Second Time Computers are hanging on start after Sophos Auto Update Upgrade (Version 10.6.4 VE3.67.0)

Hello

We work with Sophos Enterprise Console and some Desktop Clients in a Client Preview Group Version 10.6.4 VE3.6.67.0.

Today is the second time these Desktop Clients are hanging on start (no login Screen) after Sophos AutoUpdate. All other Desktop Clients in other Group Version 10.6.3 VE3.64.3 didn't have any Troubles.

We moved all Clients out of the Preview Group.

Is this a known issue?

Thanks,

André



This thread was automatically locked due to age.
  • Hello André,

    I have a few running Preview without issues. How did you restore the network (as you'd need the network to apply the policy and downgrade them)?
    "after Sophos AutoUpdate"
    AutoUpdate usually checks several times a day (by default every 10 minutes), actually performs a minor update every few hours, so ... All lost connectivity at the same time? Is there just this symptom or are there additional errors or events?

    Christian 

  • Hello Christian,

    We have some other Desktop Clients (Windows 7, Windows 10) and virtual Server (W 2012 R2) without Problems running Preview.

    We start the Desktop Clients (Wake On Lan) in the night for patches (Microsoft, ...) and shut them down after upgrade. Sophos AutoUpdate interval is set to 10 minutes. So the Desktop Clients get the new Sophos Update in the night too.

    Next morning the users start the Desktop Computer and the Network Interface is down.

    To restore the Network, we have to restart the Computer in safe mode. Set Sophos Services from autostart to manual. Then restart the Computer without the Sophos Service starting.

    Change the Client in the Enterprise Console in the regular Group (not Preview), new install from Enterprise Console on these Clients. The Client is working without errors.

    The Clients are running Windows 7. The hardware is different HP Desktops.

    We don't have other symptoms or errors.

    André

  • Hello André,

    [restart in safe mode]
    I see. As you say it only fails on some endpoints - usual question: Do they have something in common apart from the issue? Preview (10.6.4) doesn't have any terrific new features except enhanced tamper protection - haven't heard that it disables (or is supposed to disable) networking though. SCF isn't installed, I assume, as otherwise you'd have mentioned it. The only other component that has something to do with networking is Device Control ...

    "We start the Desktop Clients (Wake On Lan) in the night for patches"
    Just to make sure I understand the sequence of events: The endpoints are already running Preview for some time before the maintenance WOL or they are moved to the Preview group while they are turned off?

    Christian

  • Hello Christian

    No, SCF isn't installed.

    The Clients are regular Clients like other Clients. We put some of them in the Sophos Preview Group, because in January 2017 this preview Version will be the new Recommended Version. The Clients are already installed with the new Sophos Preview (10.6.4) and didn't have any Problems for days or weeks. The Policies are the same on Preview like on Recommended.

    The Wake On LAN we do for all Desktop Clients in the company and we didn't have any troubles with other Clients in the regular Sophos Group. If it would be a Problem because of Microsoft patches, there would be more Errors on the other Clients in the Company, too.

    I don't understand what happens with these Preview Clients, but it looks like Sophos Preview and maybe some hardware or driver is the problem.

    André

  • Hello Christian

    Device Control is active, but only watching, not disabling.

    André

  • Hello André,

    Preview is (at least IMO) not unsupported - while it's naturally not supported for production isn't it one of its purposes to detect issues?

    I'd probably eventually contact Support if the problem can be reproduced. Thinking about it - there's a number of questions though (excuse me for thinking out loud):

    • after the boot following the maintenance the endpoints' network was down
    • adapter disabled and couldn't be enabled?
    • adapter enabled but no packet flow or traffic stopped at some point? 
    • resetting the adapter didn't help?
    • if Sophos services not started at boot network was available without further action?
    • Has it been tried to restore network service by stopping (or setting to Normal Start)  the Sophos services in normal mode and resetting the adapter? Or was enhanced Tamper Protection enabled?
    • whatever has been done - nothing out of the normal in the Sophos or Windows Event logs? What did Windows say about the network connection? 

    Not much help, probably no help at all ...

    Christian

  • Hello Christian

    We can reproduce it and we contacted support just now.

    I was wrong with the network interface. The computer is hanging when starting. It doesn't matter with or without network.

    Starting in Safe Mode, Sophos Antivirus Service from autostart to manual and the computer starts without problems. Set Sophos Antivirus Service to autostart, Computer hangs again on starting.

    SAV Log: "20161220 094945 Keine Verbindung zum On-Access-Treiber (0x80070002) möglich."

    (Next time I will write in German from the start. When all consoles are in German, that is much easier.)

    Cheers, André

  • Hello André,

    "When all consoles are in German, that is much easier"
    Sure, great idea [:P], then I get to laboriously work out what it is about [;)]. No, seriously, no problem - though I use the English UIs and the "original documentation" exclusively. Apart from the fact that I never learned IT German (there is even a standard for it, or at least there was a DIN standard), some of the translations are not entirely fortunate.

    Christian 

  • Hello Christian

    After starting the Sophos ticket on 21 December, we are in busy contact with 3rd Level Support and development since this year. A lot of testing, SDU Logs, Memory dumps and clones of the machines are already transferred to Sophos.

    The machines are hanging on start if HIPS and Data Control (only logging) are enabled.

    No Problem if HIPS is disabled or if Data Control is disabled.

    No Problem if HIPS is enabled with a folder exclusion for C:\windows\rescache\ and data control enabled.

    With a Special HIPSRules**.bld it works too, but this .bld we received only for testing.

    It looks like Sophos is waiting with rollout of SAV 10.6.4 Engine 3.67.3 because of this issue.

    Best Regards,
    André

  • Sophos deployed a new HIPs on 18. January. It will be picked up by AutoUpdate on Preview and Recommended Version.

    HIPSRules on Windows Client within "C:\Program Files (x86)\Sophos\Sophos Anti-Virus" matchup as HIPSRules-10-3-195-1.bdl.

    The issue is fixed and it looks like it is a great help for all customers affected within the new Version.

    Sophos support did a great job (it was also a lot of work for us).

    André