
Sophos causing High CPU usage and unexpected server restarts

Hey guys,

 

I was experiencing some odd issues with Sophos on our file server since the weekend. On Monday it was reaching high CPU usage for a second, then restarting every 30 minutes. This appears to be from a Windows "Bugcheck":

 

Error 

Description:
The computer has rebooted from a bugcheck. The bugcheck was: 0x0000003b (0x00000000c0000005, 0xfffff80145467864, 0xffffd00021ecc980, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 090318-16453-01.

After analysing the memory dump it was apparent that Clean.exe was the cause of these issues (copied out three separate memory dumps from three separate reboots, all were from Clean.exe), so I have uninstalled Sophos for the time being and the issues have ceased. I believe the version was 2.0.2.

 

Is there a hotfix for this issue? Is this a bug that's already known? Is there an update that will resolve these resource and bugcheck issues?

 

These issues occurred on a Windows Server 2012 R2 VM running off VMware ESXi, 6.5.0, 7967591

 

Best Regards,

Jason
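
Added example, not part of the original posts and not Sophos or Varonis code: a small parser for the bugcheck event text quoted in the post above. It decodes the four parameters the way Microsoft documents them for bugcheck 0x3B and reports whether the faulting instruction lies in kernel or user address space. The function names and the two lookup tables are assumptions made for illustration, and the tables are deliberately incomplete.

```python
import re

# Constructed sample: the event text exactly as quoted in the post above.
SAMPLE = ("The computer has rebooted from a bugcheck. The bugcheck was: "
          "0x0000003b (0x00000000c0000005, 0xfffff80145467864, "
          "0xffffd00021ecc980, 0x0000000000000000). A dump was saved in: "
          "C:\\Windows\\MEMORY.DMP. Report Id: 090318-16453-01.")

BUGCHECK_RE = re.compile(
    r"bugcheck was:\s*(0x[0-9a-f]+)\s*\(([^)]*)\)", re.IGNORECASE)

# Illustrative lookup tables (assumption: only the values seen in this thread).
BUGCHECK_NAMES = {0x3B: "SYSTEM_SERVICE_EXCEPTION"}
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

# On x64 Windows, kernel-mode virtual addresses start at this boundary.
KERNEL_BASE_X64 = 0xFFFF800000000000


def address_space(addr):
    """Classify an x64 virtual address as 'kernel' or 'user'."""
    return "kernel" if addr >= KERNEL_BASE_X64 else "user"


def parse_bugcheck(message):
    """Extract the bugcheck code and its four parameters from event text."""
    match = BUGCHECK_RE.search(message)
    if match is None:
        raise ValueError("no bugcheck record found in message")
    code = int(match.group(1), 16)
    params = [int(p.strip(), 16) for p in match.group(2).split(",")]
    if len(params) != 4:
        raise ValueError("expected four bugcheck parameters")
    result = {"code": code,
              "name": BUGCHECK_NAMES.get(code, "unknown"),
              "params": params}
    if code == 0x3B:
        # 0x3B layout: exception code, faulting instruction address,
        # context record address, unused (zero).
        result["exception"] = NTSTATUS_NAMES.get(params[0], hex(params[0]))
        result["fault_address"] = params[1]
        result["fault_space"] = address_space(params[1])
        result["context_record"] = params[2]
    return result


if __name__ == "__main__":
    info = parse_bugcheck(SAMPLE)
    print(info["name"], info["exception"],
          hex(info["fault_address"]), info["fault_space"])
```
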



This thread was automatically locked due to age.
  • Hi Jason,

    We have a couple of tickets created that report similar issues; the root cause of these is that there is probably a third-party driver that takes issue when we call the Windows API GetFileAttributes on its driver.

    Do you use Varonis on this server? 

    Regards,

    Stephen

  • Clean.exe (user mode - can't cause a bugcheck of this nature on its own) has called the standard Windows function NtQueryAttributesFile. It would be hard if that could cause an issue. I suspect sidfile.sys, which is later in the stack, has taken exception to something. I would check with Varonis.

    Regards,
    Jak


  • Hey Stephen,

     

    We do, yeah. Is this only an issue with the current release of Sophos? We never had these issues before.

     

    Best Regards,

    Jason

  • Hey Stephen,

     

    Is there any way to exclude Varonis from Sophos, or the other way around to prevent this from happening?

     

  • A note on the ticket I am reviewing says:

    'We have received confirmation that Varonis have released a patch that reportedly fixes the issue.' 

    I am trying to ascertain what the patch is, but you might be able to get info directly from them.

    Stephen 

  • I've had a ticket open with Varonis for a few days with an identical issue and just added this post to the ticket. If you get any details on the patch they're referencing or exclusions that need to be added in Sophos please share. We have 3 file servers with Sophos and Varonis in use, but oddly this is only happening on one of them. Lucky for us it's a pretty seldom used file server, so no users have noticed the constant reboots yet, but I'd like to get a fix in place before it starts happening on the other two, because our company fully depends on those being up 24/7.

  • This is what another customer with the issue received from Varonis:

    A Blue Screen of Death (BSOD) occurs when the Sophos antivirus is installed with the Varonis Windows Agent.

    Affected versions: 6.2 and 6.3 GA versions
    Platforms: Windows Auditing Agent
    Severity: Critical

    Solution:
    The problem is resolved by installing patch #718214.

    Availability:
    Patch #718214 is available. Contact Varonis Support to obtain the patch.