SAV service hangs after installing KB4493472

Hello,

Last night one of my Windows 2008 R2 servers hung after installing Microsoft patch KB4493472. After initial examination I discovered that the SAV service was logging lots of error messages in the event log. Event IDs: 7022 (service hang), 80, 81, 83, 85, 82, 566, 608, 592.

The server became unresponsive: no RDP, no file share access, Ctrl+Alt+Delete not working.

I rebooted the server into safe mode and disabled the Sophos services. After this, I was able to reboot normally. Then I uninstalled Sophos, rebooted and tried to install again, but this time the installation didn't complete and the server hung again. I rebooted again in safe mode, disabled the services, rebooted and uninstalled Sophos again. After checking the Windows logs I realised that the server had installed update KB4493472 last night. I uninstalled the patch, rebooted and installed Sophos again. This time there was no problem.

Currently we are trying to unauthorise KB4493472 on our update system.

Are there any known issues with KB4493472 on Windows Server 2008 R2?

Thank you.

  • In reply to jak:

    Do you have any positive feedback from excluding the Sophos directories?

  • In reply to jak:

    Hmm, didn't know it stored the exclusions there, but yeah it's there. And yeah it has the final \. It won't let you add it without it.

  • In reply to MichaelOwens:

    And what happened after putting the exclusions in for you? Is it only fixing the reboot issue?

  • In reply to Fx0d:

    I mentioned a few posts ago it had no effect.

  • In reply to MichaelOwens:

    Hello all,

    an update that will automatically add the following Windows exclusions
    I wasn't aware that such a feature exists; apparently (for Enterprise Console 5.4.1 the modified policy will not automatically be sent) it has gradually been implemented.

    Anyway, they haven't been added to all AV policies. While this is expected for policies that already have exclusions in place matching those listed, the exclusions are missing from some of the other policies. Couldn't find a pattern though.

    Christian

  • In reply to QC:

    Adding the Sophos dir exclusions fixes nothing, so... what's next???

  • In reply to Fx0d:

    Hello Fx0d (and others still having problems),

    Adding sophos dirs
    Is yours a Central or SEC/SESC installation? Anyway, for both the exclusions should have been added automatically.

    fixes nothing
    What are the symptoms? Do I understand correctly that your main problem is booting up? Boot loop, or seemingly not finishing boot-up so that login is not possible?
    Or are they at least running and reporting to the console?

    Christian

  • I still haven't seen these automatic exclusions push to a machine yet.

    Question though: are we still putting both exclusions in even if only one of those folders exists on a machine? Or just the one that exists?

  • In reply to MichaelOwens:

    Hello MichaelOwens,

    haven't seen
    Which management - Central or SEC? And if the latter, which version? Have you checked on the endpoints that the exclusions aren't there?

    both exclusions?
    One is for 32-bit and one for 64-bit. Exclusions are just strings that the filter driver compares with the path of the file when it intercepts a file access. If, according to certain rules, there's a match, the file is not passed to the service for scanning. It doesn't matter if an exclusion specifies a path that does not exist. So normally, if you have a 32-bit application you want to exclude and have both 32-bit and 64-bit machines, you specify both %ProgramFiles% and %ProgramFiles(x86)%.

    Christian
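
As an added illustration of the exclusion mechanism described in the reply above (not Sophos code; the driver's real matching rules are not given on this page, so case-insensitive folder-prefix matching with a trailing backslash and %VAR% expansion against a per-host environment are assumptions, and the `Vendor App` folder and environment tables are constructed):

```python
"""Toy model of a filter driver checking a file path against exclusions.

Added illustration, not Sophos code: the matching rules and the sample
environments/folders below are assumptions, constructed for this example.
"""
import re

# Constructed environments for a 64-bit and a 32-bit Windows host.
ENV_64BIT = {"ProgramFiles": r"C:\Program Files",
             "ProgramFiles(x86)": r"C:\Program Files (x86)"}
ENV_32BIT = {"ProgramFiles": r"C:\Program Files"}   # no (x86) variable on 32-bit

_VAR = re.compile(r"%([^%]+)%")


def expand(exclusion, env):
    """Expand %VAR% tokens; None if a variable is undefined on this host."""
    if any(v not in env for v in _VAR.findall(exclusion)):
        return None
    return _VAR.sub(lambda m: env[m.group(1)], exclusion)


def is_excluded(file_path, exclusions, env):
    """Return the exclusion string that covers file_path, or None.

    A trailing backslash marks a folder exclusion covering everything under
    it; without one the exclusion must equal the file path exactly.
    Comparison is on lower-cased strings (Windows paths are case-insensitive).
    """
    target = file_path.lower()
    for exc in exclusions:
        expanded = expand(exc, env)
        if expanded is None:          # variable undefined here: can never match,
            continue                  # but listing it is harmless
        exp = expanded.lower()
        if exp.endswith("\\"):
            if target.startswith(exp):
                return exc
        elif target == exp:
            return exc
    return None


# Hypothetical 32-bit application; both forms are listed so one policy
# covers 32-bit and 64-bit hosts (the non-existent one simply never matches).
EXCLUSIONS = ["%ProgramFiles%\\Vendor App\\", "%ProgramFiles(x86)%\\Vendor App\\"]

if __name__ == "__main__":
    for host, env in (("64-bit", ENV_64BIT), ("32-bit", ENV_32BIT)):
        for p in (r"C:\Program Files\Vendor App\bin\app.exe",
                  r"C:\Program Files (x86)\Vendor App\bin\app.exe"):
            print(host, p, "->", is_excluded(p, EXCLUSIONS, env))
```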

  • In reply to QC:

    Our updates have not occurred as of yet; they will occur on the 25th of April. Is this expected to be resolved by then, or should I still stop these updates?

    PacketLoss

  • In reply to PacketLoss:

    Hello PacketLoss,

    [your updates] will occur on the 25th of April
    Which updates are you referring to? The Microsoft patches?

    BTW: The Microsoft articles linked from 133945 have been updated and list some other vendors besides Sophos.

    Christian

  • When is this expected to be fixed?

    Are we waiting on Sophos or Microsoft?

    Thanks

  • In reply to John Bailey:

    John Bailey

    When is this expected to be fixed?

    Are we waiting on Sophos or Microsoft?

    Thanks

    I am wondering the same thing.

  • In reply to PacketLoss:

    Dear god, do NOT install any of the 4/9 kb449xxxx updates! You're very lucky to have this option.

  • In reply to Fx0d:

    Fx0d

    Anyone know if this fix only applies to the reboot problem, or if it's 100% OK and compatible with the new Windows updates?

    Can I reinstall Sophos without removing the Windows updates if I have excluded the Sophos directories?

    I've had a mostly successful experience with the exclusions working for systems that have the April update installed, but I still have some systems that don't work, even those that were reverted using System Restore, so these will need to be re-installed from scratch (thanks MS + Sophos).

    It's not possible to re-install Sophos without removing the April updates, as the exclusion happens way too late during the installation phase. I have far too many systems that won't properly update Sophos, so the only recourse is to uninstall the April updates, uninstall Sophos and re-install Sophos, or re-install the system.