
SAV service hangs after installing KB4493472

Hello,

Last night one of my Windows 2008R2 servers hung after installing Microsoft patch KB4493472. After initial examination I discovered that the SAV service was logging lots of error messages in the event log. Event IDs: 7022 (service hang), 80, 81, 83, 85, 82, 566, 608, 592.

The server became unresponsive: no RDP, no file share access, Ctrl+Alt+Delete not working.

I rebooted the server into safe mode and disabled the Sophos services. After this, I was able to reboot normally. Then I uninstalled Sophos, rebooted and tried to install again, but this time the installation didn't complete and the server hung again. I rebooted again in safe mode, disabled services, rebooted and uninstalled Sophos again. After checking the Windows logs I realised that the server had installed update KB4493472 last night. I uninstalled the patch, rebooted and installed Sophos again. This time there was no problem.

Currently we are trying to unauthorise KB4493472 on our update system.

Are there any known issues with KB4493472 on Windows Server 2008R2?

Thank You.

  • I still haven't seen these automatic exclusions push to a machine yet.

    Question though: Are we still putting both exclusions even if only one of those folders exist on a machine? Or just the one that exists?

  • Hello MichaelOwens,

    "haven't seen"
    Which management - Central or SEC? And if the latter - which version? You've checked on the endpoints that the exclusions aren't there?

    "both exclusions?"
    One is for 32-bit and one for 64-bit. Exclusions are just strings that the filter driver compares with the path of the file when it intercepts a file access. If, according to certain rules, there's a match, the file is not passed to the service for scanning. It doesn't matter if an exclusion specifies a path that does not exist. So normally, if you have a 32-bit application you want to exclude and have both 32-bit and 64-bit machines, you specify both %ProgramFiles% and %ProgramFiles(x86)%.

    Christian
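
A simplified model of the point made in the reply above, added here as an illustration; it is not Sophos code and not part of the original thread. The case-insensitive prefix match, the ExampleApp folder and the two environment maps are assumptions, since the thread does not describe the product's actual matching rules.

```python
import re

# Constructed environments (default install paths); a 32-bit Windows
# does not define %ProgramFiles(x86)%.
ENV_64BIT = {"ProgramFiles": "C:\\Program Files",
             "ProgramFiles(x86)": "C:\\Program Files (x86)"}
ENV_32BIT = {"ProgramFiles": "C:\\Program Files"}

# Hypothetical folder exclusions for a 32-bit application "ExampleApp".
BOTH = ["%ProgramFiles%\\ExampleApp\\", "%ProgramFiles(x86)%\\ExampleApp\\"]


def expand(exclusion, env):
    """Expand %VAR% references; an undefined variable stays as literal text."""
    lookup = {name.lower(): value for name, value in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)),
                  exclusion)


def is_excluded(path, exclusions, env):
    """Assumed rule: case-insensitive prefix match on the intercepted path."""
    path = path.lower()
    return any(path.startswith(expand(e, env).lower()) for e in exclusions)


def report():
    """Return (machine, path, excluded) for where the 32-bit app installs."""
    cases = [("64-bit", ENV_64BIT, "C:\\Program Files (x86)\\ExampleApp\\app.exe"),
             ("32-bit", ENV_32BIT, "C:\\Program Files\\ExampleApp\\app.exe")]
    return [(name, path, is_excluded(path, BOTH, env)) for name, env, path in cases]


if __name__ == "__main__":
    for name, path, excluded in report():
        print(f"{name}: {path} -> {'skipped' if excluded else 'scanned'}")
```

With only the %ProgramFiles% entry, the 64-bit machine's copy under Program Files (x86) would still be passed for scanning, while the unexpanded %ProgramFiles(x86)% entry on the 32-bit machine matches no real path and changes nothing.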
