KB4503273 and problems with Server 2008

Has anyone had any issues with June's Windows update, particularly KB4503273, on a Server 2008 box? (not R2)

As soon as we install it and restart, the box is then stuck on "Applying computer settings". The only way to get around this is to follow similar instructions to those for April's Windows update issue: boot into safe mode, disable the Sophos Anti-Virus service and Sophos AutoUpdate service, boot into normal mode and remove the update.

As soon as those two services are disabled, the box is fine again. I can't see anyone else out there having this issue, but I thought I would ask.

 

EDIT: I have removed June's, May's and even April's updates, but the box still hangs on "Applying computer settings" when the SAV service is enabled. So it looks like it's a bigger issue than just Windows updates being applied to this machine.

 

  • Hi Dan,

    Please can you advise the following:

    Is this SEC or Central managed?

    Please can you advise the current running version of Sophos Anti-Virus?

    How many servers is this impacting?

    Regards,

    Stephen

  • We are having the same issue on one Server 2008 (non R2) box. Stuck at "Applying computer settings" after installing June updates.

  • In reply to StephenMcKay:

    Hi 

    It's SEC managed and it's running version 10.8.2.363 of Sophos Anti-Virus

  • In reply to Dan Fleming:

    Dan Fleming

    It's SEC managed and it's running version 10.8.2.363 of Sophos Anti-Virus

     
    Same here.
  • In reply to Holger:

    Thank you both. We are investigating this and I will update the thread once we have more information.

    Stephen

  • In reply to StephenMcKay:

    We are also seeing this on our Central managed Server 2008 (non R2) servers running 10.7.2.128

  • In reply to codyhastings:

    I have replicated this with Server 2008 in my Central account; I've got full crash dumps with our Dev team and will provide an update once they have analysed them.

    Regards,

    Stephen

  • In reply to StephenMcKay:

    Update: This issue appears to be caused by Sophos scanning mlang.dll during boot. So far we have only seen this issue on Windows Server 2008.

    For machines that do not have the problem, you can add a temporary real-time global exclusion for mlang: c:\windows\system32\mlang.dll - this will still be scanned with a scheduled scan.

    For machines that are already exhibiting the issue, you will need to add a temporary process exclusion in the registry, either in Safe Mode or with the Sophos AV services stopped.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVOnAccess

    Create a string value called:
    ExcludedProcess0  

    The value needs to be csrss.exe

    Once this process exclusion is in, you can reboot and enable the Sophos services; this will allow machines to receive the mlang.dll exclusion. We recommend that you remove the process exclusion once you have confirmed that the file exclusion has been received.

    To check the mlang.dll exclusion, view machine.xml in %programdata%\Sophos\Sophos Anti-Virus\Config and search for mlang.dll.

    Please advise if this resolves your issue.

    We plan to address this in a future update and will update this thread when you can remove the temporary file exclusion from your policies. 

    Regards,

    Stephen
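
    The check-then-clean-up sequence from the post above, as an added PowerShell example (not part of the thread and not Sophos-supplied). It assumes PowerShell is installed on the Server 2008 box and an elevated prompt; the `-Remove` switch and the function names are this example's own.

```powershell
# Added example: confirm the mlang.dll file exclusion has been received, then
# remove the temporary csrss.exe process exclusion. The registry key, value
# name and machine.xml location are the ones quoted in the post above.
param([switch]$Remove)   # hypothetical switch: only delete when asked to

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SAVOnAccess'
$valueName = 'ExcludedProcess0'
$configXml = Join-Path $env:ProgramData 'Sophos\Sophos Anti-Virus\Config\machine.xml'

function Test-MlangExclusion {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return $false }
    # Plain-text search for the file name, as the post suggests.
    return [bool](Select-String -Path $Path -Pattern 'mlang.dll' -SimpleMatch -Quiet)
}

function Get-TempProcessExclusion {
    # Returns the value data, or $null when the value is not present.
    $prop = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($prop) { return $prop.$valueName }
    return $null
}

$fileExcluded = Test-MlangExclusion -Path $configXml
$procExcl     = Get-TempProcessExclusion

Write-Output ("mlang.dll listed in machine.xml : {0}" -f $fileExcluded)
Write-Output ("{0} under SAVOnAccess : {1}" -f $valueName,
    $(if ($procExcl) { $procExcl } else { '<not set>' }))

if (-not $fileExcluded) {
    # Without the file exclusion the boot hang can return, so keep the workaround.
    Write-Warning 'File exclusion not received yet; leave the process exclusion in place.'
} elseif ($procExcl -eq 'csrss.exe') {
    if ($Remove) {
        Remove-ItemProperty -Path $regPath -Name $valueName -ErrorAction Stop
        Write-Output "Removed temporary $valueName."
    } else {
        Write-Output "File exclusion confirmed; re-run with -Remove to delete $valueName."
    }
} elseif ($procExcl) {
    # Someone else's exclusion may live in this slot; do not delete it blindly.
    Write-Warning "$valueName holds '$procExcl', not csrss.exe; leaving it untouched."
}
```

    If the registry write is refused while the Sophos services are running, remove the value the same way the post says to add it: in Safe Mode or with the Sophos AV services stopped.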

  • In reply to StephenMcKay:

    Hi Stephen

    The 2008 server we have is up and running again, but that was only because we followed similar instructions to the April Windows Update issue (reboot in safe mode, disable 2 Sophos services, boot into normal mode, then remove update, then enable disabled Sophos services). 

    So in this case would you say all we need to do is exclude mlang.dll from being scanned, apply the removed update and then reboot?


    Thanks

  • In reply to Dan Fleming:

    Hi Dan,

    Yes, once mlang.dll is excluded, and you can see it in the machine.xml, then you can update and shouldn't see the issue. Note: I didn't test the steps you describe, but the end result is to have mlang.dll excluded from OnAccess scanning.

    Regards,

    Stephen

  • In reply to StephenMcKay:

    Hi Stephen

    That looks like it has fixed the issue. I have excluded mlang.dll as requested, then applied June and July's Windows updates and rebooted without any issues.

    Thanks for getting this sorted

  • In reply to StephenMcKay:

    I can confirm that this workaround solved the problem.

    Thank you.