as the title states, we have a computer that BSODs (Windows 10 Pro x64); all scans came up clean otherwise. We had to do a system restore to before the update, and for now I have Sophos services disabled so it doesnt get reapplied.
Anyone else having this issue?
No hardware changes. Microsoft Surface Pro 4.
BSOD is APC_Index_Mismatch
whatever the latest version from Sophos Cloud Endpoint is.
Just got a reply from Sophos Support:
Hello Jamie,
Thank you for contacting Sophos tech support.
Please note the issue you reported is a known issue and our development team is currently working on a solution.
Please reboot the device after getting the BSOD. If that does not help, we will have to wait till development comes up with a fix.
Unfortunately we do not have an ETA from Dev.
Please let me know if you have any additional questions. Thank you
Soooo basically I'm SOL because someone didnt test this out? I have about 300 machines out there, what if this starts happening to all of them? I hope someone high up in management sees this....
whatever the latest version from Sophos Cloud Endpoint is.
Just got a reply from Sophos Support:
Hello Jamie,
Thank you for contacting Sophos tech support.
Please note the issue you reported is a known issue and our development team is currently working on a solution.
Please reboot the device after getting the BSOD. If that does not help, we will have to wait till development comes up with a fix.
Unfortunately we do not have an ETA from Dev.
Please let me know if you have any additional questions. Thank you
Soooo basically I'm SOL because someone didnt test this out? I have about 300 machines out there, what if this starts happening to all of them? I hope someone high up in management sees this....
So I assume there is no notice from Sophos about this? This should be a advisory notice or something on the topic.
Windows 10 Insider Build 18970.rs_Prerelease 1190824-1711;Hitman Pro Alert Ver. 3.7.10 build 787 ;Hitman Pro Ver 3.8.15 Build 306 (64bit). I installed the Microsoft Defender Application Guard and rebooted. After the desktop came back up the system went to a BSOD with the message System Service Exception, HMPALERT.SYS. The system rebooted and the same message appeared. I rebooted into safe mode and uninstalled the MS Application Guard program and rebooted to normal mode. The O/S came up and was stable with a few minor changes in the settings. I then ran a scan with Hitman Pro. Got some notifications, but scan finished. Message was IRP_MJ_SCSI Kernel Mode Hook on storahci.sys detected and bypassed. The device stack on the hard disk is referencing a hidden driver that could affect detection of malicious drivers.
I am still researching this issue. Will disable HMPAlert.sys, reinstall Windows defender Application Guard and determine if Hitman Pro alert will work.
Ive never been able to use any sort of VBS or the Gaurd features in Windows 10 with Sophos Intercept X installed either. It just doesn't like App guard, device guard, credential guard or Virtualisation based security. None of them seem to get along with Intercept-X and im sure ive missed a few of these Win 10 features that ive seen cause BSOD's, but these are the ones i can remember off the top of my head.
Ive been able to reproduce the BSOD loop by running Microsofts DG readiness tool, every time ive tried myself this PS script has immediately caused a BSOD or has just after login. Then only running the same PS script again I would resolve the BSOD loop. Same applies with setting these via GPO but they take longer to resolve once the BSOD loop starts.
Its so frustrating as some of these features ive been longing to use and i cant without running them inside of a VM, im sure Intercept X itself actually does of same functions of anyway so its not all lost. Ive tried to ask Sophos Tech support agents about this on several occasions now but ive never had a straight answer. To be fair ive always asked in passing and not in a dedicated ticket of there own, also ive always only asked about one of such features at a time. So I cant really knock Sophos regarding this issue and should really open a dedicated ticket to resolve this once and for all ive just not had the time yet. I had only just noticed this thread as i was browsing through the forum and it reminded me of all my frustrations and the many many times id had to manually enter Bitlocker passwords (this is the most time consuming to recover from with just a bitlocker password)and manually undo GPO's and undo Intune policies.
If you have Intercept X installed and can spare some time to help with an experiment, download and extract the PS1 script from here and run it with the -enable switch. If it hasn't immediately BSOD'd try rebooting then see if you get one just after login. Id love to hear the results, just be warned there is a very strong chance it will cause a BSOD loop and the only way to resolve it would be to start in safe mode and run the same ps1 file but with the -disable switch so dont try this at home kids if you dont have the time and patience to do so.
https://www.microsoft.com/en-us/download/details.aspx?id=53337
Anyway rant over, if anything at least ive now been reminded i need to create a ticket to Sophos.
JK
