BSOD After latest Hitman Update

As the title states, we have a computer that BSODs (Windows 10 Pro x64); all scans came up clean otherwise. We had to do a system restore to before the update, and for now I have Sophos services disabled so it doesn't get reapplied.

Anyone else having this issue?

No hardware changes. Microsoft Surface Pro 4.


BSOD is APC_Index_Mismatch

  • Hi,

    I assume the computer is fine if you just disable the hmpalert.sys driver from starting?

    In Regedit, navigate to
    HKLM\SYSTEM\CurrentControlSet\Services\hmpalert

    Set Start to 4 (i.e. disabled) and restart the computer.

    After the restart, start all other Sophos services.  Is it fine like this?

    Regards,

    Jak

    Could be the same issue as this:
    https://community.sophos.com/products/sophos-home/f/sophos-home-for-windows/92210/sophos-home-premium-beta-blue-screens-during-installation
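    The registry change above, scripted so the original start type is saved first and can be put back once a fixed driver ships. This is an added example, not Jak's or Sophos' own tooling; it assumes the service key name hmpalert from the reply and a constructed backup file path under ProgramData. Run it elevated.

```powershell
# Added example (not from the thread or from Sophos): record and change the start type
# of the hmpalert kernel driver so the change can be reverted from the same script.
# Assumes the service key name 'hmpalert' given in the reply above; run elevated.
param(
    [ValidateSet('Disable', 'Restore')]
    [string]$Action = 'Disable'
)

$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\hmpalert'
$backup = Join-Path $env:ProgramData 'hmpalert-start-backup.txt'   # constructed path

if (-not (Test-Path $key)) {
    throw "Service key $key not found; the driver is not installed on this machine."
}

switch ($Action) {
    'Disable' {
        $current = (Get-ItemProperty -Path $key -Name Start).Start
        # Keep the original value so 'Restore' can put it back later.
        Set-Content -Path $backup -Value $current
        # 4 = SERVICE_DISABLED; the driver will not be loaded at next boot.
        Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
    }
    'Restore' {
        if (-not (Test-Path $backup)) { throw "No backup at $backup" }
        $original = [int](Get-Content -Path $backup)
        Set-ItemProperty -Path $key -Name Start -Value $original -Type DWord
    }
}

# Verify and show what will take effect after the next reboot.
$now   = (Get-ItemProperty -Path $key -Name Start).Start
$names = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
Write-Output ("hmpalert Start = {0} ({1}); reboot required for the change to apply." -f $now, $names[[int]$now])
```

    This only helps on a machine that still boots. For a box stuck in a BSOD loop, the same value can be changed from the recovery environment by loading the offline hive (`reg load HKLM\offline C:\Windows\System32\config\SYSTEM`), editing Start under `HKLM\offline\ControlSet001\Services\hmpalert`, then `reg unload HKLM\offline`; that is the standard offline-hive technique, not something specific to this driver.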

  • Can you say what version of Hitman you are running?

  • In reply to jak:

    No, it's not fine. It's in a constant reboot loop and nothing short of booting to a recovery drive to restore back to an earlier system date works.

    No possible way to get into the system to even try to boot into safe mode.

  • In reply to Holger:

    Whatever the latest version from Sophos Cloud Endpoint is.

    Just got a reply from Sophos Support: 

    Hello Jamie,

    Thank you for contacting Sophos tech support. 

    Please note the issue you reported is a known issue and our development team is currently working on a solution.
    Please reboot the device after getting the BSOD. If that does not help, we will have to wait till development comes up with a fix.

    Unfortunately we do not have an ETA from Dev. 

    Please let me know if you have any additional questions. Thank you

    Soooo basically I'm SOL because someone didn't test this out? I have about 300 machines out there; what if this starts happening to all of them? I hope someone high up in management sees this....

  • In reply to JamiePassalacqua:

    So I assume there is no notice from Sophos about this? This should be an advisory notice or something on the topic.

  • In reply to jak:

    Do you recommend setting up a GPO to stop this service for all my computers? I don't want this issue to become more widespread, but stopping the service could also impact us with ransomware, so it's a damned if you do, damned if you don't situation.

    We already have 2 workstations that are showing signs of this. Both different computer manufacturers, but same OS (Win10 Pro, x64).

  • In reply to JamiePassalacqua:

    Windows 10 Insider Build 18970.rs_Prerelease 1190824-1711; Hitman Pro Alert Ver. 3.7.10 build 787; Hitman Pro Ver 3.8.15 Build 306 (64bit). I installed the Microsoft Defender Application Guard and rebooted. After the desktop came back up the system went to a BSOD with the message System Service Exception, HMPALERT.SYS. The system rebooted and the same message appeared. I rebooted into safe mode and uninstalled the MS Application Guard program and rebooted to normal mode. The O/S came up and was stable with a few minor changes in the settings. I then ran a scan with Hitman Pro. Got some notifications, but the scan finished. Message was IRP_MJ_SCSI Kernel Mode Hook on storahci.sys detected and bypassed. The device stack on the hard disk is referencing a hidden driver that could affect detection of malicious drivers.

    I am still researching this issue. Will disable HMPAlert.sys, reinstall Windows Defender Application Guard and determine if Hitman Pro Alert will work.

  • In reply to Joel Hedge:

    I've never been able to use any sort of VBS or the Guard features in Windows 10 with Sophos Intercept X installed either. It just doesn't like App Guard, Device Guard, Credential Guard or Virtualisation Based Security. None of them seem to get along with Intercept-X, and I'm sure I've missed a few of these Win 10 features that I've seen cause BSODs, but these are the ones I can remember off the top of my head.

    I've been able to reproduce the BSOD loop by running Microsoft's DG readiness tool; every time I've tried myself this PS script has immediately caused a BSOD, or one just after login. Then only by running the same PS script again could I resolve the BSOD loop. The same applies with setting these via GPO, but they take longer to resolve once the BSOD loop starts.

    It's so frustrating, as some of these features I've been longing to use and I can't without running them inside of a VM; I'm sure Intercept X itself actually does some of the same functions anyway, so it's not all lost. I've tried to ask Sophos Tech Support agents about this on several occasions now, but I've never had a straight answer. To be fair, I've always asked in passing and not in a dedicated ticket of their own, and I've always only asked about one such feature at a time. So I can't really knock Sophos regarding this issue and should really open a dedicated ticket to resolve this once and for all; I've just not had the time yet. I had only just noticed this thread as I was browsing through the forum, and it reminded me of all my frustrations and the many, many times I'd had to manually enter BitLocker passwords (this is the most time consuming to recover from with just a BitLocker password) and manually undo GPOs and undo Intune policies.

    If you have Intercept X installed and can spare some time to help with an experiment, download and extract the PS1 script from here and run it with the -enable switch. If it hasn't immediately BSOD'd, try rebooting, then see if you get one just after login. I'd love to hear the results; just be warned there is a very strong chance it will cause a BSOD loop, and the only way to resolve it would be to start in safe mode and run the same ps1 file but with the -disable switch, so don't try this at home, kids, if you don't have the time and patience to do so.

    https://www.microsoft.com/en-us/download/details.aspx?id=53337

    Anyway, rant over; if anything, at least I've now been reminded I need to create a ticket to Sophos.
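    Before toggling VBS, Device Guard or Credential Guard on a machine that runs Intercept X, it helps to capture the current state so the ticket to Sophos has facts in it and the rollback path is obvious. The following is an added example, not the DG readiness tool from the link above and not Sophos or Microsoft code; it reads the documented Win32_DeviceGuard WMI class, reports the hmpalert driver (service name assumed from earlier in the thread) and lists the newest minidumps from the default %SystemRoot%\Minidump location.

```powershell
# Added example (not the thread's script and not Microsoft's DG readiness tool):
# snapshot VBS / Device Guard state, the hmpalert driver state and recent crash dumps
# before changing any VBS-related setting. Assumes the driver service name 'hmpalert'.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Numeric codes as documented by Microsoft for Win32_DeviceGuard.
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)'
                3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$ciPolicy  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

# WMI returns UInt32 values; cast to [int] so the hashtable keys match.
[pscustomobject]@{
    VBSStatus          = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured = ($dg.SecurityServicesConfigured | ForEach-Object { $services[[int]$_] }) -join ', '
    ServicesRunning    = ($dg.SecurityServicesRunning    | ForEach-Object { $services[[int]$_] }) -join ', '
    CIPolicyEnforced   = $ciPolicy[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
} | Format-List

# Is the HitmanPro.Alert driver installed, and is it loaded right now?
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='hmpalert'"
if ($drv) {
    'hmpalert driver: State={0} StartMode={1} Path={2}' -f $drv.State, $drv.StartMode, $drv.PathName
} else {
    'hmpalert driver: not installed'
}

# Newest minidumps: attach these to the ticket rather than describing the stop code from memory.
Get-ChildItem -Path "$env:SystemRoot\Minidump" -Filter *.dmp -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 Name, LastWriteTime, Length
```

    Run it once before enabling the feature and once after recovering from any BSOD loop; the two outputs together show exactly which security service was turned on when the driver faulted, and which .dmp file belongs to that crash.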