[Sophos Notification] Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update

Hi Everyone,

After installing the following Microsoft Windows updates, Sophos has received reports of computers failing to boot:

The issue is currently being investigated. For further updates and the workaround, please follow the KBA below.

Following the Microsoft Windows 9 April update, computers fail/hang on boot

  • We have skipped the steps to disable Endpoint/AV/tamper protection.

    Manually uninstall by sorting the installed KBs by date, or use these commands:

    wusa /uninstall /kb:4493435
    wusa /uninstall /kb:4493448
    wusa /uninstall /kb:4493472

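The post above assumes you already know which of the listed updates are present. The following PowerShell script is an added example (not from the thread or from Sophos): it checks the host for the three KB IDs quoted above, lists them, and, only with the -Uninstall switch, removes them with wusa.exe, which is the same command the post uses. It assumes an elevated prompt and that Sophos AV and tamper protection have already been disabled as described; the KB list is only the three IDs quoted in the post, so extend it from KBA 133945 as needed.

```powershell
# Added example, not Sophos code: report (and optionally remove) the April 2019
# updates quoted in this thread. Run as Administrator. Assumes Sophos AV/tamper
# protection is already disabled (e.g. from Safe Mode), otherwise wusa may hang.
[CmdletBinding()]
param(
    [switch]$Uninstall   # without this switch the script only reports
)

# Only the three KB IDs quoted in the post; extend from KBA 133945 (assumption).
$AffectedKBs = @('KB4493435', 'KB4493448', 'KB4493472')

# Get-HotFix reads Win32_QuickFixEngineering; HotFixID has the form "KBnnnnnnn".
$Installed = Get-HotFix | Where-Object { $AffectedKBs -contains $_.HotFixID }

if (-not $Installed) {
    Write-Host "None of the listed April 2019 updates is installed."
    # Show the most recent updates so they can be compared against the KBA by hand
    Get-HotFix |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 5 HotFixID, Description, InstalledOn
    return
}

Write-Host "Affected updates found:"
$Installed | Format-Table HotFixID, Description, InstalledOn -AutoSize

if ($Uninstall) {
    foreach ($kb in $Installed) {
        $id = $kb.HotFixID -replace '^KB', ''
        Write-Host "Removing $($kb.HotFixID) ..."
        # wusa exits 0 on success and 3010 when a reboot is still required
        $p = Start-Process -FilePath wusa.exe `
            -ArgumentList "/uninstall /kb:$id /quiet /norestart" `
            -Wait -PassThru
        Write-Host "  wusa exit code: $($p.ExitCode)"
    }
    Write-Host "Reboot the machine to complete the removal."
}
```

Run it once without -Uninstall to see what is present before changing anything; /norestart keeps the box up so all three removals can be done in one pass before the single reboot.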
  • Hi Everyone, 

    [UPDATE]: Microsoft has blocked the affected updates from being applied to machines where the Sophos Endpoint is installed.
    Further information available in https://community.sophos.com/kb/en-us/133945
  • In reply to Yashraj:

    It appears that some of the Windows components updated as part of these new patches require a Sophos token update...

    I'm guessing these issues will be resolved when Sophos provides an update?

    KB4493472 -- Monthly Rollup

    • Provides protections against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) for VIA-based computers.
    • Fixed an issue that caused the error "0x3B_c0000005_win32k!vSetPointer".
    • Fixed the netdom.exe error "The command failed to complete successfully".
    • Fixed the Custom URI Schemes issue.
    • Fixed the WININET.DLL issue.
    • Security updates

    KB4493448 -- Security only update

    • Same as monthly rollup except for error "0x3B_c0000005_win32k!vSetPointer" and Custom URI Schemes.
  • In reply to Richie Knight:

    So this was happening to us with a Windows 2012 R2 box.

    So I booted into Safe Mode, disabled SAV and auto updates, and booted into Windows to remove the KB, but I don't have those KBs installed.

    The last update is KB4489881, so is the March security update also having a problem, or am I just the lucky one?

  • In reply to Boz:

    That update installed on one of our machines today and it was behaving itself, so maybe you were just lucky. Check your event log to see if you have some Sophos errors (8x) just after booting.

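The reply above suggests checking the event log for Sophos errors right after boot. The PowerShell below is an added example (not from the thread): it reads the last boot time, then pulls critical, error and warning events from the System and Application logs in the first minutes after that boot and keeps those whose provider name contains "Sophos". That provider-name match is an assumption; adjust the -like pattern if your logs use a different source name.

```powershell
# Added example, not Sophos code: list Sophos errors/warnings logged shortly
# after the last boot. Assumes the relevant event providers contain "Sophos"
# in their name (assumption; adjust the pattern below if needed).
$boot   = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$window = 10   # minutes after boot to inspect

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System', 'Application'
    Level     = 1, 2, 3              # critical, error, warning
    StartTime = $boot
    EndTime   = $boot.AddMinutes($window)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Sophos*' }

if (-not $events) {
    Write-Host "No Sophos errors/warnings in the $window minutes after boot ($boot)."
} else {
    Write-Host "$(@($events).Count) Sophos event(s) within $window minutes of boot ($boot):"
    $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, ProviderName, Id,
            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
```

A burst of Sophos errors inside that window on a box that otherwise came up is the symptom the reply describes; a clean window after the update is applied is a reasonable sign the machine was not affected.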
  • Hi Community,

    [UPDATE] We have released an update for our Enterprise Console users that will automatically add Windows exclusions to all Anti-virus and HIPS policies in your Enterprise Console.

    Please read the article for full details: https://community.sophos.com/kb/en-us/133945 

    Best,

  • In reply to Karlos:

    Hi Karlos,

    What's the resolution for reinstalling Sophos EndPoint either with the April updates, or on a system that had a System Restore done but the problem still exhibits itself? Because the exclusion through policy kicks in way too late and the installation hangs and doesn't complete successfully.

    Having to reinstall the system from scratch to get a working Sophos EndPoint that updates correctly isn't my idea of fun.

  • In reply to Karlos:

    Hi Karlos,

    SEC 5.5.1 installed and confirmed updating is OK but I'm not seeing these Windows exclusions appearing in any of my AV/HIPS policies. I've tried asking Rob in his comments on the Spiceworks thread about this issue but he's not hearing me.

    Can you please advise?

    Cheers,

    David.

  • In reply to deejinoz:

    Hello David,

    when correctly done it looks like this:

    The changes should have been performed on the 12th by a special run of the Policy Evaluation Tool (PET). PET writes its output and logs to %ProgramData%\Sophos\Policy Evaluation Tool\Logs\.

    I've noticed, though, that it processed only 22 of 34 AV policies. The Default policy has been ignored; that might be expected. But why the rest? At first I couldn't find a pattern. I decided to poke around in the database and it was almost immediately obvious: PET processed only those policies where the GUID in the CorrelationID column is NOT enclosed in curly brackets {}.

    I neither know why some of the GUIDs have brackets nor why PET skips those.

    [Edit]
    On second thoughts: If indeed the Default policy is unconditionally skipped customers using mainly Default as AV policy might be more severely affected.
    [/Edit]

    Christian

  • In reply to QC:

    Hi Christian,

    Thanks for your response. Points/questions on this:

    1. I thought PET was only for reporting on your AV/HIPS compliance, allowing one to then make changes, manually, according to the output of the reports.

    2. The article clearly states that "For Enterprise Console customers we are performing an update that will automatically add the following Windows exclusions to all  Anti-virus and HIPS  policies in your Enterprise Console". There is no mention of anything to do with PET.

    3. Why are Sophos being so reluctant to clarify or post adequately unambiguous information about this "automatic" update of SEC, that doesn't appear to be happening?

    I guess I'm going to have to open a tech support case with them, to get some sensible answers.

    Cheers,

    David.

  • In reply to deejinoz:

    Hello David,

    "There is no mention of anything to do with PET"
    Correct, but apparently this is how it is/was/should have been done. There's no need to describe the mechanism in detail if you expect it to work. Seems it doesn't, though.

    "PET was only for reporting"
    It isn't; please see the /remediate command line parameter.

    Christian

  • So when can we expect this to be resolved? Not updating isn't a solution.

    Hopefully this isn't like the last major Windows 7 issue we ran into, which took over a month for Sophos to "resolve": https://community.sophos.com/kb/en-us/131685

  • In reply to Sammore:

    Hello Sammore,

    It looks, from the rather prompt reaction of Microsoft, like this is not an issue for which Sophos has to bear the undivided blame (or even the major part of it). Microsoft wouldn't block their patches if some other vendor had "self-inflicted" problems.

    Christian

  • In reply to QC:

    To be a little fairer to Microsoft, I feel that both Microsoft and Sophos should be working more closely together when OS changes such as the new patches are implemented. From what I have seen so far, if you are not running Sophos, Avast or Bitdefender then you are unaffected by problems with the updates that were released.

    The files that were patched, more specifically WININIT.dll and PRINTUI.dll, appear to have a new file signature. Had Sophos been made aware of these changes (If they weren't, I am speculating here) then I am sure their Dev team could have rolled an update out to account for these changes and prevent the problems being experienced.

    There is actually nothing wrong with the updates released by Microsoft. It's just simply a case that in order for them to work without issue, 3rd party vendors need to be aware of the changes and have patches in place for their products prior to release.

  • In reply to QC:

    I'm not interested in who bears the blame; I'm interested in a solution that resolves the issue at hand and helps us avoid these issues in the future.

    Right now we're at the mercy of Sophos to release a fix, whose track record in fixing these issues is slow, to say the least.