[Sophos Notification] Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update

Hi Everyone,

After installing the following Microsoft Windows updates Sophos has received reports of computers failing to boot:

The issue is currently being investigated. For more updates and workaround, please follow the below KBA.

Following the Microsoft Windows 09th April update computers fail/hang on boot

  • In reply to Lance Lund:

    Sophos 10.8.3.441 installed on a freshly imaged test machine, restarted, manually installed the 17763.475 Windows 10 update, restarted. Locked at the Windows login screen.

    This isn't funny anymore, Sophos.

  • Sophos Central customer here.

    I'm not seeing the update on any of my servers yet. We have a range of machines across 2008 R2 - 2012 R2 and 2016, and nothing shows higher than 10.8.3.xxx (according to the article I should be on 10.8.4.227 to resolve this problem).

    Client endpoints do appear to have the correct update 10.8.3.441.

    Is anyone else seeing this or have I got a setting wrong? I'm super keen to get my servers patched up for obvious reasons but can't risk deploying May's updates when they arrive tomorrow/Wednesday if I haven't got the right update yet. Thanks!

  • In reply to Lucy Scott:

    Hi Lucy,

    The rollout for Central Server Protection has been completed for the majority of customers, but we do have the final batch to complete tomorrow. Please check tomorrow afternoon, you should then see that your servers are running 10.8.4.227

    See https://downloads.sophos.com/readmes/sesc_centralserverav_rneng.html

    Regards,

    Stephen

  • In reply to StephenMcKay:

    Thanks so much for the quick reply, I was starting to panic a bit about being unpatched for another month. If I miss my testing window I can't deploy to higher priority servers within the month, so it's a real problem. Thanks again, I look forward to seeing the update tomorrow.

  • In reply to Lucy Scott:

    Hi Lucy,

    We have now completed the release; you should see that your Servers update to 10.8.4.227 soon.

    Note: If you have configured Controlled Updates you will not receive the fix until your pause period expires.
    Note: If you have configured an Updating Policy you will not receive the fix until your scheduled update time takes place. 

    Regards,

    Stephen

  • In reply to StephenMcKay:

    We've got it, what a relief. Thanks a lot!

  • In reply to StephenMcKay:

    We are still stuck on 10.8.3.441.

    Sophos installer downloaded and installed today.


  • In reply to Lance Lund:

    Hi Lance,

    For endpoint that is the latest version. See https://downloads.sophos.com/readmes/sesc_endpointadvanced_rneng.html and https://community.sophos.com/kb/en-us/133945 confirming that the fix for Central Endpoint is in 10.8.3.441

    Regards,

    Stephen

  • We have noticed that since the new update has been rolled out, c:\ProgramData\Sophos\Autoupdate\data\status\AUAdapter.xml no longer exists. This is a problem as we monitor the contents of this file with our client monitoring systems (Solarwinds) to ensure that nothing untoward is going on with our customers' AV and everything is up to date. Can you please advise how best to now do this since the file has been removed / retired?

    Example:

    Customer: *************
    Device: *************
    Device IP *************
    Service: Log Analysis (Batch) - c:\ProgramData\Sophos\Autoupdate\data\status\AUAdapter.xml
    State Transition: From Normal To Warning
    Time Of State Transition: 2019-05-15 09:11:56
    Notification: Priority 2 (0 mins – 24/7 Checks)

    Alert Trigger: difference in minutes between the last parsed dateline of the file and the local time of the test

    Service Details:
    File Size: 684.00 B
    Regular Expression 1: False
    Regular Expression 2: False
    Time Offset between Local Device and GMT: 1
    Difference in minutes between the last parsed dateline of the file and the local time of the test: 1.00 days
    Number of Lines in the File: 22.00 Lines
    File creation date: 2018-04-22 12:13:36
    File modification date: 2019-05-14 09:06:58
    Last Parse-able Date in Log (GMT): 2018-04-22 12:13:36
    The line count matched regex 1: 0.00 Lines
    The line count matched regex 2: 0.00 Lines

  • In reply to Richie Knight:

    Hi Richie,

    Are you sure that the file no longer exists? It's still there on my machine. However, we have stopped writing to it, so this is likely the cause of the issue you see. Are you able to use the registry for this purpose? HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\AutoUpdate\UpdateStatus

    Regards,

    Stephen

  • In reply to StephenMcKay:


    Thanks Stephen. We shall take a look at the registry item you have mentioned and see how we can change our monitoring to accommodate.
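
The exchange above moves update-health monitoring from AUAdapter.xml to the UpdateStatus registry key. The following PowerShell is an added example, not code from Sophos or from any poster in this thread: it reports whether the file is still being written and lists whatever values exist under the key. The value names under the key are not given on this page, so none are assumed; the function name and the 24-hour staleness threshold are illustrative assumptions.

```powershell
# Added example: compare the retired status file with the registry key named in the thread.
# Both paths are quoted from the thread. Value names under the key are not listed there,
# so every value found is reported as-is rather than assuming any particular name.
param(
    [int]$StaleAfterHours = 24   # assumed threshold; align it with your monitoring policy
)

$statusFile = 'C:\ProgramData\Sophos\Autoupdate\data\status\AUAdapter.xml'
$statusKey  = 'HKLM:\SOFTWARE\Wow6432Node\Sophos\AutoUpdate\UpdateStatus'

# Hypothetical helper name; returns one object describing both status sources.
function Get-SophosUpdateStatusSources {
    param([string]$File, [string]$Key, [int]$MaxAgeHours)

    $fileInfo = if (Test-Path -LiteralPath $File) { Get-Item -LiteralPath $File } else { $null }
    $ageHours = if ($fileInfo) { ((Get-Date) - $fileInfo.LastWriteTime).TotalHours } else { $null }

    # Enumerate the key's values with their registry types so a monitor can pick what to track.
    $values = @{}
    $keyExists = Test-Path -LiteralPath $Key
    if ($keyExists) {
        $item = Get-Item -LiteralPath $Key
        foreach ($name in $item.GetValueNames()) {
            $values[$name] = [pscustomobject]@{
                Kind  = $item.GetValueKind($name)
                Value = $item.GetValue($name)
            }
        }
    }

    [pscustomobject]@{
        FileExists     = [bool]$fileInfo
        FileLastWrite  = if ($fileInfo) { $fileInfo.LastWriteTime } else { $null }
        # A missing file counts as stale: it can no longer prove updates are happening.
        FileIsStale    = ($null -eq $ageHours) -or ($ageHours -gt $MaxAgeHours)
        RegistryExists = $keyExists
        RegistryValues = $values
    }
}

$result = Get-SophosUpdateStatusSources -File $statusFile -Key $statusKey -MaxAgeHours $StaleAfterHours
$result | Format-List FileExists, FileLastWrite, FileIsStale, RegistryExists
$result.RegistryValues.GetEnumerator() | Sort-Object Name |
    ForEach-Object { '{0} ({1}) = {2}' -f $_.Name, $_.Value.Kind, $_.Value.Value }
```

A stale or missing file alongside a populated registry key matches the behaviour described in the reply above, in which case the monitor should alert on the registry values instead of the file's timestamp.
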

  • In reply to Gowtham Mani:

    [Update]: Starting today, we will be removing the Sophos exclusions for Enterprise Console and will continue this process for several weeks. For more information please follow this link: https://community.sophos.com/kb/en-us/133945