Thread Info
  • Locked Locked
  • Replies 42 replies
  • Subscribers 27 subscribers
  • Views 34785 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[Sophos Notification] Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update

Gowtham Mani

Hi Everyone,

After installing the following Microsoft Windows updates Sophos has received reports of computers failing to boot:

The issue is currently being investigated. For more updates and workaround, please follow the below KBA.

Following the Microsoft Windows 09th April update computers fail/hang on boot



This thread was automatically locked due to age.

  • We have skipped the steps to disable Endpoint/AV/tamper.

    Manually un-install by sorting KBs by date, or use commands:

    wusa /uninstall /kb:4493435
    wusa /uninstall /kb:4493448
    wusa /uninstall /kb:4493472

  • Hi Everyone, 

    [UPDATE]: Microsoft has blocked the affected updates from being applied to machines where the Sophos Endpoint is installed.
    Further information available in https://community.sophos.com/kb/en-us/133945
    Thanks,
    Yashraj Singha
    Manager | Global Community Support
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • in reply to Yashraj S

    It appears that some of the Windows components updated as part of these new patches require a Sophos token update...

    I'm guessing these issues will be resolved when Sophos provides an update?

    KB4493472 -- Monthly Rollup

    • Provides protections against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) for VIA-based computers.
    • Fixed an issue that caused the error "0x3B_c0000005_win32k!vSetPointer".
    • Fixed the netdom.exe error "The command failed to complete successfully" appears.
    • Fixed the Custom URI Schemes issue.
    • Fixed the WININET.DLL issue.
    • Security updates

    KB4493448 -- Security only update

    • Same as monthly rollup except for error "0x3B_c0000005_win32k!vSetPointer" and Custom URI Schemes.
  • in reply to Richie Knight

    So this was happening to us with a windows 2012r2 box. 

     

    so I booted in to safe mode disabled SAV and auto updates. Booted in to windows to remove the KB and I don't have those KB installed. 

    The last update is KB4489881 so is the March security update also having a problem or am I just the lucky one. 

     

     

  • in reply to Boz

    that update installed on one of our machines today, and it was behaving itself, so maybe you were just lucky. check your event log to see if you have some sophos errors 8x just after booting

  • Hi Community,

    [UPDATE] We have released an update for our Enterprise Console users that will automatically add Windows exclusions to all Anti-virus and HIPS policies in your Enterprise Console.

    Please read the article for full details: https://community.sophos.com/kb/en-us/133945 

    Best,

    Karlos
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
  • in reply to Karlos

    Hi Karlos,

    What's the resolution for reinstalling Sophos EndPoint either with the April updates, or on a system that had a System Restore done but the problem still exhibits itself? Because the exclusion through policy kicks in way too late and the installation hangs and doesn't complete successfully.

    Having to reinstall the system from scratch to get a working Sophos EndPoint that updates correctly isn't my idea of fun.

  • in reply to Karlos

    Hi Karlos,

    SEC 5.5.1 installed and confirmed updating is OK but I'm not seeing these Windows exclusions appearing in any of my AV/HIPS policies. I've tried asking Rob in his comments on the Spiceworks thread about this issue but he's not hearing me.

    Can you please advise?

    Cheers,

    David.

  • in reply to deejinoz

    Hello David,

    when correctly done it looks like this:

    The changes should have been performed on the 12th by a special run of the Policy Evaluation Tool (PET). PET writes its output and logs to %ProgramData%\Sophos\Policy Evaluation Tool\Logs\. I've noticed though that it processed only 22 of 34 AV policies. The Default policy has been ignored - that might be expected. But why the rest. At first I could find a pattern. Decided to poke around in the database and it was almost immediately obvious: PET processed only those policies where the GUID in the CorrelationID column is NOT enclosed in curly brackets {}.
    I neither know why some of the GUIDs have brackets nor why PET skips those.

    [Edit]
    On second thoughts: If indeed the Default policy is unconditionally skipped customers using mainly Default as AV policy might be more severely affected.
    [/Edit]

    [Edit 24 May 2019]
    Turned out that I jumped to conclusions. PET disregards (and consequently doesn't amend) policies that aren't assigned to any computer (and in my case it seemed to correlate with the CorrelationID). The Policy Evaluation Tool article has been updated with this information. This only has an effect when a policy that was unassigned when PET ran is later assigned to. Can't be ruled out as cause for missing exclusions on the endpoints but very unlikely.
    [/Edit] 

    Christian

  • in reply to QC

    Hi Christian,

    Thanks for your response. Points/questions on this:

    1. I thought PET was only for reporting on your AV/HIPS compliance, allowing one to then make changes, manually, according to the output of the reports.

    2. The article clearly states that "For Enterprise Console customers we are performing an update that will automatically add the following Windows exclusions to all  Anti-virus and HIPS  policies in your Enterprise Console". There is no mention of anything to do with PET.

    3. Why are Sophos being so reluctant to clarify or post adequately unambiguous information about this "automatic" update of SEC, that doesn't appear to be happening?

    I guess I'm going to have to open a tech support case with them, to get some sensible answers.

    Cheers,

    David.

Unfiltered HTML