Memory Leak in Server 2008R2/2012R2/2016

Hey Guys on Windows Server 2008/R2 Make sure you haven't updated to latest Windows patch:

KB4093108

KB4093118

One side affect of the latest security patch's is that it is causing large memory leaks as you describe.

We have not installed that patch.

Hey Matthew Gustke 

Have you already raised a support case for this issue for further investigation? If so, please share this case number with me for follow up.

Thanks!

Yes, I have created a support case.  They told me to reference this post I made :)

#8040399

Thanks for providing this, I apologize for obvious reasons. I'll follow up with the assigned engineer and your case to further expedite the process.

Best,

Are you able to attach your sed log?

C:\ProgramData\Sophos\Endpoint Defense\Logs\

Regards,
Jak

We appear to be having the same issue here with our DC's.

Our MSP are in the process of logging a ticket.

Are you able to post/attach/link your sed log file?

To update this thread for the information of our community:

This is a known issue WINEP-11590 and the fix is scheduled to be included in the next version release.

There is a current workaround available that can be performed by our support. If you are experiencing similar symptoms and think you are affected by this issue, please contact our support and reference this ID for further investigation and confirmation.

Best,

Hi FloSupport,

I have a client with a Windows Server 2016 RDS virtual machine running Central Server Advanced Protection. They've had a couple of instances now where they've had a pool memory leak that's eventually brought the box down after consuming all available memory.

Since the last occurrence, I've had Performance Monitor running tracking paged and non-paged pool usage. As of a few hours ago, the counters have gone from looking normal to a constant steady increase. I had a Windows Performance Toolkit trace running tracking pool allocations, so I've just stopped that and ran it through WPA to see if I could track down the source.

There's a big bunch of allocations related to the SophosED.sys driver that's got me wondering whether it's Sophos. I did some digging and found this post. Do my symptoms fit the bill for it being the issue you've mentioned?

Thanks,

Dan

Hi FloSupport,

I have a client with a Windows Server 2016 RDS virtual machine running Central Server Advanced Protection. They've had a couple of instances now where they've had a pool memory leak that's eventually brought the box down after consuming all available memory.

Since the last occurrence, I've had Performance Monitor running tracking paged and non-paged pool usage. As of a few hours ago, the counters have gone from looking normal to a constant steady increase. I had a Windows Performance Toolkit trace running tracking pool allocations, so I've just stopped that and ran it through WPA to see if I could track down the source.

There's a big bunch of allocations related to the SophosED.sys driver that's got me wondering whether it's Sophos. I did some digging and found this post. Do my symptoms fit the bill for it being the issue you've mentioned?

Thanks,

Dan

Hi mdi-db 

Thanks for reaching out and sharing your investigation details. I would advise to raise a support case referencing this ID (Please PM me with your support case number) and attaching your Process Monitor and SDU logs for investigation and potential confirmation.

Best,