[Sophos Notification] Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update

10.8.3.441 sophos installed on freshly imaged test machine, restarted, manually installed 17763.475 windows 10 update. restarted. locked at windows login screen

This isn't funny anymore sophos.

Sophos Central customer here.

I'm not seeing the update on any of my servers yet, we have a range of machines across 2008 R2 - 2012 R2 and 2016 and nothing shows higher than 10.8.3. xxx (according to the article I should be on 10.8.4.227 to resolve this problem).

Client endpoints do appear to have the correct update 10.8.3.441.

Is anyone else seeing this or have I got a setting wrong? I'm super keen to get my servers patched up for obvious reasons but can't risk deploying May's updates when they arrive tomorrow/Wednesday if I haven't got the right update yet. Thanks!

Hi Lucy,

The rollout for Central Server Protection has been completed for the majority of customers, but we do have the final batch to complete tomorrow. Please check tomorrow afternoon, you should then see that your servers are running 10.8.4.227

See https://downloads.sophos.com/readmes/sesc_centralserverav_rneng.html

Regards,

Stephen

Thanks so much for the quick reply, I was starting to panic a bit about being unpatched for another month. If I miss my testing window I can't deploy to higher priority servers within the month so it's a real problem. thanks again I look forward to seeing the update tomorrow.

Hi Lucy,

We have now completed the release; you should see that your Servers update to 10.8.4.227 soon.

Note: If you have configured Controlled Updates you will not receive the fix until your pause period expires.
Note: If you have configured an Updating Policy you will not receive the fix until your scheduled update time takes place. 

Regards,

Stephen

We've got it, what a relief. Thanks a lot!

we are still stuck on 10.8.3.441

sophos installer downloaded and installed today

Hi Lance,

For endpoint that is the latest version. See https://downloads.sophos.com/readmes/sesc_endpointadvanced_rneng.html and https://community.sophos.com/kb/en-us/133945 confirming that the fix for Central Endpoint is in 10.8.3.441

Regards,

Stephen

We have noticed that since the new update has been rolled out, c:\ProgramData\Sophos\Autoupdate\data\status\AUAdapter.xml no longer exists. This is a problem as we monitor the contents of this file with our client monitoring systems (Solarwinds) to ensure that nothing untoward is going on with our customers AV and everything is up to date. Can you please advise how best to now do this since the file has been removed / retired?

Example;

Customer: *************
Device: *************
Device IP *************
Service: Log Analysis (Batch) - c:\ProgramData\Sophos\Autoupdate\data\status\AUAdapter.xml
State Transition: From Normal To Warning
Time Of State Transition: 2019-05-15 09:11:56
Notification: Priority 2 (0 mins – 24/7 Checks)

Alert Trigger: difference in minutes between the last parsed dateline of the file and the local time of the test

Service Details:
File Size: 684.00 B
Regular Expression 1: False
Regular Expression 2: False
Time Offset between Local Device and GMT: 1
Difference in minutes between the last parsed dateline of the file and the local time of the test: 1.00 days
Number of Lines in the File: 22.00 Lines
File creation date: 2018-04-22 12:13:36
File modification date: 2019-05-14 09:06:58
Last Parse-able Date in Log (GMT): 2018-04-22 12:13:36
The line count matched regex 1: 0.00 Lines
The line count matched regex 2: 0.00 Lines

Hi Richie,

Are you sure that the file no longer exists? Its still there on my machine. However, we have stopped writing to it, so this is likely the cause of the issue you see. Are you able to use the registry for this purpose? HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\AutoUpdate\UpdateStatus

Regards,

Stephen