
Error Message: Rootkit scan cancelled due to a corrupt disk

We are seeing the rootkit scan fail on multiple systems due to a "corrupt disk".  Specifically the error is:

Code: a01e0004

Description: Rootkit scan cancelled due to a corrupt disk

Have checked systems experiencing this error and there is no problem with the disk (scans are negative).  Any idea what corrupt disk this might refer to?  Also interesting is that clicking on the link back to the Sophos knowledgebase comes up with nothing.  That is, there is no entry for error code a01e0004.

We are running enterprise console 4.0.0.2362. 

System experiencing the error is running Windows Vista service pack 2.

Anyone have ideas on what might be causing this?

Thanks in advance.



  • Adding to the fray: I have a few machines continuing to get this error post-9.5 update.

  • Endpoint 9.5 latest version.

    I also have the same issue. When Sophos Endpoint is scanning for viruses, e.g. rootkit.win32.small.bjj and trojan-downloader.win32.agent.er (Kaspersky), it gives the error shown in the attached file: "rootkit scan has been cancelled due to corrupted disk". What happened to this computer is that a bluescreen occurred.

    The last time before the system crashed was 22/2/11 13:36.

    Computer details from Enterprise Console (sections: Outstanding alerts and errors, Sophos Anti-Virus status, Latest application control events, Latest blocked websites, History, Sophos AutoUpdate status):

    Outstanding alerts and errors / Sophos Anti-Virus status
    Date/time              Code      Description
    2/22/2011 1:36:28 PM   a01e0004  Rootkit scan has been cancelled due to a corrupt disk.
    2/17/2011 12:49:54 PM  a01e0004  Rootkit scan has been cancelled due to a corrupt disk.
    2/16/2011 1:17:53 PM   a01e0004  Rootkit scan has been cancelled due to a corrupt disk.
    2/15/2011 1:27:25 PM   a01e0004  Rootkit scan has been cancelled due to a corrupt disk.

    Latest application control events
    Date/time              User                 Computer      Application name      Application type
    2/23/2011 1:03:22 PM   NT AUTHORITY\SYSTEM  SIWAPORNS_NB  CompuTrace            Remote management tool
    2/23/2011 1:02:25 PM   NT AUTHORITY\SYSTEM  SIWAPORNS_NB  Bonjour               Security / system tool
    2/23/2011 11:36:02 AM  NT AUTHORITY\SYSTEM  SIWAPORNS_NB  Bonjour               Security / system tool
    2/23/2011 11:23:41 AM  NT AUTHORITY\SYSTEM  SIWAPORNS_NB  Bonjour               Security / system tool
    2/22/2011 2:06:50 PM   SERVERMAIL\siwaporn  SIWAPORNS_NB  Adobe Update Manager  Software updater
    2/22/2011 8:50:15 AM   SERVERMAIL\siwaporn  SIWAPORNS_NB  CompuTrace            Remote management tool
    2/22/2011 8:30:30 AM   NT AUTHORITY\SYSTEM  SIWAPORNS_NB  CompuTrace            Remote management tool
    2/22/2011 8:29:36 AM   NT AUTHORITY\SYSTEM  SIWAPORNS_NB  Bonjour               Security / system tool
    2/21/2011 6:09:00 PM   SERVERMAIL\siwaporn  SIWAPORNS_NB  Adobe Update Manager  Software updater
    2/21/2011 9:59:32 AM   SERVERMAIL\siwaporn  SIWAPORNS_NB  CompuTrace            Remote management tool

    Latest blocked websites
    Date/time              User                 Threat name    Blocked site                                         Referring site          Reference ID
    2/15/2011 11:41:04 AM  SERVERMAIL\siwaporn  Mal/HTMLGen-A  www.lomahotel.com/images/loma logo2.gif              www.ravindraresort.com  3748917
    2/15/2011 10:32:06 AM  SERVERMAIL\siwaporn  Mal/ObfJS-A    www.doca-rta.com/facebook/facebook_for_beginner.pdf                          16616298
    12/8/2010 10:05:43 AM  SERVERMAIL\siwaporn  Mal/ObfJS-A    www.baanrai-ozone.com/images/home/h1_19.gif          www.baanrai-ozone.com   12807529
    12/8/2010 10:05:29 AM  SERVERMAIL\siwaporn  Mal/ObfJS-A    www.baanrai-ozone.com/images/home/h1_21-over.gif     www.baanrai-ozone.com   12807529
    12/8/2010 10:05:26 AM  SERVERMAIL\siwaporn  Mal/ObfJS-A    www.baanrai-ozone.com/images/home/h1_04-over.gif     www.baanrai-ozone.com   12807529
    12/8/2010 10:05:24 AM  SERVERMAIL\siwaporn  Mal/ObfJS-A    www.baanrai-ozone.com/images/home/h1_28.gif          www.baanrai-ozone.com   12807529
    12/8/2010 10:05:22 AM  SERVERMAIL\siwaporn  Mal/ObfJS-A    www.baanrai-ozone.com/images/home/a1.gif             www.baanrai-ozone.com   12807529
    12/8/2010 10:05:20 AM  SERVERMAIL\siwaporn  Mal/ObfJS-A    www.baanrai-ozone.com/inc/showpic.php                www.baanrai-ozone.com   12807529
    12/8/2010 10:05:18 AM  SERVERMAIL\siwaporn  Mal/ObfJS-A    www.baanrai-ozone.com/images/home/h1_20.gif          www.baanrai-ozone.com   12807529
    12/8/2010 10:05:16 AM  SERVERMAIL\siwaporn  Mal/ObfJS-A    www.baanrai-ozone.com/images/home/h1_19.gif          www.baanrai-ozone.com   12807529

    History / Sophos Anti-Virus status
    Date/time              Code      Description
    2/22/2011 1:36:28 PM   a01e0004  Rootkit scan has been cancelled due to a corrupt disk.
    2/17/2011 12:49:54 PM  a01e0004  Rootkit scan has been cancelled due to a corrupt disk.
    2/16/2011 1:17:53 PM   a01e0004  Rootkit scan has been cancelled due to a corrupt disk.
    2/15/2011 1:27:25 PM   a01e0004  Rootkit scan has been cancelled due to a corrupt disk.

    Sophos AutoUpdate status
    Date/time              Code      Description
    2/23/2011 1:09:09 PM   00000000  Updated successfully
    2/23/2011 11:42:04 AM  00000071  ERROR: Could not find a source for updated packages
  • Hi,  

    If you're getting a blue screen something pretty serious must be happening. I would suggest doing the following:

    1. Ensure that you have your machine configured to create a full memory dump (ideally).

    To do so, under computer properties, go into "Advanced system settings" and from there into the "Startup and recovery" section settings. You should be able to set it at least to a kernel dump, which will be written by default to %SystemRoot%\MEMORY.DMP.

    2. When the BSOD next happens, it will write the state to the above file.

    On next bootup, move %SystemRoot%\MEMORY.DMP to your desktop. I figure it's best to move it as quickly as possible in case the machine BSODs again. If you are unable to find the file, we can settle for the next best thing, which is a minidump. To get that, it should be in \windows\minidump\; please copy the latest written one to your desktop.

    Either way at this point we should have a memory dump to work with which is either:

    Full Dump

    Kernel Dump

    Mini dump

    In terms of size, looking at the above list they get smaller, but they also contain less information as to the state of the machine at the point it crashes. We'll have to work with what we can obtain.

    3. Download WinDbg:

    http://msdn.microsoft.com/en-us/windows/hardware/gg463009.aspx

    Once installed, you should have a link in the Start menu to WinDbg; start it up.

    4. "File" - "Open Crash Dump"

    5. Once complete, it will give you a link to hit that looks like:

    !analyze -v

    If not, you can just type it into the command line at the bottom. Once WinDbg has finished analyzing the crash dump it will tell you the most likely component that caused the crash. That's not to say it's going to be 100% accurate, but the above is the standard procedure, the first steps when getting a BSOD.

    http://support.microsoft.com/kb/315263

    Pretty much covers the above steps.

    Also, regarding the rootkit corrupt disk message, I've had some success disabling the Windows background task that performs the defrag. As an example, if you look through the history of this error, see if it aligns with the times for the defrag task. On Windows 7 you can go to:

    Control Panel - Administrative Tools - Task Scheduler - Expand: "Task scheduler library" - Microsoft - Windows - Defrag

    Under the properties of the "Scheduled Defrag" task you can see the history. I've found that Windows 7 scheduled tasks seem to run when they want (even considering the option "Run as soon as possible after a scheduled task is missed") on my machine, so it's worth checking when they ran rather than when they were meant to run. I last had the error on the 17th of Feb, which was the last time this task ran. Also there are many utility applications that come pre-bundled with laptops that try to perform such maintenance tasks, so it would be worth checking those as well.

    Hope this info gives others something to try; I'd be interested to hear any feedback.

    Regards,

    Jak

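The steps in Jak's post (check the dump setting, preserve the newest dump, then compare the a01e0004 alert times with the defrag task's actual run times) can be scripted so they are repeated the same way on each of the affected endpoints. The script below is an added example, not code from Jak, Sophos or Microsoft. It assumes the CrashControl registry values, the task path \Microsoft\Windows\Defrag\ScheduledDefrag and Task Scheduler event ID 102 ("task completed") in the Microsoft-Windows-TaskScheduler/Operational log, which only contains entries if task history is enabled; the alert timestamps are copied from the console export quoted above in this thread.

```powershell
# Added example (not from the original thread). Run from an elevated PowerShell
# prompt on the affected machine. Assumptions not confirmed by the thread:
# CrashControl registry layout, the ScheduledDefrag task path, and Task Scheduler
# event ID 102 marking a completed task run.

# 1. Memory-dump configuration. CrashDumpEnabled: 0 = none, 1 = complete,
#    2 = kernel, 3 = small (minidump), 7 = automatic (Windows 8 and later).
$crashKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$crash     = Get-ItemProperty $crashKey
$dumpKinds = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)'; 7 = 'Automatic' }
'Crash dump type: {0} (DumpFile={1})' -f $dumpKinds[[int]$crash.CrashDumpEnabled], $crash.DumpFile
if ([int]$crash.CrashDumpEnabled -eq 0) {
    # A kernel dump is the minimum worth having; the change applies after a reboot.
    Set-ItemProperty $crashKey -Name CrashDumpEnabled -Value 2
    'Set CrashDumpEnabled=2 (kernel dump); reboot for it to take effect.'
}

# 2. Preserve the newest dump before another BSOD overwrites it.
$dest = Join-Path ([Environment]::GetFolderPath('Desktop')) 'bsod'
New-Item -ItemType Directory -Force -Path $dest | Out-Null
$full = Join-Path $env:SystemRoot 'MEMORY.DMP'
if (Test-Path $full) {
    $stamp = '{0:yyyyMMdd_HHmmss}' -f (Get-Item $full).LastWriteTime
    Move-Item $full (Join-Path $dest "MEMORY_$stamp.DMP")
} else {
    # Fall back to the most recent minidump, as in step 2 of the post.
    Get-ChildItem (Join-Path $env:SystemRoot 'Minidump\*.dmp') -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
        Copy-Item -Destination $dest
}
# Analyse offline with the Debugging Tools for Windows (same as "!analyze -v" in WinDbg):
#   kd.exe -z "$dest\MEMORY_<stamp>.DMP" -c "!analyze -v; q" > "$dest\analyze.txt"

# 3. Correlate the Sophos alert times with scheduled-defrag runs.
$sophosAlerts = @(   # a01e0004 timestamps from the Enterprise Console export in this thread
    '2/22/2011 1:36:28 PM', '2/17/2011 12:49:54 PM',
    '2/16/2011 1:17:53 PM', '2/15/2011 1:27:25 PM'
) | ForEach-Object { [datetime]::Parse($_, [Globalization.CultureInfo]'en-US') }

$taskPath = '\Microsoft\Windows\Defrag\ScheduledDefrag'

# What the task itself records (schtasks.exe is available on Vista/7 without extra modules).
schtasks.exe /Query /TN $taskPath /V /FO LIST | Select-String 'Last Run Time|Last Result|Status'

# Actual completed runs from the Task Scheduler history (assumed event ID 102).
$defragRuns = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 102
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$taskPath*" } |
    ForEach-Object { $_.TimeCreated }

$windowMinutes = 120
foreach ($alert in $sophosAlerts) {
    $near = @($defragRuns | Where-Object { [math]::Abs(($_ - $alert).TotalMinutes) -le $windowMinutes })
    if ($near.Count -gt 0) {
        '{0}: defrag completed within {1} min -> {2}' -f $alert, $windowMinutes, ($near -join ', ')
    } else {
        '{0}: no defrag run within {1} min' -f $alert, $windowMinutes
    }
}
```

If the third section prints "no defrag run" for every alert, the defrag task is probably not the trigger on that machine and the pre-bundled vendor maintenance utilities Jak mentions are the next thing to check; if the times line up, disabling the task for a few days and watching whether a01e0004 stops is a cheap confirmation.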
  • Hi Jak,

    Thank you for your suggestion. It sounds like it takes a lot of steps and some knowledge to recover the affected machine. Anyway, this case is my customer's issue, which their outsourcer, who takes care of the PC maintenance job, solved by attaching the affected notebook's hard disk to his computer, which has Kaspersky AV, and running a virus scan. The result is that there are 2 malwares, a trojan and a rootkit:

    rootkit.win32.small.bjj and trojan-downloader.win32.agent.er (kaspersky).

    The point is whether Sophos on the affected notebook can detect both malwares or not. The time shown in the Enterprise Console log of the affected notebook indicates that "rootkit scan has been cancelled due to corrupted disk" came before the bluescreen happened or Windows couldn't be started.

    What is the meaning of "rootkit scan has been cancelled due to corrupted disk"? How do I solve this error? I have seen a lot of this error in Enterprise Console; let's say 10 endpoints have this error.
