
Re: Reboot issue: SAVservice is causing 15-60 minute delay until CTRL+ALT+DEL becomes available

My company just got hit with the same issues mentioned in this topic. Has anyone come across a fix or solid work around other than disabling services in Safe Mode? I have already contacted Sophos but their response time is poor and so far no troubleshooting has been attempted by them. Any help would be appreciated.



This thread was automatically locked due to age.
  • Hi ColuchMD,

    You may have noticed I’ve moved your post and started a new thread with it.  I did this because though the original thread does look the same, I don’t think it is related to your problem...

    I’ve read through the other case and the resolution was that some Data Control rules were set up in a way that lumped them all together and caused the SAVService to (in a word) 'choke'.  You’ve supplied an SDU output on one of your cases (ending …8897) for computer xxxY9281 (running Windows 7 Ultimate).  This shows that Data Control is not active.

    Summarizing the issue: First the computer hangs for a long time (to quote from the case: “delay lasts anywhere from several minutes to several days”).  Once logged into the computer the event log shows:

    Source: Service Control Manager
    Event ID: 7022
    The Sophos Anti-Virus service hung on starting.

    This is a very general error and because SAVService is as busy as the 30th street station (because all sub-components like reporting, updating, Web Protection, Live Protection, Web Control, Application Control, etc. interact with it in some way) sometimes it’s not going to be immediately obvious what sub-component of the protection is causing a problem.

    The SDU supplied from computer xxxY9281 shows you have certain protection features enabled - but not Data Control, hence not the same problem as on the other thread, but the same symptoms.  The engineer that is looking after you (on your case ending …8897) has picked Web Protection and Web Control as a likely culprit.  Therefore you’ve been asked to enable verbose logging for that feature and email it in.

    Side note:  You have two open cases with Support.  One ending ...8916 - opened for access to our case management portal 'SophServ'; and one ending ...8897 - the main support case for this reboot issue.  You will have received several emails from support but check the subject line for the different case references as they are separate.  You may want to close …8916 if you weren’t aware that it was open.

    So, moving forward… As per the last email (with a subject line containing ...8916) that you should have received, you should enable verbose logging, reboot (and make sure the issue occurs), and then email back a fresh SDU output.

    However I’m interested to know:  When did this start?  I don't want to de-rail the path of troubleshooting but: Rather than guess at the offending component can you say “we enabled feature X in the policy last week and the problem started X days later”?  If you have a team, ask around if someone switched something on.  You do use Enterprise Console, right?  Is Auditing enabled to track changes?

    If you want my two cents of troubleshooting:  Take a computer with the problem (not computer xxxY9281 - leave that for Support to troubleshoot with).  Create a new group in the Enterprise Console.  Attach to that group only default policies (stripped right down to the basics - no customizations).  Apply all those policies to the computer you picked (hopefully one nearby).  Test if the boot time is back to normal.  If not, disable functions in a policy and keep testing.  If the default policies restore the boot time to normal: then add the Web Control / Web Protection settings back in and test again.

    If you can either isolate a recent change to the Enterprise Console policies, or quickly determine what policy change has to be made to get the boot times back to normal you could have your end users back in full swing quickly - and leave one computer for Support to troubleshoot on and narrow down the exact cause.

    I hope some of that makes sense. :)

  • Additionally:  When considering recent changes to the computers - it may not be a policy change, start your thinking there but also consider:

    • Changes to Sophos Anti-Virus version (which includes change to Sophos Update Manager packages and subscriptions).
    • Operating system updates (maybe one, or a bunch of, hot fixes got deployed to the computers in question).
    • Third-party applications (have any new applications been installed recently or had an update).

    ...you may have to ask around your team if someone else may have put a change in place without your knowledge.

    Important: I was just about to close down the case notes and logs you sent in on computer xxxY9281 and noticed something.  This computer has both Sophos Anti-Virus installed and Malwarebytes' Anti-Malware.  This is not a good idea and I recommend you uninstall one of them and see if the issue is resolved.  Also check whether the other (all) affected computers have both programs installed to rule out whether computer xxxY9281 is a one-off or not.

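The two checks suggested in the replies above (when the Event ID 7022 hangs began, and whether a computer has both products installed) can be gathered per machine with a short script. This is an added example, not part of the original thread or a Sophos tool; the function names are hypothetical, and it assumes PowerShell 3.0 or later and that each product registers an Uninstall `DisplayName` containing the strings shown.

```powershell
# Added example: run locally on an affected computer, in an elevated session.
# Assumption: the installed products' DisplayName values contain these strings.
$productPatterns = @{
    'Sophos Anti-Virus' = '*Sophos Anti-Virus*'
    'Malwarebytes'      = '*Malwarebytes*'
}

function Get-InstalledProductName {
    # Read the standard 64-bit and 32-bit Uninstall registry keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object -ExpandProperty DisplayName -Unique
}

function Get-ServiceHangEvent {
    param([int]$Days = 30)
    # Event ID 7022 from Service Control Manager, limited to the Sophos Anti-Virus service.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7022
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Sophos Anti-Virus*' } |
        Sort-Object TimeCreated
}

$installed = Get-InstalledProductName
$found = foreach ($name in $productPatterns.Keys) {
    # -like against an array returns the matching names; empty means not installed.
    if ($installed -like $productPatterns[$name]) { $name }
}
$events = @(Get-ServiceHangEvent -Days 30)

# One summary row per computer; collect these to compare affected machines.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    ProductsFound   = ($found | Sort-Object) -join ', '
    BothInstalled   = (@($found).Count -eq 2)
    HangEventCount  = $events.Count
    FirstHangEvent  = if ($events) { $events[0].TimeCreated } else { $null }
    LatestHangEvent = if ($events) { $events[-1].TimeCreated } else { $null }
}
```

`FirstHangEvent` gives a date to compare against recent policy, product, operating system or third-party application changes; the event log only reaches back as far as its retention allows.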