DPM server bluescreens after Sophos endpoint installation (bluescreens stop when disabling Sophos services)

All,

DPM: 2010
OS: Windows Server 2008 R2

After pushing the Antivirus client on the DPM server, strange bluescreens have appeared (all faulting with DRIVER IRQ NOT LESS OR EQUAL in sis.sys). When disabling the Sophos services on the server, the bluescreens disappear.

It seems to happen when Sophos tries to scan the DPM volumes (\\.......). I've followed the guide from Microsoft for the exclusions and also excluded remote locations.

Any ideas?

Best regards!



This thread was automatically locked due to age.
  • Hello ManagedServices,

    The guide from Microsoft suggests excluding the replicas from On-Access scanning by disabling real-time monitoring of the DPM process DPMRA.exe. Wonder how you did this.

    Anyway, this is not performance degradation or data corruption (as bad as these are) but system instability. I'd suggest that you open a case with Support.

    Christian

  • Yeah, we excluded the process from on-access scanning; however, we had a feeling that this was not the same as excluding it from real-time monitoring.
  • Hi,

    If you are using Sophos Cloud to manage the server installs, policy permits process exclusions. If you are using on-premise, then at the current time, process exclusions are made in the registry - community.sophos.com/.../4011. I would first suggest ensuring the process is excluded as per best practice. If there is still a problem I would probably run driver verifier (Start->Run, type: verifier), go through the wizard and choose to monitor both sis.sys and savonaccess.sys. You can use the default options.

    I would also set up the computer to create a full memory dump. To do this you may need to tweak the size of the page file so it's at least equal to the total memory. A dump file created with driver verifier should produce better results as you capture the culprit rather than sometimes the victim.

    I would suggest that for this, Support will ideally want a full memory dump uploaded to their FTP server. If this is too difficult to obtain, maybe a kernel dump might be sufficient, failing which a mini dump.

    Regards,
    Jak
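
The steps in the reply above (confirm the dump type, check the page file against RAM, enable Driver Verifier for the two drivers) can be checked from an elevated PowerShell prompt. This is an added example, not part of the thread or Sophos guidance; the `-EnableVerifier` switch name and the default drivers directory are assumptions.

```powershell
# Added example, not from the thread. Run elevated; works on PowerShell 2.0.
param([switch]$EnableVerifier)   # hypothetical switch name

# Drivers to verify: sis.sys and the Sophos on-access driver (savonaccess.sys).
$drivers = 'sis.sys', 'savonaccess.sys'
foreach ($d in $drivers) {
    # Assumption: both files live in the default drivers directory.
    $path = Join-Path $env:SystemRoot "System32\drivers\$d"
    "{0,-18} present: {1}" -f $d, (Test-Path $path)
}

# 1. Dump type. CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small.
$cc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$names = @{ 0 = 'none'; 1 = 'complete'; 2 = 'kernel'; 3 = 'small' }
"Dump type : {0} ({1})" -f $cc.CrashDumpEnabled, $names[[int]$cc.CrashDumpEnabled]
"Dump file : {0}" -f $cc.DumpFile
if ($cc.CrashDumpEnabled -ne 1) {
    Write-Warning 'Not set to a complete memory dump.'
}

# 2. Page file on the system drive versus installed RAM (both in MB).
#    AllocatedBaseSize is the currently allocated size of the page file.
$ramMB = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$pf = Get-WmiObject Win32_PageFileUsage |
      Where-Object { $_.Name -like "$($env:SystemDrive)*" }
$pfMB = 0
if ($pf) { $pfMB = ($pf | Measure-Object AllocatedBaseSize -Sum).Sum }
"RAM       : $ramMB MB"
"Page file : $pfMB MB on $($env:SystemDrive)"
if ($pfMB -lt $ramMB) {
    Write-Warning 'Page file is smaller than RAM; a complete dump may not fit.'
}

# 3. Current Driver Verifier settings, then optionally enable standard checks.
verifier /querysettings
if ($EnableVerifier) {
    verifier /standard /driver $drivers   # takes effect after the next reboot
}
```

Once the dump has been captured, `verifier /reset` followed by a reboot turns verification off again.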