A brief information for users of Sophos enterprise security solutions: Sophos has just begun to deliver an update to correct the Windows patchday problems caused by its products. Here is some information on the subject.
On 9 April 2019, Microsoft released several security updates for different versions of Windows, which caused installation problems when certain third-party antivirus software was installed. The symptoms ranged from systems that no longer booted, to freezes, to extremely slow systems. I had reported on this in several blog posts, among others in the article Windows patchday issues–one week later (April 17, 2019).
Regarding Sophos, the vendor and Microsoft were able to identify a problem on Sophos Endpoint Protection devices that have either Sophos Central or Sophos Enterprise Console (SEC) installed and/or are managed by these protection solutions. The system may stop responding on reboot after this update has been installed.
Microsoft has therefore temporarily excluded all Windows systems on which Sophos Endpoint is installed from receiving the affected April 2019 security updates. According to Microsoft, this will apply until a solution is available. More details can be found in the text below.
Micro updates and workarounds
Sophos then published workaround instructions for Sophos Endpoint and Sophos Enterprise Console customers on how to resolve the issue on affected systems. At the same time, micro-updates were released as a quick fix for the issue. Under the hood, the following happened: the micro-patches added scan rule exceptions so that the Sophos product directories under:
have been excluded from scans. See this Sophos support article for details. On Thursday, 25 April 2019, I chatted with an administrator who uses Sophos solutions in corporate environments. He complained that ‘no updates’ were available, still two weeks later. When I told him that there were updates from Sophos, he wrote:
No, I’m afraid they haven’t. Only exceptions have been set so that certain folders are not monitored. I was able to check this in the Enterprise Console. So, waiting for the update from Sophos.
This is exactly the workaround that Sophos suggests in its support article. Sophos has kept silent on the root cause of the issue. But in the blog post Windows issues with April Updates and AV-Programs–root cause known, I had revealed a piece of information published by McAfee that names the cause of the problem. In my opinion, that description also applies to the Sophos protection solutions.
Seems to be a bigger issue
I had wondered for quite a while about the absence of the Windows preview updates (see Still no April 2019 Preview Updates for Windows). Now those updates have arrived, after a long delay. Since the early morning of April 26, 2019 (CET), Microsoft has provided preview updates for the various Windows versions.
But within the Known Issues sections of the KB articles I found the hint from Microsoft that the preview updates also have problems with antivirus software from Sophos, Avast, Avira etc. For Sophos, it was still explicitly stated that Microsoft was investigating the issues with the vendor and blocking the distribution of updates to machines with the affected products.
Sophos becomes more concrete and provides an update
But the whole thing seems to be quite dynamic. On Friday I received a notification from a news editorial team that Sophos ‘provides an update’. Checking the Sophos support article 133945 again, I found it had been updated on April 26, 2019. Now Sophos says:
Microsoft has released updates on April 9, 2019 that are impacting some security AV vendors, causing some customers using Windows 7, Windows 8.1, Windows 2008, Windows 2008 R2, Windows 2012 and Windows 2012 R2 to occasionally experience system failures or hangs during boot up after application of the update.
Sophos has been working non-stop to resolve the issue. We quickly coordinated a temporary block that prevents the Microsoft update from being visible for download if the Sophos endpoint is installed. This has been successful in preventing system failures, and allowed us to investigate a permanent resolution. The block will remain in place until the resolution is fully tested and rolled out to customers.
The temporary solution includes an exclusion that works for all of our customers. These exclusions have been automatically added in Sophos Central and Sophos Enterprise Console (versions 5.5.x) and can also be manually added to SEC 5.4.1, UTM Managed Endpoints and Standalone Endpoints/Servers. The exclusions prevent system issues even if the Microsoft update is installed.
We have identified a permanent fix and are now automatically rolling out the fix to customers starting 25th April 2019. This will take place over a two to three week period. To check if you have received the fix see the ‘How to confirm if you have received the fix’ section linked under each product.
Administrators should be careful!
Administrators in enterprise environments who use Sophos security solutions need to be careful. As long as the update for the Sophos antivirus solution has not been installed, Windows updates may cause trouble. Sophos has described how to check for the update in support article 133945. It also lists the different product versions that already contain the fix.
For administrators, it is also important to note that Microsoft continues to block the distribution of (preview and security) updates to affected machines (via Windows Update). However, Microsoft plans to end this temporary blockade as of May 6, 2019. That is just one and a half weeks away, but Sophos says it needs two to three weeks to roll out the patches. This could possibly lead to another update disaster if Microsoft lifts the update blocker before the Sophos fix has reached all machines.
Microsoft Office Updates (Patchday April 2, 2019)
Microsoft Security Update Summary (April 9, 2019)
Patchday: Updates for Windows 7/8.1/Server (April 9, 2019)
Patchday Windows 10-Updates (April 9, 2019)
Patchday Microsoft Office Updates (April 9, 2019)
Windows patchday issues–one week later (April 17, 2019)
Windows 10: Optional Updates (April 25, 2019)