Working Around the Sophos BSoD

2 min. read | Last update: 03.08.2021

A recent Sophos update introduced an issue where downstream filter drivers can cause Sophos to crash with a BSOD (Blue Screen of Death).

Sophos has confirmed this issue and has provided us with a workaround from their Sophos Central portal (see "The Sophos Solution" at the bottom).

The ThreatLocker Solution:

ThreatLocker has developed a fix for the Sophos issue in Agent Version 6.2, which changes the position of the ThreatLocker filter driver so that it loads before the Sophos filter driver.

Please update your computers to ThreatLocker Version 6.2 to address this issue.

Note: Please see the important note below about restarting services after updating versions.

Updating ThreatLocker Versions:

In order to upgrade ThreatLocker for all devices within a group, please visit this article.

Alternatively, you can upgrade single devices from the "Computers" page:

  • Manage the organization the endpoint is located in
  • Navigate to the "Computers" page
  • Search for the endpoint
  • Change the dropdown for "Client Version" as shown below

Important: You MUST restart the service twice from the portal after updating. Restarting the device does not apply the driver change. The service restart can be done from the "Computers" page, where you can select as many devices as you need before restarting.


The Sophos Solution:


Log in to Sophos Central, navigate to Endpoint Protection > Policies > Threat Protection, and disable the following policies (shown in the screenshot above):

  • 'Enable Threat case Creation'
  • 'Allow computers to send data on suspicious files, network events, and admin tool activity to Sophos Central'

This should stop the BSOD.
