Working Around the Sophos BSoD
A recent update in Sophos has created an issue where downstream filter drivers can cause Sophos to crash with a BSOD (Blue Screen of Death).
Sophos have confirmed this issue and have provided us with a workaround from their Sophos Central portal (See "The Sophos Solution" listed at the bottom)
The ThreatLocker Solution:
ThreatLocker has developed a fix for the Sophos issue in Agent Version 6.2 -- by changing the position of the ThreatLocker filter driver to load the Sophos filter driver.
Please update your computers to ThreatLocker Version 6.2 to address this issue.
Note: Please see the important note about restart services after updating versions.
Updating ThreatLocker Versions:
In order to upgrade ThreatLocker for all devices within a group, please visit this article.
Alternatively, you can upgrade single devices from the "Computers" page:
- Manage the organization the endpoint is located in
- Navigate to the "Computers" page
- Search for the endpoint
- Change the dropdown for "Client Version" as shown below
Important: You MUST restart the service twice from the portal after updating. The driver change does not inherit the change upon restarting the device -- this can be accomplished from the "Computers" page. You can select as many devices as you need before restarting.
The Sophos Solution:
If you log in to Sophos Central and navigate to Endpoint Protection > Policies > Threat Protection:
- Disable the 'Enable Threat case Creation'
- Disable 'Allow computers to send data on suspicious files, network events, and admin tool activity to Sophos Central" policies in the screenshot above.
This should stop the BSOD.