Sophos Antivirus Driver Caused BSODs After Windows KB5013943 Update
Sophos has released a fix for a known issue triggering blue screens of death (aka BSODs) on Windows 11 systems running Sophos Home antivirus software after installing the KB5013943 update.
“Customers on Windows 11 running Sophos Home may encounter a BSOD/Stop error after installing Windows Update KB5013943 and restarting their machines,” the cybersecurity vendor explains.
‘The symptoms involve being unable to get to the desktop after restarting the computer/shutting down powering it back on post-installation of Windows Update KB5013943.”
Sophos says the issue is caused by the hmpalert.sys (aka HitManPro.Alert Support) Windows driver used by Sophos Home.
The fix for this known bug will apply automatically to all impacted systems, with users prompted to restart their devices as soon as the patch is applied.
Also Read: The 5 Benefits Of Outsourcing Data Protection Officer Service
Customers impacted by this issue can check if the fix has been applied by going to C:\Windows\System32\drivers, and checking hmpalert.sys’ details, confirming that their product version is 184.108.40.206.
The company also provides workarounds for those who haven’t yet received this automatic fix.
They require renaming the hmpalert.sys driver or (as a last resort option, if the system is unusable) uninstalling the problematic Windows update.
However, you should be aware that removing the KB5013943 will also remove security updates that rolled out during the May 2022 Patch Tuesday, including three zero-days (two of them also actively exploited).
To remove the KB5013943 Windows 11 KB5013943 update (although not recommended), you should also let the systems crash three times with a blue screen, then click “See Advanced repair options” and select “Troubleshoot > Advanced options >Uninstall Updates >Uninstall latest quality update.”
To rename the hmpalert.sys driver, Sophos advises letting the system BSOD and auto restart. After it happens three times in a row, you will get an “Advanced repair options” where you can open a command prompt by going to Select Troubleshoot > Advanced options > Command Prompt.
Once a command line is available, you need to go through the following procedure (after going through all the steps, the system should boot normally):
1. Type cd c:\windows\system32\drivers 2. Hit Enter 3. Type ren hmpalert.sys hmpalert.old 4. Hit enter 5. Type Exit 6. Select Continue
After each workaround, Sophos recommends verifying if the fix has been applied as detailed above.
Also Read: How To Prevent WhatsApp Hack: 7 Best Practices
KB5013943 is a mandatory cumulative update released during this month’s Patch Tuesday with security updates for vulnerabilities discovered in the previous months.
This update is also causing 0xc0000135 application errors when attempting to launch .NET applications, with Windows 11 displaying an error stating that “The application was unable to start correctly (0xc0000135). Click OK to close the application.”
Affected apps vary per user, but based on user reports, applications having problems include ProtonVPN, PowerShell, Event Viewer, Sound Blaster Command, KeePass, Visual Studio, Discord, ShareX, and others.