Paged Pool depletion due to handle leak with Sophos AV

Applies to: Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)Windows Server 2008 Enterprise


  You may experience the following symptoms after a routine virus definition update to Sophos antivirus software:
  • Srv 2020 events in the Event Log indicating a lack of paged pool
  • Event ID 333 events when paged pool is depleted
  • Servers become unresponsive or hang
  • Unable to log on to servers

The server may hang as frequently as every 24 hours.

You will also see the processes SavService.exe and/or Sav32Cli.exe using a large number of handles (>20,000) which increases over time.

This is due to a handle leak to registry key objects which eventually depletes paged pool (a finite kernel resource) in turn causing system instability. The particular handles leaked are to keys under the "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" key.

Sophos has released an update which resolves this issue. Please see their KB article here: