Endpoint Protection

  • 1.  Blue Screen

    Posted Feb 26, 2014 01:15 AM

    hello all,

    Blue screen of death is coming on the screen. After looking at the dump, this was observed. How can this be resolved?
    6: kd> lmvm Teefer
    start             end                 module name
    fffff880`036f7000 fffff880`03727000   Teefer     (no symbols)
        Loaded symbol image file: Teefer.sys
        Image path: \SystemRoot\system32\DRIVERS\Teefer.sys
        Image name: Teefer.sys
        Timestamp:        Tue Jul 17 13:58:52 2012 (5005618C)
        CheckSum:         0002329D
        ImageSize:        00030000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4BL



  • 2.  RE: Blue Screen

    Posted Feb 26, 2014 01:20 AM

    teefer 2 is the firewall component of SEP.

    Are you trying to install 11.x with Network Threat Protection?

    Install only AV/ AS or Install the latest 12.1.4 and check



  • 3.  RE: Blue Screen

    Posted Feb 26, 2014 01:31 AM

    You can Install SEP 12.1.4 on client

    https://www-secure.symantec.com/connect/forums/bsod-when-boot-windows

    If the above does not help, contact Symantec support

     

    Memory Dump is necessary to analyze the root cause of BSOD.

    I would strongly suggest to open a support case and provide them memory dump, image if required.

    Support can reproduce the issue. They can try to identify root cause & culprit.

    Log a web case or call support.

    How to create a new case in MySupport

    http://www.symantec.com/docs/TECH58873

    How to Create and Validate a SymAccount for using Symantec's MySupport

    http://www.symantec.com/docs/HOWTO31127

    How to update a support case and upload diagnostic files with MySupport

    http://www.symantec.com/docs/TECH71023

    OR

    Regional Support Telephone Numbers:
    United States: https://support.broadcom.com (407-357-7600 from outside the United States)
    Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
    United Kingdom: +44 (0) 870 606 6000
    Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp
    India: Toll-Free 000 800 4401 456



  • 4.  RE: Blue Screen

    Posted Feb 26, 2014 01:36 AM

    @rafeeq I am not trying to install. It's already installed but suddenly started to show this behavior.



  • 5.  RE: Blue Screen

    Posted Feb 26, 2014 01:38 AM

    For the latest upgrade, I have to upgrade the SEPM first to 12.1.4 and then the clients?



  • 6.  RE: Blue Screen

    Posted Feb 26, 2014 01:43 AM

    Yes, you first need to upgrade your SEPM, then the clients

    SEP 11 used to cause this behaviour. If you give me the exact version of SEP 11 we can check the release notes for the bug fix.

    Take a backup of SEPM 11

    Upgrade to 12.1.4 (RU4a); this is what you will see in FileConnect. It's RU4a as they fixed the SEPM vulnerability

    then upgrade clients using the auto upgrade feature

    Upgrading or migrating to Symantec Endpoint Protection 12.1.4 (RU4)/12.1.4a (RU4a)

     

    http://www.symantec.com/business/support/index?page=content&id=TECH211821



  • 7.  RE: Blue Screen

    Posted Feb 26, 2014 01:50 AM

    Here is the complete information about this. Please have a look at it.

     

    SEPM version is 12.1.2. The issue is coming on 20 servers running Server 2008 R2 with all the components installed, though the firewall is disabled from the SEPM but the component is still installed on the clients. How should I go about it now?

     

    Regards,



  • 8.  RE: Blue Screen

    Posted Feb 26, 2014 01:54 AM

    I suggest you can log a call..

    Memory Dump is necessary to analyze the root cause of BSOD.

    I would strongly suggest to open a support case and provide them memory dump, image if required.

    Support can reproduce the issue. They can try to identify root cause & culprit.

    Log a web case or call support.

    How to create a new case in MySupport

    http://www.symantec.com/docs/TECH58873

    How to Create and Validate a SymAccount for using Symantec's MySupport

    http://www.symantec.com/docs/HOWTO31127

    How to update a support case and upload diagnostic files with MySupport

    http://www.symantec.com/docs/TECH71023

    OR

    Regional Support Telephone Numbers:
    United States: https://support.broadcom.com (407-357-7600 from outside the United States)
    Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
    United Kingdom: +44 (0) 870 606 6000
    Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp
    India: Toll-Free 000 800 4401 456



  • 9.  RE: Blue Screen
    Best Answer

    Posted Feb 26, 2014 01:56 AM

    I would suggest removing the firewall component from servers altogether.

    go to add/remove programs

    select sep

    modify

    remove NTP

    reboot

    There were two teefer blue screen issues fixed in 12.1.3, so upgrade to SEP 12.1.4

    BugCheck 50 (PAGE_FAULT_IN_NONPAGED_AREA) references teefer.sys

    Fix ID: 2990492

    Symptom: The Symantec Endpoint Protection client experiences a blue screen with BugCheck 50 (PAGE_FAULT_IN_NONPAGED_AREA). The blue screen references faulting driver teefer.sys.

    Solution: Modified the Teefer driver to prevent this blue screen.

    http://www.symantec.com/business/support/index?page=content&id=TECH206828

    As of now, remove the NTP; whenever you plan to upgrade to 12.1.4 you can put the NTP back

    P.S: You should only install NTP on servers after proper testing of firewall rules.



  • 10.  RE: Blue Screen

    Posted Feb 26, 2014 02:05 AM

    @Rafeeq what you meant was that first I should remove the NTP component from those 20 server machines individually by going into add-remove programs, then restart them to see whether this issue is resolved or not. If the issue still persists then upgrade to the SEPM 12.1.4(a).

    Secondly, the firewall policy is disabled from the SEPM but its component is installed on the client, so would this make any difference?

     

    Regards,



  • 11.  RE: Blue Screen

    Posted Feb 26, 2014 02:07 AM

    You can do this with SEPM

    How to add or remove features to existing Symantec Endpoint Protection (SEP) client installations

     

     

    Article:TECH90936 | Created: 2008-01-18 | Updated: 2014-01-03 | Article URL http://www.symantec.com/docs/TECH90936

     



  • 12.  RE: Blue Screen

    Posted Feb 26, 2014 02:12 AM

    Withdrawing the policy will not take out the component; when you withdraw the policy the NTP component would still be active but will be in pass-through mode, no firewall rules would be processed.

    Yes, remove NTP from the 20 servers; if not manually, you can put them in a group and assign only the AV/AS package. Make sure to reboot them after you have removed the NTP.

    Your current SEPM can manage 12.1.4 clients; in this case you can just upgrade your clients to 12.1.4.

     

     



  • 13.  RE: Blue Screen

    Posted Feb 26, 2014 02:20 AM

    @rafeeq a couple of things I would like you to clear up.

    1. If I assign them to a group and remove the NTP component from that group, then how much time would it take to remove the NTP component from the group, and then do I have to restart the clients to make the changes take effect?

     

    2. SEPM is running on the version 12.1.2, how can it support the clients with the version 12.1.4? Do I have to import those 12.1.4 packages into the SEPM and then assign them to the respective group?



  • 14.  RE: Blue Screen

    Posted Feb 26, 2014 02:29 AM

    This would be my approach

    1) Download RU4 from FileConnect

    2) Import into SEPM

    http://www.symantec.com/business/support/index?page=content&id=TECH122824

    3) Create a package without NTP and push out to clients

    or

    How to add or remove features to existing Symantec Endpoint Protection (SEP) client installations

     

    http://www.symantec.com/business/support/index?page=content&id=TECH90936

    It would take the same amount of time as a new installation. Better to create a package and push it out.

    Reboot after it's done



  • 15.  RE: Blue Screen

    Posted Feb 26, 2014 02:29 AM

    If I run the disable "Network Threat Protection" command on the group then it will disable the NTP. Is it gonna essentially remove the component from the clients?



  • 16.  RE: Blue Screen

    Posted Feb 26, 2014 02:31 AM

    It will disable the component. It will not remove the teefer2 driver (pass-through mode)
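
The distinction made in replies 12 and 16 (a disabled or withdrawn firewall policy leaves the Teefer driver on the machine, while removing the NTP feature takes it out) can be checked per server after the reboot. The script below is an added example, not part of the original thread or Symantec's tooling; the host names are placeholders, and it assumes the driver's service name starts with "Teefer", as the thread's Teefer.sys / teefer2 references suggest. It uses `Get-WmiObject` so that it runs on the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example. Host names are placeholders: replace with the affected servers.
$servers = 'SERVER01', 'SERVER02'

# Assumption: the firewall driver's service name starts with "Teefer"
# (the thread refers to Teefer.sys and "teefer2").
$query = @{
    Class       = 'Win32_SystemDriver'
    Filter      = "Name LIKE 'Teefer%'"
    ErrorAction = 'Stop'
}

$report = foreach ($server in $servers) {
    try {
        # @() forces an array so .Count works for zero or one result.
        $drivers = @(Get-WmiObject @query -ComputerName $server)
    } catch {
        # Unreachable host or access denied: record it instead of aborting the sweep.
        New-Object PSObject -Property @{
            Server = $server; Driver = '-'; State = 'query failed'
            StartMode = '-'; Path = $_.Exception.Message
        }
        continue
    }

    if ($drivers.Count -eq 0) {
        # No matching driver service registered: the component has been removed.
        New-Object PSObject -Property @{
            Server = $server; Driver = '-'; State = 'not installed'
            StartMode = '-'; Path = '-'
        }
        continue
    }

    foreach ($d in $drivers) {
        # A driver that is still registered (Running or Stopped) means the
        # feature was only disabled, not removed.
        New-Object PSObject -Property @{
            Server = $server; Driver = $d.Name; State = $d.State
            StartMode = $d.StartMode; Path = $d.PathName
        }
    }
}

$report | Select-Object Server, Driver, State, StartMode, Path | Format-Table -AutoSize
```

Run it from an account with remote WMI access to the servers; a row with State `Running` after the policy was withdrawn corresponds to the pass-through mode described above.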

     



  • 17.  RE: Blue Screen

    Posted Feb 26, 2014 02:36 AM

    @rafeeq what if I remove the NTP component from the individual clients by going into the add-remove programs, restart the client and then see what happens?



  • 18.  RE: Blue Screen

    Posted Feb 26, 2014 02:44 AM

    Yes, that's the easiest method... you can try that first



  • 19.  RE: Blue Screen

    Posted Feb 26, 2014 03:21 PM

    You can upgrade only the client if you wish. There is no need to upgrade the SEPM as 12.1 SEPM will manage version of 12.1. It's always recommended to be on the same version across the board but is not a must.