Endpoint Protection

  • 1.  Blue screen on print server with WpsHelper.sys

    Posted Oct 24, 2011 02:11 PM

    The print server (W2k3 SP2 x86) is blue screening every week or so and the memory dump points to WpsHelper.sys. I have seen that this used to be an issue in the older versions of SEP but we are on SEP11 RU6A.

    Odd that we have SEP on other W2k3 servers but the blue screen happens only on the print server.

    Any ideas? 

    =======================================

    kd> lmvm WpsHelper

    start    end        module name

    b7664000 b768ba80   WpsHelper   (export symbols)       WpsHelper.sys

        Loaded symbol image file: WpsHelper.sys

        Image path: \??\C:\WINDOWS\system32\drivers\WpsHelper.sys

        Image name: WpsHelper.sys

        Timestamp:        Thu Sep 02 21:14:42 2010 (4C804C02)

        CheckSum:         00035AB8

        ImageSize:        00027A80

        File version:     12.3.0.4

        Product version:  12.3.0.4

        File flags:       0 (Mask 0)

        File OS:          40004 NT Win32

        File type:        1.0 App

        File date:        00000000.00000000

        Translations:     0409.04e4

        CompanyName:      Symantec Corporation

        ProductName:      Symantec Intrusion Detection

        InternalName:     WpsHelper

        OriginalFilename: WpsHelper.sys

        ProductVersion:   12.3.0000.4

        FileVersion:      12.3.0000.4

        FileDescription:  Symantec Intrusion Detection - WpsHelper

        LegalCopyright:   Copyright © 2009 Symantec Corporation. All rights reserved. Use of this product is subject to license terms.



  • 2.  RE: Blue screen on print server with WpsHelper.sys

    Posted Oct 24, 2011 02:44 PM

    Either remove Network Threat Protection.

    Or change all current IPS Signatures to Log only mode. There were 1 or 2 IPS sigs which blocked Print Server Traffic.

    Can you check in SEPM -Monitor -logs

    Network Threat Protection -Attack

    Advanced Setting--put print server's IP

    select 1 week 

    and check what was detected on this machine within 1 week.



  • 3.  RE: Blue screen on print server with WpsHelper.sys

    Posted Oct 24, 2011 03:10 PM

    I would first try updating the client to RU7 and test to see if the BSODs continue. If they continue after updating then you are going to need to open a support case and provide a full memory dump to be able to conclusively determine what is causing the BSOD. Below is documentation on how to configure a full dump.

    http://www.symantec.com/docs/TECH104660



  • 4.  RE: Blue screen on print server with WpsHelper.sys

    Posted Oct 24, 2011 03:48 PM

    Sorry, upgrading is not an option right now as we are a govt facility and have to go through too much to upgrade.  But I will give the information to network operations so that they can configure the full dump on this system if we need to send to Symantec.



  • 5.  RE: Blue screen on print server with WpsHelper.sys

    Posted Oct 24, 2011 03:52 PM

    Thanks and I looked at the logs and most of the attack types are Intrusion Prevention and Active Response Disengaged. The IP is my vulnerability scanner. Though the dates and times of the blue screen do not coincide with the scan times. For example, there was a blue screen this morning but no scan was running.

    So I have asked network operations to give me the dates and times of when the print server blue screened in the past month.