
BSOD and symefasi.sys


  • 1.  BSOD and symefasi.sys

    Posted Mar 04, 2015 04:34 AM

    Hi all, since Friday I've been experiencing some BSOD issues with the following dump.

    [Image: error.png]

    Any idea of the possible reason?

    Thanks!



  • 2.  RE: BSOD and symefasi.sys

    Trusted Advisor
    Posted Mar 04, 2015 04:49 AM

    What version of SEP are you using? I believe this was fixed in SEP 12.1 RU5.



  • 3.  RE: BSOD and symefasi.sys

    Posted Mar 04, 2015 04:59 AM

    The problem appeared with the upgrade to 12.1.5337.5000 version.



  • 4.  RE: BSOD and symefasi.sys

    Trusted Advisor
    Posted Mar 04, 2015 05:10 AM

    Have you tried running a repair on the client itself on the machine? 

    Also what elements of SEP do you have installed on the SEP client? As the IPS element can cause BSOD. 

    Is this a server or a user machine?



  • 5.  RE: BSOD and symefasi.sys

    Posted Mar 04, 2015 05:15 AM

    No IPS installed, these are the features installed.

    [Image: issue.jpg]

    I haven't tried repair because the issue appeared in more than 1 client and just after the upgrade.



  • 6.  RE: BSOD and symefasi.sys

    Trusted Advisor
    Posted Mar 04, 2015 07:52 AM

    Even though you haven't got any NTP components installed, untick the NTP. I've had issues with the component on servers causing BSOD; once it was completely removed the issue went too.



  • 7.  RE: BSOD and symefasi.sys

    Posted Mar 04, 2015 08:03 AM

    You may have seen this thread which was posted just the other day:

    https://www-secure.symantec.com/connect/forums/anybody-else-experiencing-windows-7-crashes-today

    Not sure if it applies but I'd get a case open so they can investigate.



  • 8.  RE: BSOD and symefasi.sys

    Posted Mar 04, 2015 08:55 AM

    We are running SEP version 12.1.5337.5000 and since last Friday we are also having random BSOD. I analyzed the DMP files with WinDbg and all of them state that it was caused by symefasi.sys.



  • 9.  RE: BSOD and symefasi.sys

    Posted Mar 04, 2015 08:58 AM

    I did see a new EFA come down the other day. What is your sequence at for the EFA signatures? Mine is 150301017.



  • 10.  RE: BSOD and symefasi.sys

    Posted Mar 04, 2015 09:30 AM

    I have the same signatures as you do.



  • 11.  RE: BSOD and symefasi.sys

    Posted Mar 04, 2015 11:13 AM

    Note to anyone who has been experiencing BSOD since Friday - please open a case with Symantec.  Once you have a case open, private message me and I'll swap case numbers.  I'm trying to get Symantec to link all these cases, since they repeated to us again an hour ago that they haven't had others with the same case.

    NOTE TO SYMANTEC:   **YOU** should be correlating these cases, not me.  Just sayin'

    Paul



  • 12.  RE: BSOD and symefasi.sys

    Posted Mar 04, 2015 11:25 AM

    Would also be nice to see something publicly. I have no clue why I haven't been affected by this (or more customers). Seems to be a hardware/EFA issue? Who knows...

    Thanks for staying on top of this and updating though as I'm sure you have other things you can be doing ;)



  • 13.  RE: BSOD and symefasi.sys

    Posted Mar 04, 2015 11:59 AM

    We are experiencing the same exact problem here on Servers especially.  Does anybody know what the fix is for this besides opening a case with Symantec?

    I've had about 30 servers including 2 SEPM's now crash with a bluescreen and when looking at the minidump file it shows.

    This is only happening with SEP 12.1.5337.5000 as well for us.  We have no problems with 12.1.4013.4013 or 12.1.4112.4156

     

    ntoskrnl.exe    ntoskrnl.exe+8691c    fffff800`01614000

    symefasi.sys    symefasi.sys+16efc8    fffff880`01448000
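
Added example (not part of the original thread and not a Symantec tool): a small triage script that groups crash-stack entries like the two above by driver and offset across many hosts, which is the cross-machine correlation the posters are doing by hand. It assumes each line reads module, module+offset, module load address; the host names, the lines for HOST-B to HOST-D and `exampledrv.sys` are constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout: <module> <module>+<hex offset> <load address with backtick>
ENTRY_RE = re.compile(
    r"^\s*(?P<module>\S+)\s+(?P=module)\+(?P<offset>[0-9a-fA-F]+)\s+"
    r"(?P<base>[0-9a-fA-F]{8}`[0-9a-fA-F]{8})\s*$"
)
# Core OS images show up in almost every bugcheck stack, so they are skipped
# to make third-party drivers stand out.
OS_IMAGES = {"ntoskrnl.exe", "hal.dll", "win32k.sys"}

def parse_entry(line):
    """Return module, offset, base and absolute address, or None if no match."""
    m = ENTRY_RE.match(line)
    if m is None:
        return None
    base = int(m.group("base").replace("`", ""), 16)
    offset = int(m.group("offset"), 16)
    return {"module": m.group("module").lower(), "offset": offset,
            "base": base, "address": base + offset}

def correlate(reports):
    """Map each non-OS driver to the hosts it crashed on and its offsets."""
    summary = {}
    for host, text in reports.items():
        for line in text.splitlines():
            entry = parse_entry(line)
            if entry is None or entry["module"] in OS_IMAGES:
                continue
            info = summary.setdefault(entry["module"],
                                      {"hosts": set(), "offsets": Counter()})
            info["hosts"].add(host)
            info["offsets"][entry["offset"]] += 1
    return summary

# Constructed sample: HOST-A reuses the two lines quoted in the post above;
# every other host, offset and driver name is invented for illustration.
SAMPLE_REPORTS = {
    "HOST-A": "ntoskrnl.exe    ntoskrnl.exe+8691c    fffff800`01614000\n"
              "symefasi.sys    symefasi.sys+16efc8    fffff880`01448000\n",
    "HOST-B": "symefasi.sys    symefasi.sys+16efc8    fffff880`01021000\n",
    "HOST-C": "symefasi.sys    symefasi.sys+2a1b0    fffff880`01448000\n",
    "HOST-D": "exampledrv.sys    exampledrv.sys+1f00    fffff880`04a00000\n",
}

if __name__ == "__main__":
    ranked = sorted(correlate(SAMPLE_REPORTS).items(),
                    key=lambda kv: -len(kv[1]["hosts"]))
    for module, info in ranked:
        offs = ", ".join(f"+{o:x} x{n}" for o, n in info["offsets"].most_common())
        print(f"{module}: {len(info['hosts'])} host(s) [{offs}]")
```

The offset is compared rather than the absolute address because drivers load at different base addresses on different machines; the same offset on many hosts points at the same code path.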

     



  • 14.  RE: BSOD and symefasi.sys

    Posted Mar 04, 2015 12:56 PM

    It is really bizarre.  Most of our machines are unaffected.  But over 400 are impacted. Desktops and Laptops. It doesn't always happen.  Yesterday I had a machine in my cube that I rebooted 20 times in a row and it blue screened about 5 times. Different memory dumps show different things (I don't know if it is consistent on a single machine - I haven't been the one doing the memory dumps).  It happens when the user logs in.  Logging in while the machine is off the network appears to prevent the problem. 



  • 15.  RE: BSOD and symefasi.sys

    Posted Mar 04, 2015 12:57 PM

    For us, forcing the IPS defs back to 2/25 does the trick.

    1. under policies, create a new Live Update Content policy (Policies > Live Update > Live Update Content tab)
    2. set the date on the IPS definitions back to 2/25/2015 r12 (assuming you have that, if not pick another one)
    3. create a group to apply this policy to (or do it to an existing group)
    4. set the policy by going into the group Policies tab > LiveUpdate Content Policy Settings

    Obviously, this is a temporary workaround 'till Symantec fixes it.

     

    Another workaround - logging into the system while it is off the network seems also to work for us.

     



  • 16.  RE: BSOD and symefasi.sys

    Posted Mar 04, 2015 06:15 PM

    This post is also linked to:

    https://www-secure.symantec.com/connect/forums/anybody-else-experiencing-windows-7-crashes-today#comment-10938201

    Well, unfortunately my company has signed up a 3 year contract with Symantec for AV protection... I hate Symantec, nothing they do works fine the first time... exclusions still get scanned, server reboots, server crashes... but this is not relevant atm... our Windows 7 computers are also crashing, randomly BSOD multiple times a day. The only solution we have found was to uninstall Symantec 12.1.5 with CleanWipe. All issues we are experiencing are the same ones mister paul and wroot have described above. Thanks for creating the post guys.

    I have tried multiple times to communicate with Symantec to open a ticket online and this is what I get:

    https://my.symantec.com/static/sitemaintenance.html

    "MySymantec Maintenance

    We apologize for the inconvenience, but the site is currently unavailable while we are making updates. While the system is down, you can view articles and forum posts in our user community, Symantec Connect. You do not need to log in to browse the forums and read the posts and articles."

    Then I try the phone to give them a call, get on hold for a long time and I get disconnected... what a joke this company is.

    All computers that are crashing are showing this error:

    IMAGE_NAME:  symefasi.sys

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s...

    Well, I will keep trying to contact them... and making sure I don't renew the AV when the time comes.

    http://www.customerservicescoreboard.com/Symantec



  • 17.  RE: BSOD and symefasi.sys

    Posted Mar 04, 2015 09:19 PM

    Symantec tells us that IPS defs released today, 04-March-2015 rev. 12 (20150301.12), should resolve the issue.  Please test and report back.  We won't know our results 'till tomorrow.

    I am going to post this in all the BSOD threads, so apologies for duplication...

    Paul



  • 18.  RE: BSOD and symefasi.sys

    Posted Mar 04, 2015 09:27 PM

    Thanks, I managed to open a ticket with Symantec. The defs you mentioned are not yet available to us. Regards, Felipe.



  • 19.  RE: BSOD and symefasi.sys

    Posted Mar 04, 2015 09:28 PM

    Run liveupdate. I just pulled them down.



  • 20.  RE: BSOD and symefasi.sys

    Posted Mar 04, 2015 09:34 PM

    Same here.  Admin > Local Site (or whatever sites you use) > Download LiveUpdate content.  That will force your SEPM to get the latest defs.  Then you can force some test clients to get the update, rather than wait for the heartbeat.



  • 21.  RE: BSOD and symefasi.sys

    Posted Mar 05, 2015 03:35 AM

    My case 08338719



  • 22.  RE: BSOD and symefasi.sys

    Posted Mar 05, 2015 03:49 AM

    I have updated to virus and spyware protection March 4, 2015 r18, Preventive Protection February 24, 2015 r15, and Network Threat Protection 4 March 2015 r12. BSODs continue.



  • 23.  RE: BSOD and symefasi.sys

    Posted Mar 05, 2015 04:21 AM

    We got the new IPS definitions (4 March 2015 r12) last night and we are also still having BSOD issues on several machines. Will try to rollback the IPS definitions on some systems to see if that helps.



  • 24.  RE: BSOD and symefasi.sys

    Posted Mar 05, 2015 04:35 AM

    How do you roll back definitions? I changed the version of SEP to 12.1.4112.4156; it fixes the problem.



  • 25.  RE: BSOD and symefasi.sys

    Posted Mar 05, 2015 05:21 AM

    Under policies select Live Update and under LiveUpdate Policies the "LiveUpdate Content" tab. Here you can create a new policy and select which revision of the IPS definitions you want to deploy. After this go to your group with machines and under the Policies tab select "LiveUpdate Content Policy Settings" (under settings). From here you can select the policy you just created to deploy it to that group.


    Since someone mentioned that the IPS definitions from 25.2 solve the problem, I am testing with that revision.



  • 26.  RE: BSOD and symefasi.sys

    Posted Mar 05, 2015 05:45 AM

    What does "IPS definitions from 25.2" mean?



  • 27.  RE: BSOD and symefasi.sys

    Posted Mar 05, 2015 05:49 AM

    Under Intrusion Prevention signatures change the revision of "Client Intrusion Detection System signatures 12.1 RU5" to 02/25/2015 r12.



  • 28.  RE: BSOD and symefasi.sys

    Posted Mar 06, 2015 12:10 AM

    Does this action mean that customers with this setup will not receive future updates that were released after 02/25/2015 r12? After all, if it is "wrong", then if Symantec does not take the errors into account, the situation with BSOD will return.



  • 29.  RE: BSOD and symefasi.sys

    Posted Mar 06, 2015 01:33 AM

    As far as I understand the feature, your server does receive updates. However, as long as you have a policy deployed to the workstations with a specific revision defined instead of the option to always download the latest ones, those machines will not receive updates until you change your policy.



  • 30.  RE: BSOD and symefasi.sys

    Posted Mar 06, 2015 05:39 AM
    You are exactly right. Locking the IPS defs to 25Feb is a short-term workaround, not a long-term solution. Since the fix Symantec released yesterday seems to work for us, we are slowly migrating from the workaround back to the regular defs.


  • 33.  RE: BSOD and symefasi.sys

    Posted Mar 11, 2015 09:39 AM

    Got a response from Symantec Support on my case  № 08338719 Operation system down when network application starts. Error code: 0x1000007E :

    "This is Anup from Symantec Technical Support,

    Yes the issue was with the Liveupdate. and its fixed in the New version of SEP 12.1Ru6.

    There is no problem if you use the older version of SEP ie 12.1.4 however I would suggest when the new version of SEP 12.1.6 comes You can Upgrade to SEP 12.1.6"

    I can only note that on the test computers with the version of SEP 12.1.5337.5000, with updates on 11.03.2015, BSOD does not appear.



  • 34.  RE: BSOD and symefasi.sys

    Posted May 27, 2015 11:43 PM

    Now this issue is fixed in SEPM 12.1.6

    Blue screen error after upgrading SEP

    Fix ID: 3649959

    Symptom: A blue screen occurs with BugCheck 3b on Symantec Endpoint Protection client, which points to a SymEFA component.

    Solution: Fixed a performance issue which caused the blue screen.

    https://support.symantec.com/en_US/article.TECH230...

    Upgrade or migrate to Symantec Endpoint Protection 12.1.6

    https://support.symantec.com/en_US/article.TECH230601.html



  • 35.  RE: BSOD and symefasi.sys

    Posted Jun 16, 2015 11:48 AM

    I am in the same position as you are.. I also try to convince my employer to stop using Symantec products.. The level of kernel hijacking / bugging they do is just horrible... Hope this outdated business model dies soon. Updated software protects you far better from drive by infections than any malware detection kit.
    Targeted attacks won't be blocked by SEP. Would be nice if someone could write some Malware to remove SEP.. CleanWipe.exe is out there!