Video Screencast Help

BSOD SEP 11.0.5 + Windows 7 x64 RTM Ultimate

Created: 19 Nov 2009 • Updated: 21 May 2010 | 3 comments

My laptop just BSOD at teefer2.sys.  Very disconcerting.  Here is the !analyze -v

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffffa800ab53a58, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff88003e3c55c, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------

Unable to open image file: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntkrnlmp.exe\4A5BC6005dd000\ntkrnlmp.exe
The system cannot find the file specified.

READ_ADDRESS:  fffffa800ab53a58 Nonpaged pool

FAULTING_IP:
teefer2+555c
fffff880`03e3c55c 488b9b88010000  mov     rbx,qword ptr [rbx+188h]

MM_INTERNAL_CODE:  0

IMAGE_NAME:  teefer2.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4a0b1ec0

MODULE_NAME: teefer2

FAULTING_MODULE: fffff88003e37000 teefer2

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  System

CURRENT_IRQL:  1

TRAP_FRAME:  fffff88002e73ae0 -- (.trap 0xfffff88002e73ae0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000015
rdx=fffff88003e46f4c rsi=0000000000000000 rdi=0000000000000000
rip=fffff88003e3c55c rsp=fffff88002e73c70 rbp=0000000000000080
 r8=000000000000005c  r9=fffff88003e5849d r10=00000000000003cb
r11=0000000000000042 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
teefer2+0x555c:
fffff880`03e3c55c 488b9b88010000  mov     rbx,qword ptr [rbx+188h] ds:6a04:0188=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800031061e4 to fffff80003086f00

STACK_TEXT: 
fffff880`02e73978 fffff800`031061e4 : 00000000`00000050 fffffa80`0ab53a58 00000000`00000000 fffff880`02e73ae0 : nt!KeBugCheckEx
fffff880`02e73980 fffff800`03084fee : 00000000`00000000 fffffa80`0ab538d0 fffffa80`0abbe000 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x42907
fffff880`02e73ae0 fffff880`03e3c55c : fffff880`03e46ed3 fffffa80`0ab538d0 00000000`00000080 fffff880`03e594e0 : nt!KiPageFault+0x16e
fffff880`02e73c70 fffff880`03e3c680 : fffff880`00000000 fffffa80`05903980 00000000`00000001 00000000`0001118e : teefer2+0x555c
fffff880`02e73ca0 fffff880`03e3c78c : 00000000`0001118e fffffa80`05572000 ffffffff`ff85ee00 00000000`00000080 : teefer2+0x5680
fffff880`02e73cd0 fffff800`0332a166 : 00000000`00000001 fffffa80`056154d0 00000000`00000080 fffffa80`056154d0 : teefer2+0x578c
fffff880`02e73d00 fffff800`03065486 : fffff880`009e9180 fffffa80`056154d0 fffffa80`054aca60 fffff880`0121ea90 : nt!PspSystemThreadStartup+0x5a
fffff880`02e73d40 00000000`00000000 : fffff880`02e74000 fffff880`02e6e000 fffff880`02e73650 00000000`00000000 : nt!KxStartSystemThread+0x16

STACK_COMMAND:  kb

FOLLOWUP_IP:
teefer2+555c
fffff880`03e3c55c 488b9b88010000  mov     rbx,qword ptr [rbx+188h]

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  teefer2+555c

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  X64_0x50_teefer2+555c

BUCKET_ID:  X64_0x50_teefer2+555c

Followup: MachineOwner
---------

if anyone at Symantec wants the dump I'll be happy to upload it.

If anyone has any suggestions on how to avoid this let me know.
 

Comments 3 CommentsJump to latest comment

Rafeeq's picture

the problem seems to be with the firewall component driver called teefer2 driver
open add /remove programs.
click on symantec endpoint protection
click on change
click on modify
uncheck network threat protection , (select the option this features will not be installed)
click on next
complete the install
check if the issue still persists.

Ropati's picture

Rafeeq

Thanks for the reply. 

I knew it was with the network threat protection module.  I had already gone round and round with teefer2 not working with SEP 11.4 and finished with uninstalling SEP-NTP on 11.4.  I was hoping 11.5 was fixed.  Guess not.    I've uninstalled it again. 

Maybe someone at Symantec could update this when they have a working NTP module with Window 7 x64. 

I'm also wondering if the same problem exists with SEP 11.5 and W2K8R2 ( which should have the same memory management and TCP/IP stack as Win7).  Should I uninstall NTP from my W2K8R2 dev servers just to be safe?

Rafeeq's picture

Please uninstall NTP till we narrow down to the problem or the root cause of the issue;.
Awaitng MU5 MP1 soon :)