Endpoint Protection

We have a Windows 2008 SP2 (x86) Server with Microsoft Deployment Toolkit installed (MDT 2012).

The server has SEP 12.1.2 installed as its AV protection. When we run the "Update Deployment Share" from within the MDT console, the server bluescreens. This only happens when the "Completely regenerate the boot images" option is selected.

It bluescreens with the following error:

Stop 0x00000044 Multiple_IRP_Complete_Requests

Anaylsing the minidump reveals the following:

Probably caused by : SRTSP.SYS ( SRTSP+6ae9f ) Which is related to the SEP software, it is the Symantec Real Time Storage Protection or something to that effect.

If i remove AV from the server in question, the boot file updates happily and all is well again. No bluescreen.

What is this, why is it happening and how do we fix it without having to leave the AV off the server?

Ive attached the output after analsing the minidump if anyone wants to view it. But what I am after is a reason why this is happening and how it can be resolved?
 

Attachment(s)

Minidump.txt   19 KB 1 version

You will need to open a case with Symantec and provide the dump for them to review. They will need to analyse all of this.

12.1.2 is latest version so this may be a unknown bug or compatibility issue.

Do you only have the AV component installed?

suggest to open a support ticket and pass on the dump to the tech support team.

You should open a case with support and provide a full memory dump

Yes it is just the AV component installed.

I would definitely recommend opening a case so they can look at the dump.

What happens if you exclude the MDT directories?

Im not actually convinced it is scanning the directories to cause the BSOD. I think its a driver conflict somewhere that is causing it, so excluding the directories I dont think will make a difference

I would recommend opening a case with support. You will be asked for a full memory dump so to speed up the troubleshooting process I would configure the server for a full memory dump now then repo the issue . Once you have this dump the assigned TSE can provide you upload instructions.

Case has been opened

Keep us updated.

Will do

Apparently the logs have been analysed, and then passed to an advanced tech, so no idea how long this will be.

Doesnt help now that the case is all online, so have to keep checking it as when they add a note, it doesnt send a message to let me know

Well its now been escaleted from the "Advance" team to whoever is above them!

Ive just tried to catalog a new image in MDT, and its BSOD again. Further still the only way to fix it seemed to be uninstall SEP, Unistall WAIK, then reinstall WAIK and leave SEP off. It all works fine then. Reinistalling SEP causes the BSOD again

They have now asked for a copy of th VM. Its a 100GB VM that they want me to upload so they can reproduce the issue?

Yet if you build one from scratch, the issue is easily reproducable, so why cant they do that? Uploading this will take a ridiculous amount of time

We had to send a desktop because they couldn't reproduce an issue, yet we could on any machine we have here.

Did you get it sorted in the end? Was your issue the same? I'm not holding much hope they will solve it.

I have had to explain to them, from memory, how to build the server and recreate the issue, what software to install and configure etc. Honestly, this is ridiculous!

I can recreate it from scratch by building a new server etc. If i leave off SEP, all is well, as soon as it is put back on, it causes the BSOD again.

The issue is clearly with SEP, no matter what they are going to claim.

My issue is separate from yours but no, still waiting on a resolution.

Dare I ask how long youve been waiting?

The initial issue was found roughly 2 months ago. We have a band-aid workaround but it is not acceptable as it would remove a layer of security on our workstations.

Finally, they said they could not reproduce the issue after we told them how to do it. They requested we send a machine so we built one, reproduced the issue, and sent it off to them. This was two weeks ago.

Not that hopeful of a resolution then. Especially if they are saying they cant reproduce the issue we are having, which is easily reproducable.

We need one otherwise we go in a different direction. So regardless, I expect something even if it is "We don't know"

This is the reply i have received:

Greetings of the day!

I hope you are doing well. Our Development Team has reviewed the Memory Dump File and   informed that this issue is due to File Access Manager (famv4.sys) driver denying our request to get an oplock on pre-fsctl path and causing a filter manager to crash.

We have sent the information to Microsoft filter dev and they are looking at it.

In the meantime, the only recommendation for a workaround for the issue: 

1. Remove famv4.sys

2. Open a ticket with File Access Manager and ask why do they need to deny oplock requests?

3. Also could you please involve VisionWorks to see what is causing the issue, until we get an update from Microsoft.

Please let me know if you have any concerns related to the above process.

So let me start with the minor concerns I have...

1. This file is not on the system, not that we can see anyway and we have hunted everywhere for it.

2 & 3. This is utter bollocks, there is no VisionWorks software installed on this server, we dont and never have used it, not even a trial and certainly not on this system. If they are sure its this phantom driver that is the issue, then wh yare they involving Microsoft? Thats like me involving nPower as to why my SkyTV bill is so high...

I have asked them about their comments, they just skirt round the issue and replied with the following:

This issue is due to File Access Manager (famv4.sys) driver denying our (SEP)request to get an oplock on pre-fsctl path and causing a filter manager to crash. Engineering team has involved Microsoft to take a look into it as well.

We are not saying that Visionworks is causing the issue. The request to involve Visionworks is that they can take a look into this issue and provide a workaround as the you might not like to uninstall the application.

They really havent a clue, this is a complete joke.

Still no reply, this morning we had a users XP machine bluescreen with the same driver causing the issue.

I give in, i really do, Symantec have no idea how to fix it, nor any need to reply, I have been waiting nearly 3 weeks for a reply to my last message and still waiting. Its obviously better for them to lie and hope we accept it as being someone elses problem.

This "support" is pathetic, it really is. so if anyone has any ideas, please pass them on...