Endpoint Protection

We have around 50+ workstations with application and device control having BSOD. We removed Application and device control and the problem went away. We have sinces reinstalled with application and device control and the problem is back. We have a directive that we must use this feature so, I could use some help. We are running version 11.0.6100.645. Here is the dumpfile view.

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8053a8f3, The address that the exception occurred at
Arg3: ae64d4c4, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!memmove+33
8053a8f3 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

TRAP_FRAME:  ae64d4c4 -- (.trap 0xffffffffae64d4c4)
ErrCode = 00000000
eax=007200b5 ebx=ae64d59c ecx=0000001c edx=00000003 esi=00720042 edi=ae64d59c
eip=8053a8f3 esp=ae64d538 ebp=ae64d540 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
nt!memmove+0x33:
8053a8f3 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  cscript.exe

LAST_CONTROL_TRANSFER:  from 8052bb37 to 8053a8f3

STACK_TEXT: 
ae64d540 8052bb37 ae64d59c 00720042 00000073 nt!memmove+0x33
ae64d560 b29da1a0 ae64d590 00000073 88557340 nt!RtlAppendUnicodeStringToString+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
ae64dc7c b29d926d c0000001 e1a41840 b2b17799 SysPlant+0x61a0
ae64dd3c 8054164c 012bf60c 001f03ff 00000000 SysPlant+0x526d
ae64dd3c 00000008 012bf60c 001f03ff 00000000 nt!KiFastCallEntry+0xfc
ae64ddac ffffffff 0000003b 0013da30 00000104 0x8
ae64ddb0 00000000 0013da30 00000104 00000000 0xffffffff

STACK_COMMAND:  kb

FOLLOWUP_IP:
SysPlant+61a0
b29da1a0 ??              ???

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  SysPlant+61a0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: SysPlant

IMAGE_NAME:  SysPlant.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4c5b6605

FAILURE_BUCKET_ID:  0x8E_SysPlant+61a0

BUCKET_ID:  0x8E_SysPlant+61a0

Followup: MachineOwner
--------- 

It is best if we get the enginners to look at this. I suggest you open a case with support ASAP. Be prepared to provide the full dump for analysis.

Online - https://mysupport.symantec.com/

Phone - http://www.symantec.com/business/support/contact_techsupp_static.jsp

Thomas is correct ..If you are having BSOD isses with Latest version then there might be conflict with some app..So first thing to do would be to open a support case..

@ Patrick,

This problem was supposed to be fixed in RU6.  Cycletech has the right idea. Open a support ticket.

After several failed attempts to open a ticket on the web I called in and have been waiting for a call back now for a couple of hours... Thanks

This was an issue in 11.0.5 but fixed in RU6, as I had the same issues and upgrading fixed it.

Is this happening when using a certain app or is it random?

Are you running ADC on only these 50 machines or is it on more and only these machines are experiencing issues?

Seems to be random. Looking at event logs indicates it may be happening after LiveUpdate runs. ADC is running on aprox. 75 other machines that don't seem to have the problem.

Can you tell use what ADC rules you currently have enabled and if they're in log or production mode?

Seems fairly straight forward, SysPlant.sys is being invoked via some vbscript to query a device and the failure results in the bugcheck.

If this is easily reproducable I would track down the script to see what code is being executed, should be able to point you in the right direction.

Just my rnadom take after briefly looking at the bugcheck, you have a device that Symantec's current patch level can not properly interface with. If you can find the script that is being executed, post it here, should be able to narrow it down.

If the os is 64bit system You cannot use Application and Device module.

Please uninstall it.

If You cannot do it, run machine in safe mode and change Start value from

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysPlant.

to 4.

Thanks... All are running 32 bit XP Pro SP3

Does not seem to mater if there are any rules enabled. Just having the module in the mix causes the problem.

Hi Patrick please keep us posted on this. I am about the start a deployment of RU6MP1 and also use Application and Device Rule in place which we must have.

I have been through this exact problem with MR4 and earlier version where sysplant.sys would BSOD workstations randomly. The fix was to go to RU5 so we where only hit the workstations affected with RU5. This was because RU6MP1 was about to be released and we thought why not just upgrade all workstations to RU6MP1.  I don't want to go backwards to random BSOD's!!

Uploaded the full system dump to symantec last night. Waiting to hear back from support.

Hi Patrich,

There are some BSOD fixes in the release of RU6MP2 

RU6 MP2 has been released, you may try installing on one of the machine and monitor before installing on other machines.

Thanks.... will try that and let you know.