Vista and bluescreen

Created: 17 Jan 2008 • Updated: 21 May 2010 | 34 comments
RogerNDI's picture
After rebooting yesterday, all our Vista computers got a bluescreen. Today we are working on this problem.
For a test I just upgraded another computer with Vista and Symantec Corp. ed ver. 10 to SEP 11 MR1, after reboot, this computer also went to bluescreen. Seems to fail at a driver called fltmgr.sys.
 
I might have a solution if others are experiencing the same problem.


UlrikJPS's picture
I have exactly this problem also on my own notebook with Vista. It has bluescreened 3 times now since yesterday. I can't see any pattern yet, when it bluescreens.
Strangely enough, I have not had any reports that other users with Vista, where I upgraded from SAV 10.x to SEP, have experienced bluescreen reboots. Maybe it is some kind of special software that conflicts with SEP - e.g. VPN software...
Which solution have you found?
Marcelo_E_Rey's picture

Hi, I have the same problem... "Blue Screen with FLTMGR.SYS"... any solution to this?

regards.
Marcelo

RogerNDI's picture
I actually have two solutions.
 
1. Remove bios battery and reinsert, funny, but it actually worked on the computers I tried (loading default values or flashing a new bios did not help). Then it seems to be working OK with SEP 11 (for now).
 
2. Start in safe mode, disable all Symantec services (Control Panel, Administrative tools, Services). Restart normally and uninstall SEP 11. I have not tried to reinstall (went back to ver. 10.2 on those computers).
 
Hope this helps you.
RogerNDI's picture
I forgot, yes it is "Blue Screen with FLTMGR.SYS"...  for me too.
UlrikJPS's picture
@RogerNDI:
 
Well, the BIOS-trick is a little bit difficult on a notebook ;-), and if it really fixes the problem, it is very weird, because what does the BIOS have to do with the fltmgr.sys driver?? I wonder what made you take the battery out - this issue?
 
I guess downgrading to v10.x is always a possibility, but I want SEP to work, so if this issue persists, I think I'll call Symantec support.
RogerNDI's picture
I agree, but on my HP laptop the BIOS battery was available and since I was short of any solution I tried it with success. The other computer I tried this on was a Xeon computer with SCSI disk (not SATA as on my laptop) and it worked there too. I got no explanation why.
 
The reason I uninstalled on some was that they were laptops where I could not locate the BIOS battery, and this was the only way to get the computers up and running again.
 
Please let me know if you get a solution from Symantec support.
hpoulsen's picture
Hi, I also have the same problem.. "Blue screen with FLTMGR.SYS" on laptops!!
 
I have never been so busy before I upgraded to SEP :-(
 
regards
Henrik
SHellmueller's picture
I had this one yesterday, and it was ugly.  For me, it only happened on machines that had MR-1, but were not upgrades from the released version of 11.  In other words, our computers that first had "MR-0", then were updated to MR-1 were all fine. 
 
This blue screen was consistent, and it repeated on each machine a handful of times, but then on the nth restart, the machine would actually start normally.
 
This seemed like it might be a definition issue, as it just started happening yesterday, but we weren't able to prove or disprove that. 
 
 



Message Edited by SHellmueller on 01-17-2008 07:01 AM

sedlerj1's picture
We are having the exact same problem on our Vista machines.  It started yesterday for us also.  The install seems to go fine, but after the initial reboot, BSOD. 
 
We are seeing those that had SAV 10.2 on them, and then upgrade to SEP MR1 having the problem.  Today, I created a new install package with all components selected to install, but only applied an anti-virus/anti-spyware policy.  Still blue-screened. 
 
I also installed that same package noted above on a Vista SP1 machine, that did not have any prior version of SAV/SCS on it, and so far, no blue screen.
 
I am going to try the bios battery solution as noted in the other thread. 
Vmax8's picture
SEP 11.0 is the ultimate nightmare for every system admin and user. Being the boss and also "part time" system admin of a small company with 14 workstations my story of today:
Having a presentation with my notebook in front of 14 people at a customer's office and not able to boot, because of a looping BSOD. Restoring the notebook from a backup when back to office.
After reading this thread after dinner at home, realising that the problem is caused by SEP. Remotely rebooting my desktop at the office. Can't log on = looping BSOD. Rushing back to the office at 7pm (left at midnight). Booting all workstations. EVERY workstation can't boot and just shows looping BSOD.
After trying many ways I found the following solution to fix the problem (all workstations are unmanaged installations):
 
Safe boot with networking support.
Log on.
Don't do anything for 15 minutes (probably something is getting pushed to the client)
Download the latest Symantec Intelligent Updater for SEP.
Install it and reboot normally. Sometimes several normal reboots are required until the BSOD disappears.
 
It is very obvious, that this problem was caused by a faulty and poorly tested virus update, which Symantec made available through LiveUpdate.
 
I can't believe what Symantec is doing with us, their customers. After SEP crashed our server two days after installation last November while I was on an overseas trip (downgraded to 10.2 afterwards), now this! In all my 15 years of managing our small network I never came across a product which totally disables every machine without any user interaction.
 
I just hope Symantec publicly admits this problem, explains exactly what happened and how to solve it and assures it will not happen again.
KarbonKopy's picture

I, too, am having the exact same issue. When the Vista machine is booted in safe mode, the solution check comes back and pegs the antivirus as the cause of the blue screen. In order to fix it so far, I've had to do a system restore, then remove SEP from the client and leave it off. I'm not a big fan of leaving these workstations without any antivirus solutions. I'm also not sure what's going on, but it started yesterday and now I'm up to 5 machines affected by the same issue. Can't we get some help here, Symantec?

jrmac's picture
Same issue here as well.  Performed clean installation of Vista Enterprise and SEP 11 MR1.  Reboots with no problems as long as you don't run LiveUpdate.  After running LiveUpdate - Reboot - blue screen.  I have done this three times with the same results.
 
The x64 system installs, runs LiveUpdate, and reboots without issue.
toasale's picture
I had the BSOD's, then I uninstalled; went to Safe Mode and edited the registry in depth; booted and reinstalled (11.0.100.1375) and things are very smooth on a personal unit, with many shutdowns/reboots/Live Updates as "tests". Yes, I did perform a chkdsk /F before booting to install.
 
 
Latitude D620 DuoCore 1.66, 1.5gb DDR2, 80gb HD (7,200rpm), Vista Ultimate (without SP1)
 
HTH (Hope this helps)  :smileyvery-happy:
KarbonKopy's picture

I've tried to manually remove the program via the registry, then install it back using the MR1 version, and it worked fine until the 2nd reboot, where it would blue screen with the same fltmgr.sys error we've all been getting. I'm going to assume that's when it probably pulled its updates from the server. I've had to uninstall the clients from 3 of the 5 machines to get them to stop throwing BSOD's, and holding out hope for a fix asap from Symantec. Anyone had luck with tech support?

skyhawk6's picture
Just thought I'd add that I had the exact problem on a Vista laptop and was able to restore it using system restore off a recovery CD my system came with. For now I am running without the protection. Hopefully they will fix this soon.
rlandrau's picture
I've seen this behavior on HP laptops. Has anyone seen it on another brand???
UlrikJPS's picture
My notebook hit by this problem is an Acer Travelmate 3010WTMi.
I have other Acer and HP notebooks with Vista in the company that don't have this problem, and those have, exactly like mine, been upgraded from SAV 10.x to SEP MR1.
But I need to say that my notebook, until now, has not bluescreened today....
Ditrik's picture
Got a similar problem, the only Vista PC we have is the one from where I manage the network and a few days ago it developed bluescreens after updating to SEP 11 MR1. Got BSOD over and over again at reboot. It took me a little while to pin it down. Just to be sure I did a complete reinstall of Vista, everything went smooth till I redeployed the SEP client. And then Bingo, BSOD again. Can just think one thing, thank god not all our PCs run on Vista yet...
 
PC runs fine again after removing the SEP client, though I doubt that will be much of an option for many.
 
skyhawk6's picture
My laptop is a Toshiba Satellite A215-S7428. Like I said before, once I rolled back to the day before I installed 11.0 the notebook has been fine. It seems like it's a bad definition file maybe? I used it for about 5 days with 11.0 running and I had no problems for those 5 days.
 
 
KarbonKopy's picture

I have to admit I'm afraid to reboot ANY of the Vista machines on my network right now with SEP MR1 installed. I'm going to go ahead and reboot one of my problem machines, see what it does, and post back. I would hope by now that someone would have gotten a solution from support or a Symantec forum mod would stop by and maybe post about the issue?

jrmac's picture
I find the lack of response from Symantec curious.  Also, there wasn't a definition released yesterday.  Hmmm....
KarbonKopy's picture

Just came back and saw indeed, as you said jrmac, they did not release an update??? I guess one more day of dealing with BSOD Vista machines......

jrmac's picture
It appears that a new definition update has been released.
 
Has anybody tested to see if this fixes the problem yet?




Message Edited by jrmac on 01-18-2008 09:36 AM

Paul Murgatroyd's picture
We released an updated engine in the definitions earlier this week, unfortunately in a small number of cases this caused Windows Vista to become unstable when running Symantec Endpoint Protection.
 
We have just released updated definitions with a new engine that should fix this problem - the definition release was delayed because of this and to solve some technical issues that occurred during testing.
 
For your reference, the new engine files will show version number 20071.4.1.10.  The scan engine version identified in the User Interface will continue to show as 71.4.0.15.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

KarbonKopy's picture

Great news Paul! Looked like the server just pulled in some new def files and it's filtered to the clients. For the life of me I can't find where to check the engine version numbers...is it server side or client side? I know I have before but am totally blanking on the answer...anyone?

jrmac's picture
Thanks for the update Paul.  The problem seems to be fixed now.
Paul Murgatroyd's picture
SEP no longer shows the "Scan Engine" version as the Scan Engine is actually a combination of the other engines listed in the Troubleshooting\Versions tab.
 
The correct versions for the updated definitions are as follows:
 
Sequence Number: 77625

NAVCE Version: 100118g

Extended Version: 1/18/2008 rev. 7

Just received this too:

Update: Eraser Engine update - 01/18/07

Symantec has released an Eraser Engine update today, January 18th US Pacific Time. This update replaces a planned AV Engine update that was announced in a previous Platinum Bulletin. It addresses an issue seen by some customers using Symantec Endpoint Protection 11 on Windows Vista which in rare circumstances could cause the system to become unstable. Following this update, the AV Engine and Eraser will have the following versions:

naveng32.dll: 71.4.0.23

ccEraser.dll: 107.4.1.2

hth

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint
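
One way to confirm that a machine has picked up the engine files listed in the post above, added here as an example and not Symantec's own tooling. The search directories are assumptions to adjust for your install, and treating "at least the quoted version" as fixed is also an assumption.

```powershell
# Added example (not Symantec tooling): report whether the engine files named in
# the post are at the versions it quotes. PowerShell 2.0 compatible.
param(
    # Assumption: directories to search; point these at the folders where your
    # SEP install keeps its engine and definition files.
    [string[]]$SearchRoot = @($env:ProgramFiles, $env:CommonProgramFiles, $env:ProgramData)
)

# File names and versions as quoted in the post above.
$expected = @{
    'naveng32.dll' = [version]'71.4.0.23'
    'ccEraser.dll' = [version]'107.4.1.2'
}

function Get-NumericFileVersion([System.IO.FileInfo]$File) {
    # Use the numeric parts: the FileVersion string may contain commas or
    # extra text and cannot always be cast to [version].
    $vi = $File.VersionInfo
    New-Object System.Version -ArgumentList @(
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

$roots = @($SearchRoot | Where-Object { $_ -and (Test-Path $_) })
$results = foreach ($name in $expected.Keys) {
    $found = @()
    if ($roots.Count -gt 0) {
        $found = @(Get-ChildItem -Path $roots -Filter $name -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer })
    }
    if ($found.Count -eq 0) {
        New-Object PSObject -Property @{ File = $name; Version = $null; Expected = $expected[$name]; Status = 'NOT FOUND'; Path = '' }
        continue
    }
    foreach ($f in $found) {
        # Numeric comparison: as strings, 71.4.0.9 would sort above 71.4.0.23.
        $v = Get-NumericFileVersion $f
        $status = 'OLDER'
        if ($v -ge $expected[$name]) { $status = 'OK' }
        New-Object PSObject -Property @{ File = $name; Version = $v; Expected = $expected[$name]; Status = $status; Path = $f.FullName }
    }
}

$results | Sort-Object File, Path | Format-Table File, Version, Expected, Status, Path -AutoSize
# Non-zero exit code lets a deployment tool flag machines still on an older engine.
if (@($results | Where-Object { $_.Status -ne 'OK' }).Count -gt 0) { exit 1 }
```

Every copy of each file found under the search roots is reported, so an older copy left behind in a previous definitions folder shows up as OLDER alongside the current one.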

skyhawk6's picture
I have reinstalled SEP. Good news is no more BSOD's however on the status page I get an indication that everything is okay but by the Definitions remark I get nothing under the Antivirus and Antispyware Protection. Additionally, under the proactive threat protection I get "Waiting for updates". I did a live update but no joy. Rebooted a few times and still looks the same. Under the Network Threat Protection the definition is Wednesday January 16 2008 r2
 
Anyone else have this?
 
toasale's picture
Wondering if the "r" means "release"?  :smileyhappy:
guidoelia's picture
A thing I learned since many years with Symantec antivirus.
Don't upgrade versions !
Remove the old, reboot,install the new.
I know is a pita
hamiltonguy's picture

Hi All,
This appears to be happening now at my workplace.  Aug 19 2009 - 10 computers - all running Vista SP1/SP2 are experiencing this issue today.  No other updates have been applied recently.  Appears to blue screen with FLTMGR.sys, rebooting seems to fix the issue temporarily.  Using SEP11.

11.0.4000.2295

Another bad definition.  Can someone from Symantec investigate?

hamiltonguy's picture

Hi All,
My mistake, we have narrowed down the issue as follows - Vista clients running SEP 11 11.0.1000.1375.  Vista users that are using 11.0.4000.2295 seem to be fine.

CYC's picture

Hi Hamiltonguy,

This also happened to us just this morning on the Vista machines...FLTMGR.SYS bluescreen.  I was able to fix this by booting into safe mode, then disabling all the Symantec services and putting them into the "manual" mode.

Then, I was able to boot normally into Windows and restarted each of the Symantec services manually.  Luckily, the PC didn't crash.  I then ran the Symantec Update, it then downloaded and installed "new software".  After that, I put the services back into automatic mode and rebooted a couple of times without any problems.

The PC's had version 11.0.1000...