Endpoint Protection

1st post WOOHOO!

Running SEP 11.0.4014.26 MR4
Added a couple XP64 Bit workstation clients to the manager. Deployed the 64Bit SEP client to the systems. Before deploying the client systems have been stable for over 3 months.
Client installs and the logs look fine. Updates and communication happen between server and client everything looks good for awhile and then it happens BSOD randomly.
Once it starts though I can count on a couple through out the day. I have read many forums and found instances of Vista64 and BSOD.
Tried some of the recommendations of manually installing the client, running live update on the client direct out to the Symantec servers, etc. Problem still continues.

I have removed the units from the manager and uninstalled the 64Bit client software portion. All is as it should have been and the systems are stable again for another week. Decided to install the client again and same BSOD. I have since uninstalled the client for the 3rd time.
Anyone with suggestions? There is no really good BSOD SEP threads or fixes.
Could just be a poor 64Bit application in the end.

The XP 64 Bit systems I have are all patched and updated, etc............

Nerf,

Do you have a crash dump saved from the BSOD? If you dont, save a full dump and then let me know when you have it.

 

JimW

Hi Jim,

I have the last 2 BSOD mini dumps. For full dumps I would have to reinstall SEP again, reconfig dumps and wait for crash again. I can do this if you do not see anything in here.
I have opened the dumps as well. I have 2 dumps that are the consistent crashes when SEP is installed.
Thanks for having a looky......... :-)

How do you attach files to this post? Or do you have a place for me to send them?

Nerf

Since I could not  upload a file I just copied the dumps here.
These are the 2 consistent  dumps following the BSOD each time
.
DUMP NUMBER 1 - Refers to WpsHelper a SEP item I believe.

Use !analyze -v to get detailed debugging information.

BugCheck D1, {fffffade9a5daa64, 2, 0, fffffadf7b47bce2}

Unable to load image WpsHelper.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for WpsHelper.sys
*** ERROR: Module load completed but symbols could not be loaded for WpsHelper.sys
Probably caused by : WpsHelper.sys ( WpsHelper+4ce2 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: fffffade9a5daa64, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffffadf7b47bce2, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: fffffade9a5daa64

CURRENT_IRQL: 2

FAULTING_IP:
WpsHelper+4ce2
fffffadf`7b47bce2 443b08 cmp r9d,dword ptr [rax]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: iexplore.exe

TRAP_FRAME: fffffadf88d45170 -- (.trap 0xfffffadf88d45170)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffade9a5daa64 rbx=0000000000000000 rcx=0000000000000104
rdx=fffffadf994d0824 rsi=0000000000000000 rdi=0000000000000000
rip=fffffadf7b47bce2 rsp=fffffadf88d45308 rbp=fffffadf88d45450
r8=fffffadf9c190568 r9=00000000000001d5 r10=0000000000000104
r11=fffffadf88d45450 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe cy
WpsHelper+0x4ce2:
fffffadf`7b47bce2 443b08 cmp r9d,dword ptr [rax] ds:59c8:fffffade`9a5daa64=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff8000102e5b4 to fffff8000102e890

STACK_TEXT:
fffffadf`88d44fe8 fffff800`0102e5b4 : 00000000`0000000a fffffade`9a5daa64 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffffadf`88d44ff0 fffff800`0102d547 : 00000001`00000001 00000000`33198285 fffffadf`88d45200 fffffadf`00000001 : nt!KiBugCheckDispatch+0x74
fffffadf`88d45170 fffffadf`7b47bce2 : fffffadf`7b47ea90 fffffadf`9c190568 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x207
fffffadf`88d45308 fffffadf`7b47ea90 : fffffadf`9c190568 00000000`00000000 00000000`00000000 fffffadf`9a552690 : WpsHelper+0x4ce2
fffffadf`88d45310 fffffadf`9c190568 : 00000000`00000000 00000000`00000000 fffffadf`9a552690 fffffadf`88d45450 : WpsHelper+0x7a90
fffffadf`88d45318 00000000`00000000 : 00000000`00000000 fffffadf`9a552690 fffffadf`88d45450 fffffadf`7b47c558 : 0xfffffadf`9c190568


STACK_COMMAND: kb

FOLLOWUP_IP:
WpsHelper+4ce2
fffffadf`7b47bce2 443b08 cmp r9d,dword ptr [rax]

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: WpsHelper+4ce2

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: WpsHelper

IMAGE_NAME: WpsHelper.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 49b5dc09

FAILURE_BUCKET_ID: X64_0xD1_WpsHelper+4ce2

BUCKET_ID: X64_0xD1_WpsHelper+4ce2

Followup: MachineOwner
---------

DUMP NUMBER 2 - No reference to any process.

Use !analyze -v to get detailed debugging information.

BugCheck 109, {a3a03a382a53d4fc, 0, 279301ee4cbcde13, 101}

Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )

Followup: MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
2) A developer attempted to set a normal kernel breakpoint using a kernel
debugger that was not attached when the system was booted. Normal breakpoints,
"bp", can only be set if the debugger is attached at boot time. Hardware
breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a3a03a382a53d4fc, Reserved
Arg2: 0000000000000000, Reserved
Arg3: 279301ee4cbcde13, Failure type dependent information
Arg4: 0000000000000101, Type of corrupted region, can be
0 : A generic data region
1 : Modification of a function or .pdata
2 : A processor IDT
3 : A processor GDT
4 : Type 1 process list corruption
5 : Type 2 process list corruption
6 : Debug routine modification
7 : Critical MSR modification

Debugging Details:
------------------


BUGCHECK_STR: 0x109

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: System

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 0000000000000000 to fffff8000102e890

STACK_TEXT:
fffffadf`90a7f838 00000000`00000000 : 00000000`00000109 a3a03a38`2a53d4fc 00000000`00000000 279301ee`4cbcde13 : nt!KeBugCheckEx


STACK_COMMAND: kb

SYMBOL_NAME: ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME: Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP: 0

BUCKET_ID: BAD_STACK

Followup: MachineOwner
---------

So all you dump analysis experts do you have any suggestions?

Thanks
Nerf

Hi Nerf

I went ahead and moved  your thread over from the SEP 12 Small Business Forums. That is a seperate product from SEP 11. You will most likey find quicker answers here to your problems. Thanks.

Grant-