Endpoint Protection

  • 1.  Bluescreen when starting Firefox or Internet Explorer.

    Posted Apr 15, 2010 10:15 AM

    Since today we have a few Windows XP Pro SP3 machines that get a bluescreen when they start Internet Explorer or Firefox.

    I already tried disabling all add-ons, starting Firefox in safe mode or iexplore /extoff, and deleting the whole cache, but it was always the same: BSOD. Only when I uninstall SEP and Live Update does it not appear.

    Here is the Crash Dump:


    ========================================================================================= 


     

    Microsoft (R) Windows Debugger Version 6.4.0007.2

    Copyright (c) Microsoft Corporation. All rights reserved.

     

    Loading Dump File [D:\admin\Malte\temp\HansBert_Mini041510-01.dmp]

    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols

    Executable search path is:

    Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible

    Product: WinNt, suite: TerminalServer SingleUserTS

    Built by: 2600.xpsp_sp3_gdr.091208-2036

    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720

    Debug session time: Thu Apr 15 11:48:04.748 2010 (GMT+2)

    System Uptime: 0 days 0:08:37.406

    Loading Kernel Symbols

    .......................................................................................................................................................

    Loading unloaded module list

    ..........

    Loading User Symbols

    Unable to load image usbaieiu.sys, Win32 error 2

    *** WARNING: Unable to verify timestamp for usbaieiu.sys

    *** ERROR: Module load completed but symbols could not be loaded for usbaieiu.sys

    *******************************************************************************

    * *

    * Bugcheck Analysis *

    * *

    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 1000008E, {c0000005, 0, b43a5664, 0}

    Unable to load image SysPlant.sys, Win32 error 2

    *** WARNING: Unable to verify timestamp for SysPlant.sys

    *** ERROR: Module load completed but symbols could not be loaded for SysPlant.sys

    Probably caused by : usbaieiu.sys ( usbaieiu+10f8 )

    Followup: MachineOwner

    ---------

    0: kd> !analyze -v

    *******************************************************************************

    * *

    * Bugcheck Analysis *

    * *

    *******************************************************************************

    KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)

    This is a very common bugcheck. Usually the exception address pinpoints

    the driver/function that caused the problem. Always note this address

    as well as the link date of the driver/image that contains this address.

    Some common problems are exception code 0x80000003. This means a hard

    coded breakpoint or assertion was hit, but this system was booted

    /NODEBUG. This is not supposed to happen as developers should never have

    hardcoded breakpoints in retail code, but ...

    If this happens, make sure a debugger gets connected, and the

    system is booted /DEBUG. This will let us see why this breakpoint is

    happening.

    Arguments:

    Arg1: c0000005, The exception code that was not handled

    Arg2: 00000000, The address that the exception occurred at

    Arg3: b43a5664, Trap Frame

    Arg4: 00000000

    Debugging Details:

    ------------------

     

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in "0x%08lx" verweist auf Speicher in "0x%08lx". Der Vorgang "%s" konnte nicht auf dem Speicher durchgeführt werden.

    FAULTING_IP:

    +0

    00000000 ?? ???

    TRAP_FRAME: b43a5664 -- (.trap ffffffffb43a5664)

    ErrCode = 00000010

    eax=00000000 ebx=804fff30 ecx=83130001 edx=83120000 esi=00000000 edi=00000000

    eip=00000000 esp=b43a56d8 ebp=b43a5738 iopl=0 nv up ei pl zr na po nc

    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246

    00000000 ?? ???

    Resetting default scope

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0x8E

    LAST_CONTROL_TRANSFER: from b74e40f8 to 00000000

    STACK_TEXT:

    b43a56d4 b74e40f8 000009a8 00000001 00000000 0x0

    WARNING: Stack unwind information not available. Following frames may be wrong.

    b43a5738 b74e8a67 00000cf4 036e7669 e19d7970 usbaieiu+0x10f8

    b43a5aa0 805d047f 00001694 00000cf4 00000001 usbaieiu+0x5a67

    b43a5be4 805d10de 031bf640 001f03ff 00000000 nt!PspCreateThread+0x3a7

    b43a5c5c b74aa8b0 031bf640 001f03ff 00000000 nt!NtCreateThread+0xfc

    b43a5d10 8aae9d1e e3df6c30 031bf640 001f03ff SysPlant+0x48b0

    b43a5d3c 8054163c 031bf640 001f03ff 00000000 0x8aae9d1e

    b43a5d3c 7c91e514 031bf640 001f03ff 00000000 nt!KiFastCallEntry+0xfc

    031bf26c 00000000 00000000 00000000 00000000 0x7c91e514

     

    FOLLOWUP_IP:

    usbaieiu+10f8

    b74e40f8 ?? ???

    SYMBOL_STACK_INDEX: 1

    FOLLOWUP_NAME: MachineOwner

    SYMBOL_NAME: usbaieiu+10f8

    MODULE_NAME: usbaieiu

    IMAGE_NAME: usbaieiu.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 4bbed378

    STACK_COMMAND: .trap ffffffffb43a5664 ; kb

    FAILURE_BUCKET_ID: 0x8E_usbaieiu+10f8

    BUCKET_ID: 0x8E_usbaieiu+10f8

    Followup: MachineOwner

    ---------

    ========================================================================================= 



    Any help would be nice.

    Best Regards
    Malte

     

     



  • 2.  RE: Bluescreen when starting Firefox or Internet Explorer.
    Best Answer

    Posted Apr 15, 2010 11:02 AM

    I saw a reference to sysplant.sys in your log.  We had some bluescreens for this too.  It's related to the Application and Device Control Policy in SEP.  If you withdraw the policy from the SEPM it goes away.  Or just on one or two clients, you could disable Network Threat Protection (right click the System Tray icon, and choose Disable Network Threat Protection) and the problem should go away.

    I believe your version of SEP was 11.0 RU5.  Earlier versions or the most recent one that was released yesterday, 11.0 RU6, should fix this, so that you can have the Application and Device Control policy enabled for clients without it causing these same blue screens.  It all has to do with the base memory address for the Sysplant.sys driver.

    Hope this helps.
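
Added example (not part of the original posts and not Symantec or Microsoft code): the Python below parses the STACK_TEXT frames from the dump in post 1 and lists the non-kernel modules on the faulting call path, which is how the sysplant.sys reference mentioned above can be picked out of the log. The function names and the choice of `nt` and `hal` as "kernel" modules are assumptions made for this illustration.

```python
import re

# STACK_TEXT lines copied from the crash dump in post 1.
STACK_TEXT = """\
b43a56d4 b74e40f8 000009a8 00000001 00000000 0x0
WARNING: Stack unwind information not available. Following frames may be wrong.
b43a5738 b74e8a67 00000cf4 036e7669 e19d7970 usbaieiu+0x10f8
b43a5aa0 805d047f 00001694 00000cf4 00000001 usbaieiu+0x5a67
b43a5be4 805d10de 031bf640 001f03ff 00000000 nt!PspCreateThread+0x3a7
b43a5c5c b74aa8b0 031bf640 001f03ff 00000000 nt!NtCreateThread+0xfc
b43a5d10 8aae9d1e e3df6c30 031bf640 001f03ff SysPlant+0x48b0
b43a5d3c 8054163c 031bf640 001f03ff 00000000 0x8aae9d1e
b43a5d3c 7c91e514 031bf640 001f03ff 00000000 nt!KiFastCallEntry+0xfc
031bf26c 00000000 00000000 00000000 00000000 0x7c91e514
"""

# A frame line: ChildEBP, RetAddr, three argument dwords, then the call site.
FRAME = re.compile(r"^(?:[0-9a-f]{8}\s+){5}(\S+)$")


def parse_frames(text):
    """Return (module, symbol, offset) per frame; module is None for raw addresses."""
    frames = []
    for line in text.splitlines():
        match = FRAME.match(line.strip())
        if not match:
            continue  # skips debugger warnings and blank lines
        site = match.group(1)
        if site.startswith("0x"):
            frames.append((None, None, int(site, 16)))
            continue
        location, _, offset = site.partition("+")
        module, _, symbol = location.partition("!")
        frames.append((module, symbol or None, int(offset, 16) if offset else 0))
    return frames


def non_kernel_modules(frames, kernel=("nt", "hal")):
    """Modules on the stack other than the kernel itself, top of stack first."""
    seen = []
    for module, _, _ in frames:
        if module and module.lower() not in kernel and module not in seen:
            seen.append(module)
    return seen


if __name__ == "__main__":
    for module in non_kernel_modules(parse_frames(STACK_TEXT)):
        print(module)
```
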



  • 3.  RE: Bluescreen when starting Firefox or Internet Explorer.

    Posted Apr 15, 2010 11:04 AM


  • 4.  RE: Bluescreen when starting Firefox or Internet Explorer.

    Posted Apr 15, 2010 11:05 AM
    Hello,
    Which version do you use? Did you install threat proactive technology and network threat technology or only antivirus and antispy?

    Best Regards.
    Fatih


  • 5.  RE: Bluescreen when starting Firefox or Internet Explorer.

    Posted Apr 15, 2010 11:13 AM

    The latest version of Symantec endpoint has fixes to the mentioned issue. In case you are using the old version you can download the latest version from

    https://fileconnect.symantec.com/licenselogin.jsp?localeStr=en_US


  • 6.  RE: Bluescreen when starting Firefox or Internet Explorer.

    Posted Apr 15, 2010 11:34 AM

    Hi blenahanm
    Thanks for your response. Unfortunately I cannot test it right now but I will do it tomorrow.
    Currently we have an application control policy in test-mode but I think test-mode or not doesn't matter in this case, right?

    The involved machines use the 11.0.4202.75 Client Version and have all features: Antivirus and Antispyware Protection, Proactive Threat Protection and Network Threat Protection



    Malte
     



  • 7.  RE: Bluescreen when starting Firefox or Internet Explorer.

    Posted Apr 15, 2010 12:08 PM
    Thanks to all.

    RU6 is downloaded and I will install it today in the evening.
    I will give you an update tomorrow on whether it has been fixed with RU6.


    Malte


  • 8.  RE: Bluescreen when starting Firefox or Internet Explorer.

    Posted Apr 16, 2010 04:50 AM
    Withdrawing the policy fixed the issue.
    Thanks a lot.


  • 9.  RE: Bluescreen when starting Firefox or Internet Explorer.

    Posted Apr 16, 2010 09:47 AM
    Did you have this problem even after upgrading to RU6?  RU6 is supposed to address the problem with App & Device Control Policy, so I am just wondering if it did.