Endpoint Protection Small Business Edition

Hi everybody,

I'm having problems with Symantec. I have installed them in computers with Windows 7 but when I try to open a program it give me a Blue Screen. I have tested every component of Symantec (SONAR, AntiSpyware) but the problem is with the Antivirus. When i turn it off, the program works fine but when is on, it crashes always. The only one problem that i have is that BSOD doesn't generates a Dump file.

I tried many things but nothing works.

Please I need a big help :(

Before we're able to help, please could you post the exact version of SEP that is installed on Windows 7? And when was the last time you had the Windows 7 machine updated via Windows Update?

Is this with SEP 14? Or what is the exact version of SEP you're running? What OS?

Attach the BSOD here for review, if you can.

Hi,

Sorry for not answering before. My SEP version is 12.05.0800. The computers are Windows 7 Proffesional SP1.

Here is the BSOD:

Crash Dump Analysis provided by OSR Open Systems Resources, Inc. (http://www.osr.com)
Online Crash Dump Analysis Service
See http://www.osronline.com for more information
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.23569.amd64fre.win7sp1_ldr.161007-0600
Machine Name:
Kernel base = 0xfffff800`02c1f000 PsLoadedModuleList = 0xfffff800`02e61730
Debug session time: Mon Dec  5 11:22:17.530 2016 (UTC - 5:00)
System Uptime: 0 days 0:03:31.732
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY (fc)
An attempt was made to execute non-executable memory.  The guilty driver
is on the stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fffff8a008cce080, Virtual address for the attempted execute.
Arg2: a80000015281d963, PTE contents.
Arg3: fffff88007b14600, (reserved)
Arg4: 0000000000000002, (reserved)

Debugging Details:
------------------

TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0xFC

PROCESS_NAME:  System

CURRENT_IRQL:  0

TRAP_FRAME:  fffff88007b14600 -- (.trap 0xfffff88007b14600)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff8a001145d00 rbx=0000000000000000 rcx=fffffa8006c69d10
rdx=fffff8a008cce080 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8a008cce080 rsp=fffff88007b14798 rbp=0000000000000000
 r8=00000000c00000bb  r9=0000000000000000 r10=fffff88004ac0ac0
r11=fffff88007b147f8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
fffff8a0`08cce080 405d            pop     rbp
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80002d0bf86 to fffff80002c8f400

STACK_TEXT:  
fffff880`07b14498 fffff800`02d0bf86 : 00000000`000000fc fffff8a0`08cce080 a8000001`5281d963 fffff880`07b14600 : nt!KeBugCheckEx
fffff880`07b144a0 fffff800`02c8d52e : 00000000`00000008 fffff8a0`08cce080 00000000`c0000000 fffffa80`06c69c60 : nt! ?? ::FNODOBFM::`string'+0x3b8cc
fffff880`07b14600 fffff8a0`08cce080 : fffff880`01e06c40 fffff880`01e04110 fffffa80`06c95f68 fffffa80`06c95f28 : nt!KiPageFault+0x16e
fffff880`07b14798 fffff880`01e06c40 : fffff880`01e04110 fffffa80`06c95f68 fffffa80`06c95f28 fffffa80`06c95f28 : 0xfffff8a0`08cce080
fffff880`07b147a0 fffff880`01e060d5 : fffffa80`06c69c60 00000000`00000001 fffffa80`09b2d8f0 fffffa80`06d3bdc0 : mup!MupCallSurrogatePrePost+0x120
fffff880`07b14800 fffff880`01e01a60 : fffffa80`06a31b50 00000000`00000004 fffffa80`09b2d8f0 fffffa80`06c69c60 : mup!MupStateMachine+0xc5
fffff880`07b14850 fffff800`02c92dc1 : fffffa80`06a31c6b fffff880`04abf110 00000000`00000000 00000000`00000000 : mup!MupiUncProviderCompletion+0x94
fffff880`07b14890 fffff880`04aa6b81 : 00000000`c00000bb fffffa80`06bccd01 fffffa80`06a31b50 00000000`00000000 : nt!IopfCompleteRequest+0x341
fffff880`07b14980 fffff880`04aa78f1 : fffff880`04ac04a8 fffffa80`0ea159c0 00000000`c00000bb fffffa80`0ea159c0 : rdbss!RxCompleteRequestEx+0x301
fffff880`07b14a60 fffff880`04aab5d2 : fffff880`04ac04a8 00000000`c00000bb fffffa80`0ea159c0 00000000`00000297 : rdbss!RxLowIoCompletionTail+0x125
fffff880`07b14aa0 fffff880`069b1e95 : fffff880`04ac04a8 00000000`c00000bb 00000000`00000080 fffff800`02c50bf1 : rdbss!RxLowIoCompletion+0x82
fffff880`07b14ae0 fffff880`06936084 : fffff880`04ac04a8 00000000`00000080 fffff880`04abf110 fffffa80`00000001 : mrxsmb20!Smb2Fsctl_Finalize+0xc9
fffff880`07b14b10 fffff880`04aa51b1 : fffff880`04ac04a8 fffff880`04ac04a8 00000000`00000001 fffffa80`06b91b98 : mrxsmb!SmbCepFinalizeExchange+0x44
fffff880`07b14b40 fffff800`02f2a236 : fffff880`04ac04a8 fffff880`04ac08f8 fffff880`07b14c00 fffffa80`0e45b000 : rdbss!RxpWorkerThreadDispatcher+0x1a1
fffff880`07b14c00 fffff800`02c80706 : fffff880`03565180 fffffa80`0e45b040 fffff880`0356ffc0 00000000`ffffffff : nt!PspSystemThreadStartup+0x5a
fffff880`07b14c40 00000000`00000000 : fffff880`07b15000 fffff880`07b0f000 fffff880`07b14830 00000000`00000000 : nt!KxStartSystemThread+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP: 
mup!MupCallSurrogatePrePost+120
fffff880`01e06c40 8bf8            mov     edi,eax

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  mup!MupCallSurrogatePrePost+120

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: mup

IMAGE_NAME:  mup.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bc201

FAILURE_BUCKET_ID:  X64_0xFC_mup!MupCallSurrogatePrePost+120

BUCKET_ID:  X64_0xFC_mup!MupCallSurrogatePrePost+120

Followup: MachineOwner
---------

That's a fairly old version of SEP. Have you tried with the latest 12.1.6 MP6 or even SEP 14?

Could you give me a link with a guide about how to do that? I means update 12.0 to 12.1.6 or 14?

You have two choices, you can migrate to the latest version of 12.1 which is 12.1.6 MP6. The migration guide is here:

Upgrade or migrate to Endpoint Protection 12.1.6 - 12.1.6 MP6

SEP 14 came out a little over a month ago and you should have gotten an upgrade email with your new serial number. I would suggest going to this version, if you can. The migration guide is here:

Upgrade or migrate to Endpoint Protection 14 

There is additional info on upgrading to 14 here:

https://www.symantec.com/connect/blogs/upgrading-sep-14-what-you-need-know 

I'm sorry, I think that I gave you a wrong version of SEP and I can't find the current version. Could you tell me where can I find it? >_<

Open your SEP client and go to Help >> About

It will show right along the top.

The only one version that I can see is:

Symantec.cloud - Agent 3.00.01.2705

Symantec.cloud - Endpoint Protection NIS-22.8.0.50

It looks like you're running SEP Small Business version, is that correct? It will tell you on the GUI.

Yes you are right. That version is installed in every PC and I'm having issues with it

Is it specifically one PC or every PC? What program is this BSOD'ing on and have you tried an exception?

Each PC in a specific group. They use a specific program but when they execute it, blue screen appears. If I turn off the antivirus, the program works. If I turn it on the blue screen appears

Try adding this program to the exception list.

I did it. I added every one path to the file and each folder and subfolder. But nothing works. Always blue screen.

Then I would sggest engaging support so they can remotely access a problematic machine and start root cause analysis.

The only one question that I have is:

Why does the blue screen always refer to the network card?

You could also take the immediate action in this technote before going to extremes:

https://support.symantec.com/en_US/article.TECH236370.html

Hope that helps!