Endpoint Protection


Security Update 137 causing BSOD


  • 1.  Security Update 137 causing BSOD

    Posted May 09, 2017 08:23 AM

    Hi.

    When we got the Network-Based Protection update yesterday, several servers got a BSOD. It looked like specific servers with heavy network traffic.

    While analyzing a memory dump we could see this was caused by idsvia64.sys, which was included in the latest release update 137 (20170506.025).

    When going back to .021 everything seems stable again.

    Anyone else having similar issues?

     

    / Torsten



  • 2.  RE: Security Update 137 causing BSOD

    Posted May 09, 2017 08:29 AM

    Haven't seen this yet on our assets. What OS's were affected?

    I'd suggest getting a support case open and submitting the dump so they can begin root cause analysis. They may need other advanced logs as well.



  • 3.  RE: Security Update 137 causing BSOD

    Posted May 09, 2017 08:52 AM

    We saw it on Windows 2012 R2 and Windows 2008 R2

     

     



  • 4.  RE: Security Update 137 causing BSOD

    Posted May 09, 2017 08:57 AM

    Same thing here. Also with SEP 14 MP1 and SEP 12.1.7. Rolled back the definitions where possible, some servers were caught in a BSOD boot loop tho'.



  • 5.  RE: Security Update 137 causing BSOD

    Posted May 09, 2017 09:01 AM

    Seems to be related to this update:

    http://www.symantec.com/docs/TECH239793

    In any event, I'd get cases opened with support so they can get on top of this.



  • 6.  RE: Security Update 137 causing BSOD

    Posted May 09, 2017 09:24 AM

    Hi dynamitten and other stakeholders,

    I can confirm that this is an issue that Symantec is currently investigating with high priority.  You may wish to specify an earlier IPS release to use in your environment until the investigation is complete:

    How to Backdate Virus Definitions in Symantec Endpoint Protection Manager
    http://www.symantec.com/docs/TECH102935



  • 7.  RE: Security Update 137 causing BSOD

    Posted May 09, 2017 10:50 AM

    An update is available in this document: please do subscribe!

    Bug Check 0xD1 on Endpoint Protection systems that received the CIDS 16.1.1.50 definitions update
     http://www.symantec.com/docs/TECH240738



  • 8.  RE: Security Update 137 causing BSOD

    Posted May 09, 2017 11:29 AM

    Mick,

    Does Symantec plan to temporarily suspend the global distribution of this content until the issue is resolved?



  • 9.  RE: Security Update 137 causing BSOD

    Posted May 09, 2017 11:40 AM

    I am on a call with support right now; we are seeing it on our SEPM as well as another highly utilized critical system. Both are running 2012 R2. Will update this if/when they figure out how they want me to proceed.



  • 10.  RE: Security Update 137 causing BSOD

    Posted May 10, 2017 05:45 AM

    Hello all,

    Please run LiveUpdate to resolve the issue.  Network and Host Exploit Mitigation definitions of 5/6/17 r26 will contain a rolled-back IPS driver.



  • 11.  RE: Security Update 137 causing BSOD

    Posted May 10, 2017 10:25 AM

    The KB article has been updated:

    http://www.symantec.com/docs/TECH240738



  • 12.  RE: Security Update 137 causing BSOD

    Posted May 11, 2017 04:52 AM

    Hi dynamitten,

    Just a ping to confirm if the currently-available definitions are working with your environment?  Has the BSOD issue been resolved? (This thread is still marked "needs solution.")



  • 13.  RE: Security Update 137 causing BSOD

    Posted May 12, 2017 04:27 AM

    Hello all,

    problems are still existing on our site.



  • 14.  RE: Security Update 137 causing BSOD

    Posted May 12, 2017 05:59 AM

    Hi MJentzsch,

    If you are seeing a BSOD even with the latest IPS signatures, please collect a memory dump and contact Technical Support.  They will be able to help investigate the matter.



  • 15.  RE: Security Update 137 causing BSOD

    Posted May 12, 2017 06:58 AM

    @Mick. Does this mean that a working 16.X IPS definition is pushed out or did Symantec just roll back to 15.x?

     



  • 16.  RE: Security Update 137 causing BSOD

    Posted May 12, 2017 08:16 AM

    This may be relevant:

    Bug Check 0xD1 on Endpoint Protection systems that received the CIDS 15.2.3.14 definitions update
    http://www.symantec.com/docs/TECH240801

     



  • 17.  RE: Security Update 137 causing BSOD

    Posted May 12, 2017 08:18 AM

    It's a rolled back driver.  15.



  • 18.  RE: Security Update 137 causing BSOD

    Posted May 15, 2017 02:19 AM

    Found a problem: when starting line.exe (linepc), Windows 10 Pro will BSOD.

    When checking the dump, it was caused by idsvia64.sys.



  • 19.  RE: Security Update 137 causing BSOD

    Posted May 26, 2017 08:32 AM

    I figured I'd post this here, as I had similar problems but had to roll back SONAR Heuristics to May 03, 2017, not the IPS defs, to prevent the crash. Working with support, they pointed me to the following and I unchecked "Network data that helps Symantec recommend reductions to your organization's network attack surface" and the BSOD stopped.

    The crash occurred when an application residing on the network was invoked at the client.

    Crash with error DRIVER_IRQL_NOT_LESS_OR_EQUAL (IDSVia64.sys) on Endpoint Protection systems
    https://support.symantec.com/en_US/article.TECH240801.html



  • 20.  RE: Security Update 137 causing BSOD

    Posted Jun 05, 2017 01:46 PM

    It's now June 5, I have the same problem.  I've had a case open with little, not useful, ineffective level one support.   Case # 12497699. 

    The product worked for two days last week after an update.  It's broken Version 14.0.1904.

     

    My "level one " rep first off:

    1. Generally denied this was a common issue. (idsvia64.sys)

    2. Had me do all sorts of turn this on/off etc

    3. Had me roll back to version 12 (oh that doesn't work in Windows 10)

    and called me multiple times outside of East coast working hours.

     

    At one point I specifically said "I want a level 2 engineer" and got a "no no I can help you".

     

    The fact that I'm posting this on a public board should indicate just how ineffective my support has been and just how frustrated I am.  Three users thankfully no more who can't run our ERP on their Windows 10 computers since instant  BSOD.

    What I do from here I have no idea..., I can't get someone from Symantec above level one and so far no one has a clue what to do that works and stays working.

    This is an unmitigated disaster from my point of view from my "corporate" anti virus vendor.



  • 21.  RE: Security Update 137 causing BSOD

    Posted Jun 05, 2017 01:53 PM

    14 MP2 came out on Friday (6/2):

    http://www.symantec.com/docs/INFO4375

    There was an update to this specific driver. I can't say it will fix your issue but I guess it's worth a shot at this point since support has been a non-factor.

    Do you have an SE who can get this escalated for you? It's usually not this difficult.



  • 22.  RE: Security Update 137 causing BSOD

    Posted Jun 06, 2017 11:29 AM

    OH my it WAS that difficult with the ticket I mentioned.  I finally opened a new one and am downloading MP2.  What a profound stupid cluster etc for Symantec.  Let's see, your ill-tested product blue screened various win 10 workstations and was at "random" deadlocking my servers.

    Zero quality control would be my analysis of this.  This product (the faults with MP1) should never have hit the field and the fact that it DID and they had hundreds of complaints (it appears) does NOT paint Symantec in anything but an incredibly careless light.

    Hopefully MP2 will fix FIX the issue.  This seriously shakes my confidence in this product.