Endpoint Protection

  • 1.  Bluescreen SYMEVENT.SYS

    Posted May 02, 2012 04:39 AM

    Hello everyone,

     

    On our TS (with W2K3 Enterprise) we are seeing sporadic reboots with the following bluescreen/bugcheck:
     

    *******************************************************************************

    *                                                                             *

    *                        Bugcheck Analysis                                    *

    *                                                                             *

    *******************************************************************************

     

    KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)

    This is a very common bugcheck.  Usually the exception address pinpoints

    the driver/function that caused the problem.  Always note this address

    as well as the link date of the driver/image that contains this address.

    Some common problems are exception code 0x80000003.  This means a hard

    coded breakpoint or assertion was hit, but this system was booted

    /NODEBUG.  This is not supposed to happen as developers should never have

    hardcoded breakpoints in retail code, but ...

    If this happens, make sure a debugger gets connected, and the

    system is booted /DEBUG.  This will let us see why this breakpoint is

    happening.

    Arguments:

    Arg1: c0000005, The exception code that was not handled

    Arg2: bf8a247e, The address that the exception occurred at

    Arg3: f2e54a90, Trap Frame

    Arg4: 00000000

     

    Debugging Details:

    ------------------

     

    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.

     

    *************************************************************************

    ***                                                                   ***

    ***                                                                   ***

    ***    Your debugger is not using the correct symbols                 ***

    ***                                                                   ***

    ***    In order for this command to work properly, your symbol path   ***

    ***    must point to .pdb files that have full type information.      ***

    ***                                                                   ***

    ***    Certain .pdb files (such as the public OS symbols) do not      ***

    ***    contain the required information.  Contact the group that      ***

    ***    provided you with these symbols if you need this command to    ***

    ***    work.                                                          ***

    ***                                                                   ***

    ***    Type referenced: nt!_KPRCB                                     ***

    ***                                                                   ***

    *************************************************************************

    *************************************************************************

    ***                                                                   ***

    ***                                                                   ***

    ***    Your debugger is not using the correct symbols                 ***

    ***                                                                   ***

    ***    In order for this command to work properly, your symbol path   ***

    ***    must point to .pdb files that have full type information.      ***

    ***                                                                   ***

    ***    Certain .pdb files (such as the public OS symbols) do not      ***

    ***    contain the required information.  Contact the group that      ***

    ***    provided you with these symbols if you need this command to    ***

    ***    work.                                                          ***

    ***                                                                   ***

    ***    Type referenced: nt!_KPRCB                                     ***

    ***                                                                   ***

    *************************************************************************

     

    FAULTING_MODULE: 80800000 nt

     

    DEBUG_FLR_IMAGE_TIMESTAMP:  4bc7bdeb

     

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in "0x%08lx" verweist auf Speicher in "0x%08lx". Der Vorgang  "%s" konnte nicht auf dem Speicher durchgeführt werden.

     

    FAULTING_IP:

    win32k+a247e

    bf8a247e f6461e40         test    byte ptr [esi+0x1e],0x40

     

    TRAP_FRAME:  f2e54a90 -- (.trap fffffffff2e54a90)

    ErrCode = 00000000

    eax=00000001 ebx=00000000 ecx=0000029d edx=00000001 esi=00000000 edi=bbb69dc0

    eip=bf8a247e esp=f2e54b04 ebp=f2e54b1c iopl=0         nv up ei ng nz na po nc

    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286

    win32k+0xa247e:

    bf8a247e f6461e40         test   byte ptr [esi+0x1e],0x40 ds:0023:0000001e=??

    Resetting default scope

     

    DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

     

    BUGCHECK_STR:  0x8E

     

    LAST_CONTROL_TRANSFER:  from bf84a565 to bf8a247e

     

    STACK_TEXT: 

    WARNING: Stack unwind information not available. Following frames may be wrong.

    f2e54b1c bf84a565 00000000 bbb69dc0 00000000 win32k+0xa247e

    f2e54b78 bf83c7cd 00000000 f2e54be0 bf8b7f60 win32k+0x4a565

    f2e54b84 bf8b7f60 bd915088 bbc29c98 bbc29c18 win32k+0x3c7cd

    f2e54be0 bf8b6bb6 00000001 f2e54c08 bf8b7a13 win32k+0xb7f60

    f2e54bec bf8b7a13 8c29bb10 00000001 00000000 win32k+0xb6bb6

    f2e54c08 8094c3d2 8c29bb10 00000001 8c29bb10 win32k+0xb7a13

    f2e54c94 8094c765 00000000 00000000 8c29bb10 nt+0x14c3d2

    f2e54cac 8094cab7 8c29bb10 00000000 00000001 nt+0x14c765

    f2e54cd0 f6a786d9 fffffffe 00000000 8ce4ba60 nt+0x14cab7

    f2e54d40 8ce4ba7e e5042f68 fffffffe 00000000 SYMEVENT+0x146d9

    f2e54d54 808897ec fffffffe 00000000 00f9ffdc 0x8ce4ba7e

    f2e54d64 7c94845c badb0d00 00f9ffd4 00000000 nt+0x897ec

    00f9ffdc 00000000 00000000 00000000 00000000 0x7c94845c

     

     

    FOLLOWUP_IP:

    SYMEVENT+146d9

    f6a786d9 ??               ???

     

    SYMBOL_STACK_INDEX:  9

     

    FOLLOWUP_NAME:  MachineOwner

     

    SYMBOL_NAME:  SYMEVENT+146d9

     

    MODULE_NAME:  SYMEVENT

     

    IMAGE_NAME:  SYMEVENT.SYS

     

    STACK_COMMAND:  .trap fffffffff2e54a90 ; kb

     

    BUCKET_ID:  WRONG_SYMBOLS

     

    Followup: MachineOwner

    ---------

    Does anyone know this problem or a solution?

     

    Kind regards

    IT-RE


     



  • 2.  RE: Bluescreen SYMEVENT.SYS

    Broadcom Employee
    Posted May 02, 2012 05:47 AM

    What is the SEP client version?

    Can you try upgrading symevent.sys?

    Updating Symevent files for Symantec Endpoint Protection 11.x client

    http://www.symantec.com/docs/TECH94742

    If the issue still exists, open a ticket with support.

     



  • 3.  RE: Bluescreen SYMEVENT.SYS

    Trusted Advisor
    Posted May 02, 2012 07:26 AM

    Hello,

    I agree with Pete's advice above.

    This is a known problem in the Server Operating System's Win32k.sys driver.

    Please see Microsoft's Technet article blogs.technet.com/b/dip/archive/2011/10/12/win2003sp2-stop-0x8e-in-win32k-xxxredrawwindow-0x4c.aspx for information.

    The Technet article links to Security Update MS11-077 which contains a fix for this problem. See: support.microsoft.com/kb/2567053

    Reference:

    Blue Screen of Death (BSOD) Crash with STOP Error 0x8E After Installing Symantec Endpoint Protection

    http://www.symantec.com/docs/TECH181336

    and a similar thread:

    https://www-secure.symantec.com/connect/forums/symeventsys-stop-error-0x7f-windows-server-2003

    Hope that helps!!
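A triage sketch for the dump in post 1, added here as an example and not written by any participant in this thread: it separates the module that actually faulted from the module the analysis names for follow-up, and marks that attribution as unreliable when the bucket is WRONG_SYMBOLS. The `triage` function and its field names are assumptions of this example; the input is an excerpt of the posted output.

```python
import re

# Excerpt of the analysis output from post 1 (values as posted, other lines omitted).
DUMP = """\
Arg1: c0000005, The exception code that was not handled
bf8a247e f6461e40         test   byte ptr [esi+0x1e],0x40 ds:0023:0000001e=??
f2e54b1c bf84a565 00000000 bbb69dc0 00000000 win32k+0xa247e
f2e54b78 bf83c7cd 00000000 f2e54be0 bf8b7f60 win32k+0x4a565
f2e54b84 bf8b7f60 bd915088 bbc29c98 bbc29c18 win32k+0x3c7cd
f2e54be0 bf8b6bb6 00000001 f2e54c08 bf8b7a13 win32k+0xb7f60
f2e54bec bf8b7a13 8c29bb10 00000001 00000000 win32k+0xb6bb6
f2e54c08 8094c3d2 8c29bb10 00000001 8c29bb10 win32k+0xb7a13
f2e54c94 8094c765 00000000 00000000 8c29bb10 nt+0x14c3d2
f2e54cac 8094cab7 8c29bb10 00000000 00000001 nt+0x14c765
f2e54cd0 f6a786d9 fffffffe 00000000 8ce4ba60 nt+0x14cab7
f2e54d40 8ce4ba7e e5042f68 fffffffe 00000000 SYMEVENT+0x146d9
f2e54d54 808897ec fffffffe 00000000 00f9ffdc 0x8ce4ba7e
f2e54d64 7c94845c badb0d00 00f9ffd4 00000000 nt+0x897ec
00f9ffdc 00000000 00000000 00000000 00000000 0x7c94845c
MODULE_NAME:  SYMEVENT
BUCKET_ID:  WRONG_SYMBOLS
"""

# A STACK_TEXT frame: child EBP, return address, three args, then module+offset.
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)$", re.M)

def triage(text):
    def field(name):
        return re.search(rf"^{name}:\s+(\S+)", text, re.M).group(1)
    modules = [sym.split("+")[0] for sym in FRAME.findall(text)]
    # Address touched by the faulting instruction ("ds:0023:0000001e=??").
    addr = int(re.search(r"ds:[0-9a-f]{4}:([0-9a-f]{8})=\?\?", text).group(1), 16)
    blamed = field("MODULE_NAME")
    return {
        "exception": field("Arg1").rstrip(","),
        "faulting_module": modules[0],   # frame 0 holds the faulting IP
        "near_null_access": addr < 0x10000,
        "blamed_module": blamed,
        "blamed_frame": modules.index(blamed),
        # Attribution is only trusted with good symbols and when it matches frame 0.
        "blame_reliable": field("BUCKET_ID") != "WRONG_SYMBOLS"
                          and blamed == modules[0],
    }

if __name__ == "__main__":
    for key, value in triage(DUMP).items():
        print(f"{key:18} {value}")
```

On the posted dump this reports win32k as the faulting module with an access at 0x1e (esi is zero), while SYMEVENT only appears at frame 9.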



  • 4.  RE: Bluescreen SYMEVENT.SYS

    Posted May 02, 2012 07:52 AM

    Hello,

    Many thanks for your suggestions.

    I've already installed the Microsoft Hotfix (kb2567053).

    Tonight I will upgrade symevent.sys through our software distribution and watch for crashes over the next few days. Hope that's the cause.

    I will report the solution if I have it.

    Thank you...

     



  • 5.  RE: Bluescreen SYMEVENT.SYS

    Posted May 07, 2012 01:51 AM

    Good Morning,

    Any other ideas? We are still having crashes...
    The client version is 11.0.6200.754.

    Thanks



  • 6.  RE: Bluescreen SYMEVENT.SYS

    Broadcom Employee
    Posted May 07, 2012 02:23 AM

    I suggest opening a support ticket and providing the dump for analysis. Did you update symevent?



  • 7.  RE: Bluescreen SYMEVENT.SYS
    Best Answer

    Posted May 10, 2012 07:19 AM

    We have a solution!

    http://support.microsoft.com/kb/840342/EN-US

    Thanks for your support.