Blue screen error in Eraser engine on Windows 2000 after August 19, 2013 update

Article ID: 158314

Products

Endpoint Protection

Issue/Introduction

After a Symantec Endpoint Protection client on Windows 2000 is updated to the definitions dated August 19, 2013, revision 17 or later, a blue screen error occurs when the computer shuts down.

One of the following errors may occur when shutting down:

"STOP: c0000263 Unknown Hard Error"

"STOP: c0000263 {Driver Entry Point Not Found}

The \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys device driver could not locate the entry point PsGetContextThread in driver ntoskrnl.exe."

After restarting the computer, the following error message appears in the Windows Event Viewer:

"EraserUtilDrv 11310.sys device driver could not locate the entry point PsGetContextThread in driver ntoskrnl.exe"

Cause

This problem is related to the ERASER engine update in the August 19 rev. 17 definitions update. The update incremented the ERASER Engine file version to 113.1.0.101 or later for ccEraser.dll and .sys files.

Resolution

Symantec has rolled back the Eraser engine that causes this issue. The definitions that contain the rollback are dated 20 August 2013, revision 19, sequence number 146721. Symantec recommends that you update your virus definitions to this version or later.

If the August 19 rev. 17 definitions are on a client, do one of the following to solve the problem, depending on the state of the client:

If the client has not been restarted, update the definitions

  1. From Symantec Endpoint Protection Manager, click Admin.
  2. In the left pane, select Servers.
  3. Under View Servers, select a site to update.
  4. Under Tasks, click Download LiveUpdate Content, and then click Download.
    The clients receive the new definitions as they check in with the manager.
  5. Confirm that the content version on the client is August 20, 2013 rev. 19 or later.

If the client has been restarted, and is experiencing blue screen errors, disable the Eraser driver and update the definitions

  1. Start the computer in Safe Mode.
  2. In Device Manager, click View > Show hidden devices.
  3. Click Non-Plug and Play Drivers, then right-click Symantec Eraser Control Driver and click Properties.
  4. Under Startup Type, select Disabled, and then click OK.
  5. Restart the client computer.
  6. Confirm that the computer starts correctly in normal mode.
  7. From Symantec Endpoint Protection Manager, click Admin.
  8. In the left pane, select Servers.
  9. Under View Servers, select a site to update.
  10. Under Tasks, click Download LiveUpdate Content, and then click Download.
    The clients receive the new definitions as they check in with the manager.
  11. Confirm that the content version on the client is August 20, 2013 rev. 19 or later.
  12. In Device Manager, click View > Show hidden devices.
  13. Click Non-Plug and Play Drivers, then right-click Symantec Eraser Control Driver and click Properties.
  14. Under Startup Type, select System, and then click OK.
  15. Restart the client computer.
  16. Confirm that the computer starts correctly in normal mode.

If you are unable to update the definitions, you can backdate the definitions to work around the problem. Do one of the following, depending on the state of the client:

If the client has not been restarted, backdate the definitions

  1. From Symantec Endpoint Protection Manager, click Policies.
  2. Under View Policies, click LiveUpdate.
  3. On the LiveUpdate Content tab, select the LiveUpdate content policy.
  4. In the LiveUpdate Content pane, under Virus and spyware definitions, check Select a revision, and then click Edit.
  5. Select a set of definitions prior to the August 19 rev. 17 set, and click OK.
    The clients receive the backdated definitions as they check in with the manager.
  6. Confirm that the content has been backdated on the client.

If the client has been restarted, and is experiencing blue screen errors, disable the Eraser service and backdate the definitions

  1. Start the computer in Safe Mode.
  2. In Device Manager, click View > Show hidden devices.
  3. Click Non-Plug and Play Drivers, then right-click Symantec Eraser Control Driver and click Properties.
  4. Under Startup Type, select Disabled, and then click OK.
  5. Restart the client computer.
  6. Confirm that the computer starts correctly in normal mode.
  7. From Symantec Endpoint Protection Manager, click Policies.
  8. Under View Policies, click LiveUpdate.
  9. On the LiveUpdate Content tab, select the LiveUpdate content policy.
  10. In the LiveUpdate Content pane, under Virus and spyware definitions, check Select a revision, and then click Edit.
  11. Select a set of definitions prior to the August 19 rev. 17 set, and click OK.
    The clients receive the backdated definitions as they check in with the manager.
  12. Confirm that the content has been backdated on the client.
  13. In Device Manager, click View > Show hidden devices.
  14. Click Non-Plug and Play Drivers, then right-click Symantec Eraser Control Driver and click Properties.
  15. Under Startup Type, select System, and then click OK.
  16. Restart the client computer.
  17. Confirm that the computer starts correctly in normal mode.
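
The choice between the procedures above can be applied to a whole client inventory at once. The following is an added example, not Symantec code: it sorts clients by operating system, definition date and revision, and restart state. The CSV column names, the ISO date format and the host names are assumptions made for the sample.

```python
import csv
import io
from datetime import date

# Boundaries from the article: the faulty Eraser engine arrived with the
# August 19, 2013 rev. 17 definitions; August 20, 2013 rev. 19 rolls it back.
FIRST_BAD = (date(2013, 8, 19), 17)
FIRST_FIXED = (date(2013, 8, 20), 19)

# Constructed inventory. Column names and the ISO date format are assumptions,
# not a Symantec Endpoint Protection Manager export format.
SAMPLE = """host,os,defs_date,defs_rev,restarted
w2k-fs01,Windows 2000,2013-08-19,17,no
w2k-app02,Windows 2000,2013-08-19,22,yes
w2k-edge03,Windows 2000,2013-08-20,3,yes
w2k-db04,Windows 2000,2013-08-20,19,no
w2k-old05,Windows 2000,2013-08-19,16,no
xp-ws06,Windows XP,2013-08-19,18,yes
"""

def triage(row):
    """Return the action the article prescribes for one client record."""
    if "Windows 2000" not in row["os"]:
        return "not affected"
    # Definitions are ordered by date first, then by revision within a date.
    defs = (date.fromisoformat(row["defs_date"]), int(row["defs_rev"]))
    if defs < FIRST_BAD:
        return "not affected"
    if defs >= FIRST_FIXED:
        return "already fixed"
    if row["restarted"].strip().lower() == "yes":
        return "safe mode: disable Eraser driver, update, re-enable"
    return "update definitions before restart"

def triage_inventory(text):
    """Map each host in a CSV inventory to its action."""
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE).items():
        print(f"{host:12} {action}")
```

Comparing the date and revision together is what places a set such as August 20 rev. 3 inside the affected window even though its date matches the fixed set.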