32-bit Windows 2003 Servers with Symantec Endpoint Protection (SEP) 12.1.x Proactive Threat Protection Installed Hang or Crash with Event ID 333 Errors in System Event Log


Article ID: 158539


Products

Endpoint Protection

Issue/Introduction

32-bit Windows 2003 servers running SEP 12.1.x Proactive Threat Protection (PTP) with PTP definitions dated 24 September 2013 revision 11 have shown performance issues since the beginning of October. Servers may become unresponsive or crash with a Blue Screen of Death.

 

The Windows Event log may have errors such as:

Event ID 333:
An I/O operation initiated by the Registry failed unrecoverably.
The Registry could not read in, or write out, or flush, one of the files that contain the system's image of the Registry.
 
 
 

Resolution

 

Symantec is aware of this issue and will update this document when a solution becomes available.

To work around the issue, disable the BHDrvx86.sys driver.

Applies To

3rd-party management tools such as HP OpenView are installed.

 

The SONAR Engine version in the PTP definitions dated 24 September 2013 revision 11 is 8.0.1.1.

This SONAR Engine corresponds to the BHDrvx86.sys driver in \Definitions\BASHDefs\20130924.011\

 

Note:

Not every PTP definitions set dated 20130924.011 will have SONAR Engine version 8.0.1.1.

In some cases the version may be 7.8.0.10. With version 7.8.0.10, this particular issue should not occur. Having a version other than 8.0.1.1 is not an indication of problems with the SONAR definitions update, but is the result of Symantec's Staged Content Rollout Strategy. See www.symantec.com/docs/TECH206118 for further information.
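
A read-only check for the condition described above, added here as an example and not Symantec's own tooling: it reports the version of each BHDrvx86.sys found under the definitions folder and counts recent Event ID 333 errors in the System log. It assumes PowerShell 2.0 is installed, that the driver's file version resource matches the SONAR Engine version, and that `$DefsRoot` (a placeholder) is set to this server's BASHDefs folder.

```powershell
# Added example, not Symantec code. Read-only: it changes nothing on the server.
param(
    # Placeholder: set to the folder that contains the dated BASHDefs sets.
    [string]$DefsRoot = 'C:\PLACEHOLDER\Definitions\BASHDefs',
    [int]$Days = 30
)

$AffectedEngine = '8.0.1.1'   # SONAR Engine version named in the article

function Get-BashDriverVersion {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Filter 'BHDrvx86.sys' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
            # Assumption: the file version resource equals the SONAR Engine version.
            $ver = '{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart,
                                        $info.FileBuildPart, $info.FilePrivatePart
            New-Object PSObject -Property @{
                Path     = $_.FullName
                Version  = $ver
                Affected = ($ver -eq $AffectedEngine)
            }
        }
}

function Get-Registry333Count {
    param([int]$LookbackDays)
    $since = (Get-Date).AddDays(-$LookbackDays)
    # Filter on EventID rather than InstanceId, which carries extra severity bits.
    $hits = @(Get-EventLog -LogName System -EntryType Error -After $since -ErrorAction SilentlyContinue |
              Where-Object { $_.EventID -eq 333 })
    return $hits.Count
}

$drivers  = @(Get-BashDriverVersion -Root $DefsRoot)
$affected = @($drivers | Where-Object { $_.Affected })
$count333 = Get-Registry333Count -LookbackDays $Days

$drivers | Format-Table Version, Affected, Path -AutoSize
Write-Output ("Event ID 333 errors in the last {0} days: {1}" -f $Days, $count333)

if ($drivers.Count -eq 0) {
    Write-Output "No BHDrvx86.sys found under $DefsRoot; check the path."
} elseif ($affected.Count -gt 0 -and $count333 -gt 0) {
    Write-Output "Engine $AffectedEngine present and Event ID 333 logged: matches this article."
} elseif ($affected.Count -gt 0) {
    Write-Output "Engine $AffectedEngine present, no Event ID 333 in the window: monitor."
} else {
    Write-Output "Engine $AffectedEngine not found: this issue should not apply."
}
```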