search cancel

Bugcheck 9E referencing netft.sys on Hyper-V

book

Article ID: 162589

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Bugcheck 9E referencing netft.sys on Hyper-V Cluster server node running Server 2012 with SEP 12.1.6 client installed. A cluster server node is repeatedly hanging.  After the server experiences the hang, it falls out of the cluster due to the cluster watchdog process resulting in the crash dump with a bugcheck 9E.  After 4 or 5 minutes it will restart and upon restart the server may experience the hang issue again.  

When in this state, it does connect to the cluster node and appears to be functioning as expected.  

  • The Symantec Endpoint Protection client will communicate with the manager
  • You can access the server shares through UNC connection
  • Administrators can connect to the server through RDP, other remote management options such and receive login screen

However after supplying credentials at the login prompt, the login process will not proceed and may result in a black screen.  The machine will eventually restart and may continue to loop through this process and experience the symptoms as described above.   

Memory Dump review reveals:

BugCheck 9E, {ffffe8002c542080, 4b0, 6, 0}
Probably caused by : netft.sys ( netft!NetftProcessWatchdogEvent+e4 )
Followup: MachineOwner
Debugging Details:
------------------
PROCESS_OBJECT: ffffe8002c542080
DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
BUGCHECK_STR:  0x9E
PROCESS_NAME:  System
CURRENT_IRQL:  2
ANALYSIS_VERSION: 6.3.9600.17029
DPC_STACK_BASE:  FFFFD00202434FB0
LAST_CONTROL_TRANSFER:  from fffff801bd89cc08 to fffff802f17689a0
STACK_TEXT: 
: nt!KeBugCheckEx
: netft!NetftProcessWatchdogEvent+0xe4
: netft!NetftWatchdogTimerDpc+0x36
: nt!KiRetireDpcList+0x4f8
: nt!KiIdleLoop+0x5a
STACK_COMMAND:  kb
FOLLOWUP_IP:
netft!NetftProcessWatchdogEvent+e4
fffff801`bd89cc08 cc              int     3
SYMBOL_STACK_INDEX:  1
SYMBOL_NAME:  netft!NetftProcessWatchdogEvent+e4
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: netft
IMAGE_NAME:  netft.sys

Cause

The issue occurs when Application Control enumerates mount points within a volume.

Resolution

This issue is fixed in Symantec Endpoint Protection client 12.1.6.5 (RU6 MP5).  For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec Endpoint Protection.

To work around the issue an Application Control exception can be put into place. This will prevent the Application Control from attaching to Windows Clustering service, clussvc.exe.