Bug Check 0x7E due to SymEFASI
search cancel

Bug Check 0x7E due to SymEFASI

book

Article ID: 164897

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

On a system with Symantec Endpoint Protection (SEP) 12.1, you experience a STOP error 0x7E (SYSTEM_THREAD_EXCEPTION_NOT_HANDLED) due to symefasi.sys (our Extended File Attributes driver).

STACK_TEXT:  
fffffa60`027d8680 fffffa60`00f8fe2a : fffffa80`3890a010 fffffa60`027d8778 00000000`00000000 fffffa80`610b61e0 : fltmgr! ?? ::FNODOBFM::`string'+0xd19
fffffa60`027d86d0 fffffa60`00f902af : fffffa80`3890a0c0 fffffa60`0f5f8ce0 00000000`00000000 fffffa60`027d87c0 : fltmgr!FltpSetupPerformIo+0x17a
fffffa60`027d8730 fffffa60`00fc2722 : fffffa80`3890a0c0 fffff880`140865f0 00000000`00000005 00000000`00000008 : fltmgr!FltPerformSynchronousIo+0x9f
fffffa60`027d87a0 fffffa60`01173ad8 : fffff880`140865f0 fffff880`140865f0 fffff880`19b2fec0 fffffa60`74414153 : fltmgr!FltQueryInformationFile+0x52
fffffa60`027d87e0 fffffa60`0100ef30 : fffffa60`027d89d0 00000000`00000001 fffff880`04809010 fffffa60`0100dc03 : symefasi+0x5c 
fffffa60`027d8820 fffffa60`0100d5f1 : 00000000`00000000 00000000`00000001 fffff880`04809010 fffffa60`0116ce5e : symefasi+0x14
fffffa60`027d8850 fffffa60`0116cc14 : fffff880`1abc9010 fffff880`1abc9010 fffffa60`027d8920 fffffa60`0f5f8c00 : symefasi+0x49 
fffffa60`027d8880 fffffa60`0100e170 : 00000000`00000000 fffff880`04cf1140 00000000`00000005 00000000`00000001 : symefasi+0x30 
fffffa60`027d88b0 fffffa60`0100d5f1 : 00000000`00000000 fffff800`0218faa5 00000005`112a7730 fffff880`12f559b0 : symefasi+0x14
fffffa60`027d88e0 fffffa60`0f2b5117 : fffff880`12f559b0 00000000`00000013 fffffa60`0f5ceb60 00000000`00000027 : symefasi+0x49 
fffffa60`027d8910 fffffa60`0f2b68f7 : 00000000`00000090 fffff880`04cf1100 fffff880`01dcf630 00000000`00000000 : SRTSP64+0xac117
fffffa60`027d8950 fffffa60`0f28e67a : 00000000`00000000 fffff880`0f1e30f0 fffffa60`00000005 00000000`65456153 : SRTSP64+0xad8f7
fffffa60`027d89a0 fffffa60`0f45f727 : fffff880`1b0f31f0 fffff880`12a287b0 00000000`00000068 fffffa60`0f28d331 : SRTSP64+0x8567a
fffffa60`027d89d0 fffffa60`0f45ee31 : fffff880`04d44e20 00000000`00000000 fffff880`1adaa790 fffff880`1b0f31f0 : EX64+0x23b
fffffa60`027d8a20 fffffa60`0f45f4cc : 00000000`00000000 00000000`00000000 fffffa60`0f2604b8 fffffa60`0f276e39 : EX64+0x7d
fffffa60`027d8a50 fffffa60`0f2d5745 : fffff880`04d44d30 00000000`00000000 00000000`00000000 fffffa60`0f2604b8 : EX64+0x4c
fffffa60`027d8aa0 fffffa60`0f2d519e : fffff880`00000002 fffff880`11885950 fffff880`04d44da0 fffff880`04d44e20 : SRTSP64+0xcc745
fffffa60`027d8b20 fffffa60`0f238588 : fffffa60`027da000 fffffa60`027d4000 fffffa60`00f9c900 00000000`000007ff : SRTSP64+0xcc19e
fffffa60`027d8b80 fffffa60`0f2388b0 : 00000000`62ca0002 00000f75`62be8a79 fffffa80`3e9af003 fffffa60`027d8c78 : SRTSP64+0x2f588
fffffa60`027d8bb0 fffffa60`0f273641 : 00000000`00000000 fffffa60`027d8c78 fffffa80`3e9af010 fffff880`11885950 : SRTSP64+0x2f8b0
fffffa60`027d8be0 fffffa60`00f8eeca : fffffa80`3e9af320 00000000`00000000 00000000`00000000 00000000`00006920 : SRTSP64+0x6a641
fffffa60`027d8c30 fffffa60`00f8dfce : fffffa80`3e043030 fffffa80`3cb6e860 fffffa80`61179010 fffffa80`61179230 : fltmgr!FltpPerformPostCallbacks+0x30b
fffffa60`027d8d00 fffffa60`00faa26c : fffffa80`610b61e0 fffffa80`3ae99450 fffffa80`3e9af000 fffffa60`027d8dc0 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x34e
fffffa60`027d8d70 fffff800`0232d0ed : 00000000`00000004 fffffa80`3fceea70 00000000`00000000 00000000`00000000 : fltmgr!FltpCreate+0x25d
fffffa60`027d8e20 fffff800`0235657b : fffffa80`610b61e0 00000000`00000000 fffffa80`428c1010 00000000`00000000 : nt!IopParseDevice+0x158d
fffffa60`027d8f90 fffff800`02324000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopParseFile+0x9b
fffffa60`027d8ff0 fffff800`023251b5 : ffffffff`800029f4 fffffa60`027d9188 fffffa80`00000240 00000000`00000000 : nt!ObpLookupObjectName+0x210
fffffa60`027d9100 fffff800`0232a7c7 : fffffa80`00120089 00000000`00120089 00000000`00000001 fffffa60`027d93f0 : nt!ObOpenObjectByName+0x2f5
fffffa60`027d91d0 fffff800`02319ad8 : fffffa60`027d95c8 fffff800`00120089 fffff880`030e5301 fffffa60`027d95e0 : nt!IopCreateFile+0x287
fffffa60`027d9270 fffff800`020acfb3 : fffff880`00001ea0 fffffa80`30d29bb0 00000000`00002cf4 fffff800`02328e94 : nt!NtOpenFile+0x58
fffffa60`027d9300 fffff800`020ad4c0 : fffffa60`017b59b9 00000000`00000000 ffffffff`80002cf4 fffffa80`5cee96a0 : nt!KiSystemServiceCopyEnd+0x13
fffffa60`027d9508 fffffa60`017b59b9 : 00000000`00000000 ffffffff`80002cf4 fffffa80`5cee96a0 fffffa60`027d9a20 : nt!KiServiceLinkage
fffffa60`027d9510 fffffa60`017bdf14 : fffffa60`01e43180 fffffa80`00000000 fffffa80`424381b0 00000000`00000000 : volsnap!VspComputeInitialBitmap+0x599
fffffa60`027d99e0 fffffa60`017bf4ad : fffffa80`3b5f3180 00000000`00000000 00000000`00000000 00000000`00000000 : volsnap!VspComputeIgnorableProduct+0x3d4
fffffa60`027d9a70 fffff800`020b49ab : fffff800`0231ef6c fffffa60`017beee0 fffff800`021ec8f8 fffffa80`30d29bb0 : volsnap!VspAdjustBitmap+0x5cd
fffffa60`027d9cf0 fffff800`022bd717 : fffffa80`3c5d59e8 00000000`00000000 fffffa80`30d29bb0 00000000`00000080 : nt!ExpWorkerThread+0xfb
fffffa60`027d9d50 fffff800`020ed386 : fffffa60`01e43180 fffffa80`30d29bb0 fffffa60`01e4cd40 fffffa60`01e437f0 : nt!PspSystemThreadStartup+0x57
fffffa60`027d9d80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

Environment

SEP 12.1

Cause

  1. The Extended File Attributes Manager of srtsp64.sys (our AutoProtect driver) made a call to have our Extended File Attributes driver (SymEFASI) access the file attributes of a file object.
  2. SymEFASI got the PFLT_INSTANCE pointer belonging to the file object and used it to set an internal filter instance reference. At this time, the PFLT_INSTANCE pointer was still valid.
  3. Srtsp64.sys (our AutoProtect driver) then performed some other operations and that PFLT_INSTANCE pointer was closed and invalidated by Windows.
  4. When our AutoProtect driver finished performing those operations, our AutoProtect driver's Extended File Attributes Manager made a call to have our Extended File Attributes driver (SymEFASI) end the access and uninitalize the Extended File Attributes context.
  5. SymEFASI got the PFLT_INSTANCE pointer from the aforementioned internal filter instance reference and used this pointer to call the FltQueryInformationFile() function of Microsoft's Filesystem Filter Manager driver. However, as the PFLT_INSTANCE pointer had already been closed and invalidated by Windows, the system saw this as an unrecoverable operation and generated a STOP error.
As per https://msdn.microsoft.com/en-us/library/windows/hardware/ff544816(v=vs.85).aspx ("FLT_RELATED_OBJECTS structure"), PFLT_INSTANCE is an 
"Opaque instance pointer for the minifilter driver instance that is associated with the operation. This pointer uniquely identifies the instance and 
remains constant as long as the instance is attached to a volume.

Resolution

This issue was resolved in both SEP 12.1 RU6 MP7 and 14.0, by taking the possibility of Windows prematurely closing and invalidating a PFLT_INSTANCE pointer into account.
There is no possible workaround; an upgrade is required to resolve this issue.

Powered by Wolken Software