After installing SONAR definitions sequence 170306001 on a system running Symantec Endpoint Protection (SEP) 12.1 or 14, a Bug Check 0x19 (BAD_POOL_HEADER) occurs and is attributed to bhdrvx64.sys or bhdrvx86.sys, our Behavioral Analysis And Security Heuristics (BASH) driver.
STACK_TEXT:
fffff880`0a647bf8 fffff800`047a8cbe : 00000000`00000019 00000000`00000020 fffff8a0`16a2a000 fffff8a0`16a2a870 : nt!KeBugCheckEx
fffff880`0a647c00 fffff880`0671ccbc : 00000000`77c1020c 00000000`00640000 fffff8a0`32583242 ffffffff`80003220 : nt!ExAllocatePoolWithTag+0x1a2a
fffff880`0a647cb0 fffff880`0671b4cc : 00000000`002f1e10 fffff8a0`04c81680 00000000`00000831 ffffffff`80003220 : BHDrvx64+0x2bc
fffff880`0a647d10 fffff880`0671b1b1 : fffff8a0`049a1050 00000000`00000000 fffff880`00000006 fffff8a0`04c81680 : BHDrvx64+0x2ac
fffff880`0a647d60 fffff880`066eac10 : 00000000`00000000 fffff8a0`00000006 00000000`0005002d fffff8a0`04c81680 : BHDrvx64+0x191
fffff880`0a647e80 fffff880`0675a223 : 00000000`0005002d 00000000`00000831 fffffa80`0c321800 fffff880`0a648510 : BHDrvx64+0x50
fffff880`0a647ec0 fffff880`06739779 : fffff880`0a647fe0 fffff880`06705a11 fffff8a0`0aec1860 fffff880`06721d2d : BHDrvx64+0x117
fffff880`0a647ef0 fffff880`06737c39 : fffff8a0`05345fe8 fffff880`06734dad fffff880`0a647fe0 fffff880`06739498 : BHDrvx64+0x69
fffff880`0a647f40 fffff880`0672f4ca : 00000000`00000000 00000000`00000830 fffff8a0`0510201c fffff8a0`05345fe8 : BHDrvx64+0x139
fffff880`0a647fd0 fffff880`0672c7a4 : fffff8a0`05346028 fffff880`0a648510 fffff880`0a6482e0 fffff8a0`10c28a20 : BHDrvx64+0x29a
fffff880`0a6480c0 fffff880`0672d11d : 00000000`00000000 fffff880`0a6482e0 fffff880`00000005 fffff8a0`10c28a20 : BHDrvx64+0x74
fffff880`0a648110 fffff880`067d66d6 : 00000000`00000000 fffff8a0`0533b000 fffff880`0a648510 fffff880`0a6482e0 : BHDrvx64+0x25d
fffff880`0a6481d0 fffff880`06621967 : fffff880`0a648510 fffff8a0`0533b000 fffff8a0`12edfc00 fffff8a0`10c28a20 : BHDrvx64+0x1e6
fffff880`0a648270 fffff880`066211f1 : fffff880`0a648510 00000000`00000000 00000000`00000000 fffff880`0a6488b0 : BHDrvx64+0x727
fffff880`0a6483b0 fffff880`066c83ec : fffffa80`095b29b0 fffff8a0`10c28a20 fffff880`0a648510 00000000`00000001 : BHDrvx64+0x181
fffff880`0a648430 fffff880`066c82e5 : fffff880`0a648510 fffffa80`0c213b30 fffffa80`07511700 fffffa80`0c84b060 : BHDrvx64+0x2c
fffff880`0a648460 fffff880`066c6a6b : fffffa80`095b29b0 fffff8a0`0a942370 00000000`00000000 00000000`a0000003 : BHDrvx64+0xc5
fffff880`0a6484c0 fffff880`066c64fa : 00000000`00000000 00000000`00000072 00000000`10000004 fffff880`05537deb : BHDrvx64+0xab
fffff880`0a648670 fffff880`066c546f : 00000000`00000001 fffffa80`06c1ab60 fffff880`0a648788 00000000`0000117c : BHDrvx64+0x7a
fffff880`0a6486d0 fffff880`01002067 : 00000000`00000000 00000000`00000072 fffffa80`0774ede0 00000000`00000040 : BHDrvx64+0x15f
fffff880`0a648710 fffff880`01003329 : fffff880`0a648800 ffff0000`0b22d612 fffff880`0a648900 00000000`00000000 : fltmgr!FltpPerformPreCallbacks+0x2f7
fffff880`0a648810 fffff880`010016c7 : fffffa80`0c213b30 fffffa80`0774ede0 fffffa80`0726e700 fffffa80`07511700 : fltmgr!FltpPassThrough+0x2d9
fffff880`0a648890 fffff800`04980d3f : fffffa80`0c213b30 fffffa80`0693f4a0 00000000`00000000 fffffa80`07511700 : fltmgr!FltpDispatch+0xb7
fffff880`0a6488f0 fffff800`0496ecee : 00000000`00000000 fffffa80`075116d0 00000000`000002a4 00000000`00000040 : nt!IopCloseFile+0x11f
fffff880`0a648980 fffff800`0496e95f : fffffa80`075116d0 fffffa80`00000001 fffff8a0`077144e0 00000000`00000000 : nt!ObpDecrementHandleCount+0x8e
fffff880`0a648a00 fffff800`0496f084 : 00000000`000002a4 fffffa80`0693f4a0 fffff8a0`077144e0 00000000`000002a4 : nt!ObpCloseHandleTableEntry+0xaf
fffff880`0a648a90 fffff800`04671693 : fffffa80`0c84b060 fffff880`0a648b60 00000000`7ef9d000 00000000`1ecb1203 : nt!ObpCloseHandle+0x94
fffff880`0a648ae0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
SEP (all versions)
The cause is a buffer overflow in BASH, triggered by two signatures introduced in the March 6, 2017 definitions that use the loaded_modules attribute, which is where the defect lies.
The two offending signatures were pulled in the March 20, 2017 SONAR definitions release (sequence number 20170314001). They will be reintroduced once the problem in the BASH engine has been addressed.
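As an added example (not part of the Symantec article), a small Python parser for a WinDbg STACK_TEXT dump like the one above: it pulls the bugcheck code and parameters out of the nt!KeBugCheckEx frame and reports the first frame that belongs to a non-Microsoft module, which is the usual first step when deciding which driver a BAD_POOL_HEADER should be attributed to. The sample is abbreviated from the stack above; the list of Microsoft-owned modules to skip is an assumption.

```python
import re

# Abbreviated from the STACK_TEXT in the article above (frames kept verbatim).
SAMPLE_STACK = """STACK_TEXT:
fffff880`0a647bf8 fffff800`047a8cbe : 00000000`00000019 00000000`00000020 fffff8a0`16a2a000 fffff8a0`16a2a870 : nt!KeBugCheckEx
fffff880`0a647c00 fffff880`0671ccbc : 00000000`77c1020c 00000000`00640000 fffff8a0`32583242 ffffffff`80003220 : nt!ExAllocatePoolWithTag+0x1a2a
fffff880`0a647cb0 fffff880`0671b4cc : 00000000`002f1e10 fffff8a0`04c81680 00000000`00000831 ffffffff`80003220 : BHDrvx64+0x2bc
fffff880`0a648710 fffff880`01003329 : fffff880`0a648800 ffff0000`0b22d612 fffff880`0a648900 00000000`00000000 : fltmgr!FltpPerformPreCallbacks+0x2f7
fffff880`0a648ae0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
"""

# One WinDbg STACK_TEXT frame: child-sp, return address, four arguments, symbol.
HEX = r"[0-9a-f]{8}`[0-9a-f]{8}"
FRAME_RE = re.compile(
    rf"^(?P<sp>{HEX})\s+(?P<ret>{HEX})\s+:\s+(?P<args>(?:{HEX}\s+){{4}}):\s+(?P<sym>\S+)$"
)

# Microsoft-owned modules to skip when looking for the third-party caller (assumption).
TRUSTED_MODULES = ("nt", "hal", "fltmgr")

def parse_stack(text):
    """Return frames as (module, symbol, [arg0..arg3]) in top-of-stack order."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:                      # skips the STACK_TEXT: label and blank lines
            continue
        args = [int(a.replace("`", ""), 16) for a in m.group("args").split()]
        sym = m.group("sym")
        module = sym.split("!", 1)[0].split("+", 1)[0]  # "BHDrvx64+0x2bc" -> "BHDrvx64"
        frames.append((module, sym, args))
    return frames

def bugcheck_params(frames):
    """KeBugCheckEx takes the bugcheck code followed by its parameters; STACK_TEXT
    shows four arguments, so this yields the code plus parameters 1-3.
    For 0x19 (BAD_POOL_HEADER), parameter 1 == 0x20 means a pool block header
    size is corrupt, which matches the ExAllocatePoolWithTag frame below it."""
    for _, sym, args in frames:
        if sym.startswith("nt!KeBugCheckEx"):
            return args[0], args[1:]
    return None, []

def suspect_module(frames):
    """First frame not owned by a Microsoft module: the driver on the stack
    when the corrupt pool header was detected."""
    for module, _, _ in frames:
        if module not in TRUSTED_MODULES:
            return module
    return None

def triage(text):
    frames = parse_stack(text)
    code, params = bugcheck_params(frames)
    return {"bugcheck": code, "params": params,
            "suspect": suspect_module(frames), "frames": len(frames)}
```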