You experience a Blue Screen of Death (BSOD) with Bug Check 0xD1 {20, 2, 1, <address>} on systems with Symantec Endpoint Protection (SEP) 14.0.x and 12.1.x clients that received the May 8, 2017 CIDS 16.1.1.50 definitions update during the May 8-15 staged rollout. Customers also reported system instability and lockups with these CIDS definitions.
The Network and Host Exploit Mitigation or Network Threat Protection Definitions are dated 06 May 2017 r25.
When you analyze the dump, the faulting address in Arg4 resolves into IDSvia64.sys (Symantec's IDS core driver): it is the return address of the nt!KiPageFault frame, and the frame above it in STACK_TEXT is IDSvia64.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000020, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff88003550f0e, address which referenced memory
Debugging Details:
------------------
[...]
STACK_TEXT:
fffff880020198d8 fffff80001cbb729 : nt!KeBugCheckEx
fffff880020198e0 fffff80001cba3a0 : nt!KiBugCheckDispatch+0x69
fffff88002019a20 fffff88003550f0e : nt!KiPageFault+0x260
fffff88002019bb0 fffff880035507ff : IDSvia64
[...]
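The dump excerpt above carries everything needed to attribute the crash without opening the debugger again. The following Python script is an added example (not part of the Symantec article) that parses the !analyze -v style text shown above: it decodes the four 0xD1 arguments (address referenced, IRQL, read/write, faulting instruction) and walks STACK_TEXT to find the frame whose return address equals Arg4, which is the page-fault handler; the next frame up is the code that touched the bad address, so its call-site column names the faulting module. The sample text is constructed from the article's values; the "null-plus-offset" threshold is a triage heuristic, not something the article states.

```python
"""Triage helper for DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1) dumps.

Added example, not Symantec's code: parses the text WinDbg's !analyze -v
prints and extracts what a responder needs to attribute the crash.
"""
import re

# IRQL names on x64 Windows for the levels that matter in a 0xD1 triage.
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}

# Constructed sample mirroring the article's dump excerpt (elided frames dropped).
SAMPLE_ANALYSIS = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arguments:
Arg1: 0000000000000020, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff88003550f0e, address which referenced memory
STACK_TEXT:
fffff880020198d8 fffff80001cbb729 : nt!KeBugCheckEx
fffff880020198e0 fffff80001cba3a0 : nt!KiBugCheckDispatch+0x69
fffff88002019a20 fffff88003550f0e : nt!KiPageFault+0x260
fffff88002019bb0 fffff880035507ff : IDSvia64
"""

CODE_RE = re.compile(r"^[A-Z_]+ \(([0-9a-fA-F]+)\)", re.M)
ARG_RE = re.compile(r"^Arg([1-4]):\s*([0-9a-fA-F]+)", re.M)
# "child-SP return-address : call-site", one frame per STACK_TEXT line
FRAME_RE = re.compile(r"^([0-9a-fA-F]{16})\s+([0-9a-fA-F]{16})\s+:\s+(\S+)", re.M)


def parse_args(text):
    """Return {1: int, 2: int, 3: int, 4: int} from the Arg1..Arg4 lines."""
    args = {int(n): int(v, 16) for n, v in ARG_RE.findall(text)}
    if set(args) != {1, 2, 3, 4}:
        raise ValueError("expected exactly Arg1..Arg4 in the bugcheck text")
    return args


def parse_frames(text):
    """Return [(child_sp, return_address, call_site), ...] from STACK_TEXT."""
    return [(int(sp, 16), int(ret, 16), site) for sp, ret, site in FRAME_RE.findall(text)]


def module_of(call_site):
    """'nt!KiPageFault+0x260' -> 'nt'; a bare 'IDSvia64' stays as is."""
    return call_site.split("!")[0].split("+")[0]


def faulting_module(frames, fault_address):
    """Locate the frame whose return address is Arg4 (the page-fault handler);
    the frame above it is the code that referenced the bad address."""
    for i, (_, ret, _) in enumerate(frames):
        if ret == fault_address and i + 1 < len(frames):
            return module_of(frames[i + 1][2])
    return None


def triage(text):
    """Decode a 0xD1 bugcheck block into responder-facing facts."""
    m = CODE_RE.search(text)
    if not m or int(m.group(1), 16) != 0xD1:
        raise ValueError("not a DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1) bugcheck")
    args = parse_args(text)
    frames = parse_frames(text)
    return {
        "bugcheck": 0xD1,
        "referenced": args[1],
        "irql": IRQL_NAMES.get(args[2], str(args[2])),
        "operation": "write" if args[3] == 1 else "read",
        # Heuristic: a referenced address in the first 64 KiB is the classic
        # NULL-plus-field-offset pattern (unset pointer, then a struct member).
        "null_plus_offset": args[1] < 0x10000,
        "module": faulting_module(frames, args[4]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ANALYSIS).items():
        print(f"{key:>17}: {value:#x}" if type(value) is int else f"{key:>17}: {value}")
```

Run against the constructed sample it reports a write to 0x20 at DISPATCH_LEVEL with IDSvia64 as the faulting module, which is exactly the conclusion the article draws from the dump; pointing it at the corresponding lines of any other 0xD1 analysis gives the same attribution in one step.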
The Network and Host Exploit Mitigation definitions of 6 May 2017 r26 contained a rolled-back IPS driver.
This issue was fixed in the CIDS 16.1.4 definitions, delivered via LiveUpdate to SEP 12.1 and 14.0 or higher clients on September 20, 2017.