Bug Check 0xD1 on Endpoint Protection systems that received the CIDS 16.1.4.22 definitions update

Article ID: 169793

Products

Endpoint Protection

Issue/Introduction

You experience a Blue Screen of Death (BSOD) with Bug Check 0xD1 {20, 2, 0, <address>} on systems with Symantec Endpoint Protection (SEP) 14.0.x clients that received the CIDS 16.1.4.22 definitions update as part of our Early Access program.

When you analyze the dump, you find that the issue is due to IDSvia64.sys (Symantec's IDS Core driver).

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {20, 2, 0, fffff8800313f586}

Probably caused by : IDSvia64.sys ( IDSvia64 )

[...]

STACK_TEXT:  
fffff880`07d27728 fffff800`01870a69 : 00000000`0000000a 00000000`00000020 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`07d27730 fffff800`0186f6e0 : fffff880`07d24000 fffff880`07d27848 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff880`07d27870 fffff880`0313f586 : fffffa80`09d79988 fffff880`03119695 fffffa80`0c33bcf8 fffff880`00000000 : nt!KiPageFault+0x260
fffff880`07d27a00 fffff880`0313f73e : fffffa80`0c33ba68 fffff800`019a91de 00000000`00000000 fffff880`07d27c00 : IDSvia64
fffff880`07d27a30 fffff880`0313314b : 00000000`00000000 00000000`ffffffff fffffa80`0c33bee8 fffffa80`0c33b628 : IDSvia64
fffff880`07d27a60 fffff880`03131c94 : fffffa80`0c33b628 fffffa80`0c33ba68 00000000`00000000 fffffa80`0c33ba68 : IDSvia64
fffff880`07d27a90 fffff880`03134d89 : fffffa80`081c9108 fffffa80`06172bb0 fffffa80`0c33b628 00000000`0000000d : IDSvia64
fffff880`07d27af0 fffff880`03135dc0 : 00000001`0000033e fffffa80`0c33b560 00000000`00000000 00000000`000007ff : IDSvia64
fffff880`07d27b30 fffff880`0310e61d : fffffa80`081c9108 fffff880`0310e4c5 fffff880`07d27c10 fffff880`07d28490 : IDSvia64
fffff880`07d27b80 fffff880`030ceed8 : fffff880`07d27c49 00000000`00000000 fffffa80`081c9108 fffffa80`09143300 : IDSvia64
fffff880`07d27bc0 fffff880`030dcc8f : fffffa80`09374a00 fffff880`030deeb2 00000000`00000000 fffffa80`06172bb0 : IDSvia64
fffff880`07d27ca0 fffff880`030dcb97 : fffffa80`00000000 fffffa80`09143300 fffffa80`05a9cc20 fffff880`07d27ea0 : IDSvia64
fffff880`07d27ce0 fffff880`00e1dcbf : 00000000`004dd2ff fffff880`07d27ea0 fffff880`07d28400 fffffa80`03c932c0 : IDSvia64
fffff880`07d27d30 fffff880`00e04f58 : 00000000`00000018 fffff880`07d282e8 fffffa80`083e6068 fffffa80`05a9cc20 : NETIO! ?? ::FNODOBFM::`string'+0x7277
fffff880`07d27e50 fffff880`00e065d2 : fffff880`07d20018 fffff880`07d282e8 fffff880`07d28400 fffff880`00000000 : NETIO!ArbitrateAndEnforce+0x238
fffff880`07d27f20 fffff880`0190048b : fffff880`07d28938 fffff880`07d282e8 fffff880`00000001 fffffa80`05a9cc20 : NETIO!KfdClassify+0x934
fffff880`07d28290 fffff880`018b9512 : 00000000`00000000 fffffa80`05b5f390 fffffa80`083e6170 00000000`00000000 : tcpip!WFPDatagramDataShimV4+0x49b
fffff880`07d285f0 fffff880`0188efcd : 00000000`00000003 fffff880`00000000 fffffa80`00000003 fffffa80`05a9cc20 : tcpip! ?? ::FNODOBFM::`string'+0x26812
fffff880`07d28860 fffff880`01883148 : fffffa80`05b5f390 fffffa80`00000000 00000000`00000000 fffffa80`00003500 : tcpip!ProcessAleForNonTcpIn+0x1ad
fffff880`07d28980 fffff880`0185d008 : fffffa80`00000011 fffff880`07d20002 fffffa80`05b53500 00000000`0000c1d3 : tcpip!WfpProcessInTransportStackIndication+0xb98
fffff880`07d28b10 fffff880`01886bc9 : 00000000`00000000 fffffa80`040a1380 00000000`00000000 fffffa80`05a880f0 : tcpip!InetInspectReceiveDatagram+0x1d8
fffff880`07d28bb0 fffff880`018872d4 : 00000000`11fc010a fffffa80`050a6010 fffffa80`050b2080 fffff880`01848061 : tcpip!UdpBeginMessageIndication+0x89
fffff880`07d28cd0 fffff880`0188148e : 00000000`00000000 fffffa80`00000000 fffffa80`00000000 fffff880`07d28e00 : tcpip!UdpDeliverDatagrams+0x2f4
fffff880`07d28db0 fffff880`018588d7 : fffffa80`050a2820 fffffa80`0506b101 00000000`00000000 00000000`00000005 : tcpip!UdpReceiveDatagrams+0x23f
fffff880`07d28e90 fffff880`018583ea : 00000000`00000000 fffff880`0196ba10 fffff880`07d29050 fffffa80`08e89180 : tcpip!IppDeliverListToProtocol+0xf7
fffff880`07d28f50 fffff880`018579a1 : fffff880`0196ba10 fffffa80`05a9cd50 00000000`00000011 fffff880`07d29040 : tcpip!IppProcessDeliverList+0x5a
fffff880`07d28ff0 fffff880`0185567f : 00000000`11fc010a fffff880`0196ba10 00000000`00000000 00000000`00000000 : tcpip!IppReceiveHeaderBatch+0x232
fffff880`07d290f0 fffff880`01854c9c : fffffa80`04a810e0 00000000`00000000 fffff880`0199c800 fffffa80`00000001 : tcpip!IpFlcReceivePackets+0x64f
fffff880`07d292f0 fffff880`018c96ef : fffff880`07d295f0 00000000`00000000 fffffa80`050a2820 00000000`00000001 : tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0xcec
fffff880`07d293e0 fffff800`0187de78 : fffff800`01e183c0 fffff880`07d294e0 fffffa80`0655e4b0 00000000`00000001 : tcpip! ?? ::FNODOBFM::`string'+0x3e7c2
fffff880`07d29430 fffff880`01853d82 : fffff880`018535b0 00000000`00000000 00000000`00000000 fffffa80`099c7301 : nt!KeExpandKernelStackAndCalloutEx+0xd8
fffff880`07d29510 fffff880`00f570eb : fffffa80`050a4830 00000000`00000000 fffffa80`0506b1a0 00000822`00a04000 : tcpip!FlReceiveNetBufferListChain+0xb2
fffff880`07d29580 fffff880`00f20ad6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : NDIS!ndisMIndicateNetBufferListsToOpen+0xdb
fffff880`07d295f0 fffff880`00ea2594 : fffffa80`0506b1a0 00000000`00000002 00000000`00000001 00000000`00000000 : NDIS!ndisMDispatchReceiveNetBufferLists+0x1d6
fffff880`07d29a70 fffff880`00ea2509 : fffff880`07d29be0 fffff880`02e9f800 00000000`00000000 fffff880`00eaf250 : NDIS!ndisMTopReceiveNetBufferLists+0x24
fffff880`07d29ab0 fffff880`00ea24a0 : fffff880`07d29b78 fffff880`00edb677 00000000`00000002 fffff880`00ec8875 : NDIS!ndisFilterIndicateReceiveNetBufferLists+0x29
fffff880`07d29af0 fffff880`02e9e280 : fffffa80`050a1420 00000000`00000053 00000000`00000300 fffffa80`04201ad0 : NDIS!NdisFIndicateReceiveNetBufferLists+0x50
fffff880`07d29b30 fffff880`02e9ecd6 : fffffa80`04201ad0 fffffa80`050a1490 fffffa80`050a1420 fffffa80`04201ad0 : Teefer!ForwardRecvNBLCtx+0x50 
fffff880`07d29b70 fffff880`02e9f8be : 00000000`00000001 fffffa80`05a9cc20 00000000`02030001 00000000`00000000 : Teefer!SchedulePkt+0x466 
fffff880`07d29bd0 fffff800`01b0ce66 : fffffa80`0424a090 fffffa80`0655e4b0 00000000`00000080 00000000`00000001 : Teefer!SingleThreadDispatch+0xbe 
fffff880`07d29c00 fffff800`018636e6 : fffff800`019f0e80 fffffa80`0655e4b0 fffffa80`058a8930 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`07d29c40 00000000`00000000 : fffff880`07d2a000 fffff880`07d24000 fffff880`07d298e0 00000000`00000000 : nt!KxStartSystemThread+0x16
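
To check a saved dump analysis against this signature, the following added example (not Symantec's code) parses !analyze -v text and tests for bug check 0xD1 with parameters 20, 2, 0, IDSvia64.sys as the blamed image, and IDSvia64 as the first non-kernel module on the stack. The names parse_analysis and matches_article are hypothetical, and SAMPLE is constructed from a few lines of the trace above.

```python
import re

# Constructed sample: a few lines copied from the debugger output in this article.
SAMPLE = r"""
BugCheck D1, {20, 2, 0, fffff8800313f586}
Probably caused by : IDSvia64.sys ( IDSvia64 )
STACK_TEXT:
fffff880`07d27728 fffff800`01870a69 : 00000000`0000000a 00000000`00000020 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`07d27870 fffff880`0313f586 : fffffa80`09d79988 fffff880`03119695 fffffa80`0c33bcf8 fffff880`00000000 : nt!KiPageFault+0x260
fffff880`07d27a00 fffff880`0313f73e : fffffa80`0c33ba68 fffff800`019a91de 00000000`00000000 fffff880`07d27c00 : IDSvia64
fffff880`07d27d30 fffff880`00e04f58 : 00000000`00000018 fffff880`07d282e8 fffffa80`083e6068 fffffa80`05a9cc20 : NETIO! ?? ::FNODOBFM::`string'+0x7277
fffff880`07d27e50 fffff880`00e065d2 : fffff880`07d20018 fffff880`07d282e8 fffff880`07d28400 fffff880`00000000 : NETIO!ArbitrateAndEnforce+0x238
"""

BUGCHECK = re.compile(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")
CAUSE = re.compile(r"Probably caused by\s*:\s*(\S+)")
# Child-SP, RetAddr, four arguments, then the symbol (module!function or bare module).
FRAME = re.compile(r"^[0-9a-f`]{17} [0-9a-f`]{17} : (?:[0-9a-f`]{17} ){4}: (\S+)", re.M)


def parse_analysis(text):
    """Extract bug check code, parameters, blamed image and stack module order."""
    bc = BUGCHECK.search(text)
    cause = CAUSE.search(text)
    modules = []
    for sym in FRAME.findall(text.partition("STACK_TEXT:")[2]):
        mod = sym.split("!")[0]
        if not modules or modules[-1] != mod:  # collapse runs of the same module
            modules.append(mod)
    return {
        "code": int(bc.group(1), 16) if bc else None,
        "args": [int(a, 16) for a in bc.group(2).split(",")] if bc else [],
        "image": cause.group(1).lower() if cause else None,
        "modules": modules,
    }


def matches_article(p):
    """True when the dump fits the signature described in this article."""
    # Bug check 0xD1 parameters: memory referenced, IRQL, access type (0 = read).
    non_nt = [m.lower() for m in p["modules"] if m.lower() != "nt"]
    return (p["code"] == 0xD1
            and p["args"][:3] == [0x20, 0x2, 0x0]
            and p["image"] == "idsvia64.sys"
            and non_nt[:1] == ["idsvia64"])


if __name__ == "__main__":
    print(matches_article(parse_analysis(SAMPLE)))
```

A dump that matches on the bug check code alone but blames a different driver, or carries different parameters, is reported as not matching.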

Environment

SEP 14.0 (any version)

Resolution

This issue has been addressed in the CIDS 16.1.4 definitions, delivered via LiveUpdate to SEP 12.1 and 14.0 or higher clients on September 20, 2017.