Blue Screen of Death with Stop Code: MEMORY_MANAGEMENT (0x1a) After Applying Windows Security Updates from 1/3/2018

book

Article ID: 170727

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Microsoft has published a number of Windows Security Updates that contain a compatibility issue with legacy versions of the Expanded Remediation and Side Effect Repair (ERASER) engine that's distributed with Symantec Endpoint Protection (SEP) 12.1 and 14.0.

ERASER Engine Version 117.2.1 and older will encounter a Blue Screen of Death upon execution of a Scheduled, On-Demand, or Quick Scan by the SEP client, if these Windows Security Updates are present on the system.

STOP CODE: MEMORY_MANAGEMENT (0x1a)

Cause

ERASER Engine 117.2.1 and earlier contain a compatibility issue with the Windows Security Updates published on 1/3/2018

Environment

On 1/3/2018, Microsoft released the following out-of-band updates:

Windows Server 2016 - KB4056890
Windows Server 2012 R2 - KB4056898
Windows Server 2012 - KB4056899
Windows Server 2008 R2 SP1 - KB4056897
Windows 10 1709 - KB4056892
Windows 10 1703 - KB4056891
Windows 10 1607 - KB4056890
Windows 10 1511 - KB4056888
Windows 10 - KB4056893
Windows 8.1 - KB4056898
​Windows 7 SP1 - KB4056897

On 1/9/2018, Microsoft released the following Security Rollups which supercede the 1/3 update on their respective versions of Windows:

Windows 8.1 - KB4056895  
Windows Server 2012 R2 - KB4056895  
Windows Server 2012 - KB4056896
Windows 7 SP1 - KB4056894
Windows Server 2008 R2 SP1 - KB4056894

Resolution

Note: To mitigate the risk of systems encountering a BSoD, Windows Update will detect if a legacy ERASER engine version is installed and hide the update from users. In most cases, this means that encountering a BSoD as a result of this incompatibility is unlikely. This will not prevent older ERASER content from being applied after the Windows Update has been applied.
  • Ensure that ERASER Engine 117.3.0.358 or greater has been applied before attempting to apply the Microsoft Windows Security Updates released on 1/3/2018. For additional detail, see: How to check the version of AV Engine, IPS Engine and Eraser Engine from the client computer.
  • Once this update has been applied, do NOT attempt to rollback definitions to anything prior to this set of definitions or a Blue Screen of Death will be encountered upon execution of an On-Demand, Scheduled, or Active Scan.
  • Ensure that all installation packages are either loaded with NO content or with content that contains ERASER engine update 117.3.0.358 or greater.
  • Definitions containing the updated ERASER Engine for Enterprise products are included in 1/4/2018 rev. 1 (Sequence Number: 189937).