Windows devices running Symantec Endpoint Protection (SEP) 14 experience a blue screen with BugCheck 27. Initial analysis suggests that the at-fault driver is rdbss.sys; however, deeper analysis (typically performed by Microsoft or the hardware vendor) suggests this is ultimately caused by file read operations initiated by SymEFA.sys.
The frequency of the crash is intermittent, and in most cases extremely infrequent.
Initial bugcheck analysis will point to rdbss!RxCommonRead operations, similar to the output below:
FOLLOWUP_IP:
rdbss!RxCommonRead+82
fffff880`03d6baea 668b06 mov ax,word ptr [rsi]

FAULTING_IP:
rdbss!RxCommonRead+82
fffff880`03d6baea 668b06 mov ax,word ptr [rsi]
Symantec development has identified an issue in which asynchronous read operations initiated by SymEFA can, in some rare cases, take longer than expected to complete. This can potentially lead to a scenario in which access is attempted on a file object which has already been destroyed.
Note that because rdbss.sys is a Microsoft driver, similar crashes can occur that are not actually caused by SymEFA.
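For triaging a batch of crash analyses against the signature described above, the following is an added example and not Symantec or Microsoft code. It assumes the analysis text carries a BUGCHECK_STR field (not shown in this article), and the function names and the sep_installed flag are hypothetical.

```python
import re

# Signature taken from the article: BugCheck 27 with the faulting
# instruction inside rdbss!RxCommonRead.
BUGCHECK = 0x27
FAULT_SYMBOL = "rdbss!RxCommonRead"

# Constructed sample of analysis text. The FAULTING_IP/FOLLOWUP_IP lines are
# the ones quoted in the article; the BUGCHECK_STR line is an assumption
# about the surrounding output.
SAMPLE = """\
BUGCHECK_STR:  0x27

FAULTING_IP:
rdbss!RxCommonRead+82
fffff880`03d6baea 668b06          mov     ax,word ptr [rsi]

FOLLOWUP_IP:
rdbss!RxCommonRead+82
fffff880`03d6baea 668b06          mov     ax,word ptr [rsi]
"""

def parse_analysis(text):
    """Extract the bugcheck code and the FAULTING_IP symbol from analysis text."""
    code = re.search(r"BUGCHECK_STR:\s*0x([0-9A-Fa-f]+)", text)
    # The symbol may sit on the label's line or on the line after it.
    ip = re.search(
        r"FAULTING_IP:\s*([\w.]+![\w:]+)(?:\+(?:0x)?([0-9A-Fa-f]+))?", text)
    return {
        "bugcheck": int(code.group(1), 16) if code else None,
        "symbol": ip.group(1) if ip else None,
        "offset": int(ip.group(2), 16) if ip and ip.group(2) else None,
    }

def triage(text, sep_installed):
    """Classify one analysis: 'candidate', 'signature-only' or 'no-match'."""
    info = parse_analysis(text)
    if info["bugcheck"] != BUGCHECK or info["symbol"] != FAULT_SYMBOL:
        return "no-match"
    # rdbss.sys is a Microsoft driver, so the signature alone does not prove
    # SymEFA involvement; SEP must at least be present on the machine.
    return "candidate" if sep_installed else "signature-only"
```

A "candidate" result only means the dump matches the published signature on a machine running SEP; attributing it to SymEFA still requires the deeper analysis mentioned above.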
Symantec is aware of this issue and will update this document when a solution becomes available. It is not necessary to log a support case on this issue. Please subscribe to this article to be notified of any updates.