BSOD with BugCheck 27 caused by rdbss.sys, but attributed to SymEFA.sys, with Endpoint Protection 14 installed.

Article ID: 172840

Products

Endpoint Protection

Issue/Introduction

Windows devices running Symantec Endpoint Protection (SEP) 14 experience a blue screen with BugCheck 27. Initial analysis suggests that the at-fault driver is rdbss.sys; however, deeper analysis (typically performed by Microsoft or the hardware vendor) suggests this is ultimately caused by file read operations initiated by SymEFA.sys.

The crash is intermittent and, in most cases, extremely infrequent.

Initial bugcheck analysis points to rdbss!RxCommonRead operations, similar to the output below:

FOLLOWUP_IP: 
rdbss!RxCommonRead+82
fffff880`03d6baea 668b06          mov     ax,word ptr [rsi]

FAULTING_IP: 
rdbss!RxCommonRead+82
fffff880`03d6baea 668b06          mov     ax,word ptr [rsi]

 

Cause

Symantec development has identified an issue in which asynchronous read operations initiated by SymEFA can, in some rare cases, take longer than expected to complete. This can potentially lead to a scenario in which access is attempted on a file object which has already been destroyed.

Note that because rdbss.sys is a Microsoft driver, similar crashes can occur that are not actually caused by SymEFA.
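
An added triage example (not Symantec's or Microsoft's code): it parses the FAULTING_IP and FOLLOWUP_IP sections of saved bugcheck analysis text and flags dumps whose faulting instruction is in rdbss!RxCommonRead, as in the excerpt above. The second sample and its driver name are constructed; a match only identifies the signature and, as noted above, does not by itself show that SymEFA was involved.

```python
import re

# "module!function+offset" as printed under FAULTING_IP / FOLLOWUP_IP (offset is hex).
SYMBOL_RE = re.compile(r"^([\w.]+)!([\w:~<>]+)(?:\+(?:0x)?([0-9a-fA-F]+))?$")
# A section label such as "FAULTING_IP:", optionally followed by a value on the same line.
LABEL_RE = re.compile(r"^([A-Z][A-Z0-9_]*):\s*(.*)$")
IP_SECTIONS = ("FAULTING_IP", "FOLLOWUP_IP")

def parse_ip_sections(text):
    """Return {section: (module, function, offset)} for the IP sections present."""
    found, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        label = LABEL_RE.match(line)
        if label:
            current, line = label.group(1), label.group(2).strip()
        if current in IP_SECTIONS and current not in found:
            sym = SYMBOL_RE.match(line)
            if sym:
                module, function, offset = sym.groups()
                found[current] = (module.lower(), function, int(offset or "0", 16))
    return found

def matches_article_signature(text):
    """True when every IP section present resolves to rdbss!RxCommonRead."""
    sections = parse_ip_sections(text)
    return bool(sections) and all(
        (module, function) == ("rdbss", "RxCommonRead")
        for module, function, _ in sections.values()
    )

# The excerpt quoted in this article.
ARTICLE_EXCERPT = """\
FOLLOWUP_IP: 
rdbss!RxCommonRead+82
fffff880`03d6baea 668b06          mov     ax,word ptr [rsi]

FAULTING_IP: 
rdbss!RxCommonRead+82
fffff880`03d6baea 668b06          mov     ax,word ptr [rsi]
"""

# Constructed sample: a hypothetical driver name, used only to show a non-match.
OTHER_EXCERPT = """\
FAULTING_IP: 
examplefs!ExampleRead+10
fffff880`00000000 90              nop
"""

if __name__ == "__main__":
    for name, text in (("article", ARTICLE_EXCERPT), ("constructed", OTHER_EXCERPT)):
        print(name, parse_ip_sections(text), matches_article_signature(text))
```
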

Resolution

Symantec is aware of this issue and will update this document when a solution becomes available. It is not necessary to log a support case on this issue. Please subscribe to this article to be notified of any updates.