
BugCheck 0x3B due to SysPlant on a system running Endpoint Protection


Article ID: 174378


Products

Endpoint Protection

Issue/Introduction

After installing Symantec Endpoint Protection (SEP) 14.0 or later with the Application and Device Control (ADC) feature, the system crashes with BugCheck 0x3B (SYSTEM_SERVICE_EXCEPTION). Microsoft's Windows Debugger (WinDbg) identifies SysPlant, the ADC kernel-mode driver, as the faulting module.

The WinDbg call stack (kc) shows the following chain of events. Read it from bottom to top: NtCreateUserProcess invokes the registered create-process notify routines, SysPlant's process tracker handles the new process and references the parent process name, and the general protection fault (frame 07) is raised there:
 
0: kd> kc
 # Call Site
00 nt!KeBugCheckEx
01 nt!KiBugCheckDispatch
02 nt!KiSystemServiceHandler
03 nt!RtlpExecuteHandlerForException
04 nt!RtlDispatchException
05 nt!KiDispatchException
06 nt!KiExceptionDispatch
07 nt!KiGeneralProtectionFault
08 SysPlant -> Process Tracker: reference process name
09 SysPlant -> Process Tracker: add parent process name link
0a SysPlant -> Process Tracker: copy parent process name
0b SysPlant -> Process Tracker: process new process
0c SysPlant -> Process Tracker: call create process notify routine
0d nt!PspCallProcessNotifyRoutines
0e nt!PspInsertThread
0f nt!NtCreateUserProcess
10 nt!KiSystemServiceCopyEnd
11 0x0

Cause

With the ADC feature installed, SysPlant (SEP's ADC kernel-mode driver) registers a create-process notify routine that is called whenever a new user-mode process is created. While SysPlant copies the parent process information in one thread, the same information can be updated concurrently by another thread. SysPlant's subsequent attempt to dereference the process information structure's parent process name list head then follows a stale pointer and ends in a general protection fault, which the kernel reports as BugCheck 0x3B.
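The following user-mode C program is an added illustration of that race and of the kind of fix the article describes; it is not SysPlant code, and every name in it (ProcInfo, NameLink, the magic values, the pool, the process names) is this example's own assumption. The "other thread" is modelled as a callback invoked at the point where the reader has already taken the list head but not yet dereferenced it, and the fix is modelled as a lock that the updater must honour. Released links are poisoned instead of freed so the stale dereference is detected by a check rather than by undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumed constants: a live parent-name link versus one returned to the pool. */
#define LIVE_MAGIC 0x4C495645u  /* "LIVE" */
#define DEAD_MAGIC 0xDEADDEADu  /* poisoned on release, like a freed pool block */

typedef struct NameLink {
    unsigned magic;
    char     name[32];
} NameLink;

/* Hypothetical per-process tracker record: the "process information structure"
 * whose parent-process-name list head the driver dereferences. */
typedef struct ProcInfo {
    NameLink *parent_name;   /* head of the parent-process-name links */
    bool      locked;        /* stand-in for the synchronization added in 14.2 RU1 */
} ProcInfo;

/* Fixed pool instead of malloc: a released link is poisoned, not freed, so the
 * use-after-release below is caught deterministically by the magic check. */
static NameLink pool[4];
static int pool_next;

static NameLink *link_alloc(const char *name) {
    NameLink *l = &pool[pool_next++ % 4];
    l->magic = LIVE_MAGIC;
    snprintf(l->name, sizeof l->name, "%s", name);
    return l;
}

static void link_release(NameLink *l) { l->magic = DEAD_MAGIC; }

/* Writer: replaces the parent-name link and releases the old one.
 * If a reader holds the lock it must wait; modelled here by returning false. */
static bool update_parent_name(ProcInfo *p, const char *newname) {
    if (p->locked) return false;
    NameLink *old = p->parent_name;
    p->parent_name = link_alloc(newname);
    if (old) link_release(old);
    return true;
}

/* The interleaved thread: the same tracker handling another event
 * (process exit, DLL load, ...) that rewrites the parent link. */
static void concurrent_update(ProcInfo *p) { update_parent_name(p, "svchost.exe"); }

typedef void (*preempt_fn)(ProcInfo *);

/* Reader, pre-fix: reference the head, get preempted, then dereference it. */
static int copy_parent_name_unsafe(ProcInfo *p, char *out, size_t n, preempt_fn preempt) {
    NameLink *head = p->parent_name;      /* 1. reference the parent name link */
    preempt(p);                           /* 2. another thread replaces it meanwhile */
    if (head == NULL) return -1;
    if (head->magic != LIVE_MAGIC)        /* 3. stale link: in the kernel this is the #GP */
        return -2;
    snprintf(out, n, "%s", head->name);
    return 0;
}

/* Reader, post-fix: hold the lock across reference, copy and release. */
static int copy_parent_name_safe(ProcInfo *p, char *out, size_t n, preempt_fn preempt) {
    int rc = -1;
    p->locked = true;
    NameLink *head = p->parent_name;
    preempt(p);                           /* updater sees the lock and cannot modify */
    if (head && head->magic == LIVE_MAGIC) {
        snprintf(out, n, "%s", head->name);
        rc = 0;
    }
    p->locked = false;
    return rc;
}

/* Set up a tracker whose parent is explorer.exe and run one reader variant. */
static int run_scenario(bool fixed, char *out, size_t n) {
    ProcInfo p = { 0 };
    pool_next = 0;
    update_parent_name(&p, "explorer.exe");
    return fixed ? copy_parent_name_safe(&p, out, n, concurrent_update)
                 : copy_parent_name_unsafe(&p, out, n, concurrent_update);
}

/* -2: the unsynchronized reader dereferenced a released link. */
int unsafe_result(void) { char b[32]; return run_scenario(false, b, sizeof b); }

/* 1: the synchronized reader copied the consistent value "explorer.exe". */
int safe_result(void) {
    char b[32];
    return run_scenario(true, b, sizeof b) == 0 && strcmp(b, "explorer.exe") == 0;
}

int main(void) {
    char buf[32];
    int rc = run_scenario(false, buf, sizeof buf);
    printf("without lock: rc=%d (%s)\n", rc, rc == -2 ? "stale link dereferenced" : buf);
    rc = run_scenario(true, buf, sizeof buf);
    printf("with lock:    rc=%d (%s)\n", rc, rc == 0 ? buf : "error");
    return 0;
}
```

The point of the lock is its scope: it must cover the whole reference-copy-release sequence in every callback that touches the record, not just the create-process path, because any of the other callbacks can be the writer in this interleaving.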

Environment

  • SEP 14.0 or higher
  • Windows

Resolution

This issue is resolved in SEP 14.2 RU1, which adds a synchronization mechanism for the core data structure used by SysPlant. The lock keeps the structure consistent not only when a new process is launched, but also when a process terminates, a file is accessed, a DLL is loaded, the registry is accessed, and so on. Upgrade the SEP client to 14.2 RU1 or later.