Crash with BugCheck 0x3B or 0x9E, or a hang during Remote Desktop session logins due to AutoProtect

Article ID: 176267

Products

Endpoint Protection

Issue/Introduction

You experience one of the following issues on a server running Symantec Endpoint Protection (SEP) 14.2 MP1 or higher:

  • a crash with BugCheck 0x3B (SYSTEM_SERVICE_EXCEPTION). The crash dump shows a succession of multiple SYMEVENT64x86, BHDrvx64, Ironx64, symefasi64 and SRTSP64 function calls.
  • a crash with BugCheck 0x9E (USER_MODE_HEALTH_MONITOR) on a server with the Failover Clustering role. The crash dump shows several ERESOURCE locks involving clussvc.exe. All of them show AutoProtect (SRTSP64) function calls before nt!IoVolumeDeviceToDosName and mountmgr!MountMgrDeviceControl are called.
  • a hang during Remote Desktop session logins. The hang dump shows two AutoProtect-related ERESOURCE locks. In one of them, many AutoProtect-related threads (most in a ccSvcHst.exe context, but one in a System context) are waiting on another thread, in which AutoProtect calls two of its functions after Microsoft's shsvcs.dll (Shell Services library) calls to update storage volume media info but before nt!IoVolumeDeviceToDosName and mountmgr!MountMgrDeviceControl are called.

Please note that this is not an exhaustive list of the issues that may result from this AutoProtect defect.

NTFS supports multiple file streams. File system filter drivers can use a per-stream context structure to maintain context information for a file stream; it can be used as-is or embedded in a driver-defined, per-stream context structure. When a NULL value is unexpectedly assigned to the stream context field of AutoProtect's I/O context structure, its GetDriveLetter() and initMountPoint() functions, which use a pointer to the same stream context, fail, resulting in hangs or crashes in different scenarios.
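
A triage helper for the dump signatures listed above, as an added example that is not Symantec's code. It assumes the thread stack has been pasted as WinDbg `k`-style text with the newest frame first; the function names, result labels and sample stack are constructed for illustration.

```python
# Added triage example; module and symbol names come from the article,
# function names, labels and the sample stack are constructed.
CHAIN_MODULES = ["symevent64x86", "bhdrvx64", "ironx64", "symefasi64", "srtsp64"]
VOLUME_SYMBOLS = ["nt!iovolumedevicetodosname", "mountmgr!mountmgrdevicecontrol"]

# Constructed sample: addresses and offsets are made up, newest frame first.
SAMPLE_STACK = """\
Child-SP          RetAddr           Call Site
fffff880`0a1b2000 fffff800`02e00001 mountmgr!MountMgrDeviceControl+0x10
fffff880`0a1b2100 fffff800`02e00002 nt!IoVolumeDeviceToDosName+0x20
fffff880`0a1b2200 fffff800`02e00003 SRTSP64+0x1000
fffff880`0a1b2300 fffff800`02e00004 SRTSP64+0x2000
"""


def parse_frames(stack_text):
    """Return lower-cased call sites ('module' or 'module!symbol'), newest first."""
    frames = []
    for line in stack_text.splitlines():
        parts = line.split()
        # Keep only lines whose last column looks like a call site.
        if parts and ("!" in parts[-1] or "+0x" in parts[-1]):
            frames.append(parts[-1].lower().split("+0x")[0])
    return frames


def classify(bugcheck, stack_text):
    """bugcheck is 0x3B, 0x9E, or None for a hang dump."""
    frames = parse_frames(stack_text)
    modules = [f.split("!")[0] for f in frames]
    if bugcheck == 0x3B:
        # Crash signature: all five driver modules appear in the stack.
        hit = all(m in modules for m in CHAIN_MODULES)
        return "0x3B-driver-chain" if hit else "no-match"
    if bugcheck not in (0x9E, None) or not all(s in frames for s in VOLUME_SYMBOLS):
        return "no-match"
    # A caller is listed after its callee, so AutoProtect frames that ran
    # before the volume-name lookup sit below both lookup symbols.
    deepest = max(frames.index(s) for s in VOLUME_SYMBOLS)
    return "autoprotect-volume-lookup" if "srtsp64" in modules[deepest + 1:] else "no-match"


if __name__ == "__main__":
    print(classify(0x9E, SAMPLE_STACK))
```

A match only indicates that a stack resembles the signatures described in this article; the installed SEP version still has to be checked against the Environment list.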

Environment

  • SEP for Windows 14.2 MP1 or 14.2 RU1 (MP1)
  • Windows Server 2008 R2 or higher

Resolution

This issue has been resolved in SEP 14.2 RU2. Please refer to "Download Symantec Enterprise Security software, tools, and patches" for steps to download the latest build.