You install Symantec Endpoint Protection. After the installation, the computer unexpectedly restarts or encounters a blue screen with a STOP message similar to the following:

STOP 0x0000007f (0x00000008, 0x00000000, 0x00000000, 0x00000000)
UNEXPECTED_KERNEL_MODE_TRAP

A common configuration for this situation is a Windows Server with Terminal Services in Remote Administration Mode with a combination of, but not exclusive to, any of the following applications: Symantec Endpoint Protection, St. Bernard Open File Manager, Quota Manager, Legato RepliStor, or other "filter drivers" that register with the Kernel Stack.
 

This problem occurs because there is a limited amount of kernel space available for kernel drivers. If the operating system runs out of kernel space, then the computer displays a blue screen error message.

Symantec Endpoint Protection Auto-Protect
When Symantec Endpoint Protection Auto-Protect examines a file for viruses, it requests file access from the corresponding file system. These requests for file IO can add to kernel stack consumption. To prevent Auto-Protect from using additional kernel stack in a low stack situation, an internal configuration value named KStackMinFree was added and is configurable through the Windows registry.

The KStackMinFree registry value
The KStackMinFree registry value specifies a minimum amount of kernel stack that must be free for File System Realtime Protection or Auto-Protect to request file IO from the file system. If the KStackMinFree value is present in the registry, then File System Realtime Protection or Auto-Protect calculates the amount of available stack space before doing any file IO. If the available kernel stack is less than the value in the registry, then File System Realtime Protection or Auto-Protect will not do any IO and will not scan the file.

Note: Auto-Protect only skips files that are accessed by trusted kernel components (Ring 0). If files are accessed by user mode components (non-Ring 0), then File System Realtime Protection or Auto-Protect examines the files for viruses.

Adding the KStackMinFree value is a two-step process

1. Modify the registry by adding the KStackMinFree value.
2. Stop and then restart the Symantec Endpoint Protection service for changes to take effect.
   If the problem persists, restart the computer. After you restart the computer, confirm that the changes that you made to the KStackMinFree value are still present.

WARNING: We strongly recommend that you back up the registry before making any changes. Incorrect changes to the registry could result in permanent data loss or damaged files. Modify only the keys that are specified. 

To fix this problem, use the following steps.

Modify the registry by adding the KStackMinFree value in Symantec Endpoint Protection 14.x

1. In the Registry Editor, go to the following key:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan
    
2. Right-click the RealTimeScan key, and then click New > DWORD Value.
3. Type KStackMinFree for the name of the new value.
4. Right-click the KStackMinFree value, and then click Modify.
5. Set the Base to Hexadecimal, and then type 2200 in the Value field.
6. Click OK.
7. Restart the computer

Changes to the KStackMinFree value take should effect after the service is restarted.

Recommended size for the KStackMinFree value

Symantec recommends a range between 8.0 KB and 8.5 KB (Hex 2000-2200), though each environment is different and it may take some experimenting to find the right value. Other possible values are defined in the following chart.
 

Notes:

• If the value is set too low, then a stack overflow can occur and the system will stop responding.
• If the value is set too high, then file scans will be skipped unnecessarily.
• If the registry value is set to 0, or greater than 0x2400, then File System Realtime Protection or Auto-Protect behaves normally.
• The limit is 0x2400
• This scenario provides slightly less protection because Auto-Protect loads later during the startup process. Use your best judgement to determine if this setting is appropriate for your environment
• While this problem is most prominent in 32-bit environments, 64-bit Operating Systems are not immune. The Kernel Stack Size on 64-bit Operating Systems is 24KB and drivers other than the SEP drivers can still cause a 64-bit thread stack to overflow. Contact the 3rd party vendor for a solution in cases such as these.