Under specific circumstances such as viewing multiple streams from multiple sources in Microsoft Teams, and or handling multiple video streams in multiple browsers you may see a BSOD occur with Symantec Endpoint Protection installed.

This issue specifically only occurs on devices running newer versions of the rtu53cx22x64.sys driver (Realtek has stated the difference appear between their 11.8 and 11.9 release versions)*** And SEP RU5, RU6 and or RU7.


The BSOD reported is : DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

WINDBG shows an initial output of :

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ffffd3252e352f70, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff8027d7712b4, address which referenced memory

AND

BUGCHECK_CODE:  d1
BUGCHECK_P1: ffffd3252e352f70
BUGCHECK_P2: 2
BUGCHECK_P3: 1
BUGCHECK_P4: fffff8027d7712b4
WRITE_ADDRESS:  ffffd3252e352f70 Nonpaged pool
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME:  System
TRAP_FRAME:  fffff40e509978c0 – (.trap 0xfffff40e509978c0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000097ffffff68 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8027d7712b4 rsp=fffff40e50997a50 rbp=fffff40e50997de0
 r8=0000000000000006  r9=0000000000000000 r10=0000000000000011
r11=ffffd28d2e353000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
tcpip!IpFlcReceivePreValidatedPackets+0x974:
fffff802`7d7712b4 4e894c1808      mov     qword ptr [rax+r11+8],r9 ds:ffffd325`2e352f70=????????????????

Windows 10 post 1909LTS, Windows 11

The Realtek network adapter on the device with the BSOD is handing the Symantec Endpoint Protection TEEFER.SYS network filter driver a improper NBL NDIS_RECEIVE_FLAGS_RESOURCES flag while processing network frames.

(https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ndis/nc-ndis-filter_receive_net_buffer_lists)

This incomplete buffer list and flag when in conjunction with SEP's Teefer.sys filter driver in user mode causes a memory return\freeing action to a improperly addressed memory space and the BSOD occurs.

This issue is has not been seen to occur with OLDER driver revisions of the Realtek driver stack.

To resolve this issue, update the Realtek driver to the latest release. 

If that doesn't resolve the issue, either of the following may be used:

• Backdate the Realtek driver to a previous version where the issue no longer occurs as some older versions did not have this issue
• Enable Kernel Caching in the Symantec Endpoint Protection product as a workaround.  This will allow the SEP Teefer driver to handle the malformed packets and improperly set NBL NDIS_RECEIVE_FLAGS_RESOURCES flags but will require disabling certain features as outlined in the KB link at the bottom of the page.

Enabling Kernel Cache mode for SEP and SESC:
https://knowledge.broadcom.com/external/article/157551/smb-transfer-speeds-decrease-after-insta.html

*** Realtek is a IP and chipset vendor and as such the driver may not be labeled as a Realtek driver. As an example Lenovo renames the driver and network adapter, it may be required to view the driver details in the Device manger to properly identify the chipset.