CB Protection: BSOD on agents version 8.0 patch 6 (8.0.0.2562)

Article ID: 288991

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • BSOD on systems utilizing terminal services such as Windows RDS, Citrix, VMware and Windows VDIs
  • The Ransomware Rapid Config is enabled
  • The stack trace and bugcheck analysis from the memory dump show both Parity.sys and TSFairShare.sys on the stack when the system crashed:
    STACK_TEXT:
    ffffb200`14b77460 fffff802`5d998d61 : ffffb200`14b77850 ffffc90a`8a427ad8 ffff9e8b`d5f6ea90 ffff9e8b`fbd26630 : Parity!+0x20b
    ffffb200`14b77570 fffff802`5d99341e : fffff802`5dac23b0 ffffb200`14b77850 ffffc90a`8a427ad8 ffffb200`14b77830 : Parity!+0xad1
    ffffb200`14b776b0 fffff802`5cc346ca : ffffc90a`8a427ad8 ffffb200`14b77850 ffffb200`14b77830 ffffc90a`83d417e0 : Parity!+0x7ce
    ffffb200`14b777d0 fffff802`5cc31b51 : ffffb200`14b779c0 ffffc90a`8a427a00 ffffb200`14b77904 ffffc90a`8a427b00 : FLTMGR!FltpPerformPreCallbacks+0x2ea
    ffffb200`14b778e0 fffff802`5cc31cef : ffffc90a`8a427a00 00000000`00000000 00000000`c0000225 ffff57ee`00000000 : FLTMGR!FltpInternalCompletePendedPreOperation+0x181
    ffffb200`14b77980 fffff802`5fb61317 : ffff1602`a8945f01 fffff802`00000000 ffffc90a`8a427b68 ffffc90a`8a427ad8 : FLTMGR!FltCompletePendedPreOperation+0xef
    ffffb200`14b77a30 fffff802`5fb614a4 : fffff802`5fb65340 ffffc90a`8305b000 ffffc90a`87528590 ffffc90a`86a16360 : TSFairShare!I_CompletePendedIo+0xab
    ffffb200`14b77a60 fffff802`5fb665e8 : ffffc90a`87528590 00000000`00020000 ffffc90a`8305b020 ffffc90a`7e6e2020 : TSFairShare!TSFSContinuePendedIo+0xa4
    

Environment

  • CB Protection Agent: 8.0.0.2562 (patch 6)
  • Microsoft Windows Server: All Supported Versions
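
A triage helper for the signature and build described above, as an added example that is not part of the original article or of any Carbon Black tooling: it reads the text of a saved crash analysis, extracts the module names from STACK_TEXT, and reports whether both Parity and TSFairShare are on the stack and whether the agent build is the one listed under Environment. The function names, verdict strings and the second sample trace are assumptions made for this example.

```python
import re

AFFECTED_BUILD = (8, 0, 0, 2562)  # agent build named in the article

# One STACK_TEXT frame: child-SP, return address, four args, then the call site.
ADDR = r"[0-9a-f]{8}`[0-9a-f]{8}"
FRAME_RE = re.compile(rf"^\s*{ADDR}\s+{ADDR}\s+:(?:\s+{ADDR}){{4}}\s+:\s+(\S+)\s*$", re.I)

def stack_modules(analysis_text):
    """Module names from the STACK_TEXT section, innermost frame first."""
    modules, in_stack = [], False
    for line in analysis_text.splitlines():
        if "STACK_TEXT:" in line:
            in_stack = True
        elif in_stack:
            frame = FRAME_RE.match(line)
            if frame:
                # Call site is "Module!Symbol+0xNN" or "Module!+0xNN"; keep the module.
                modules.append(re.split(r"[!+]", frame.group(1))[0].lower())
            elif line.strip():
                break  # first non-blank, non-frame line ends the section
    return modules

def triage(analysis_text, agent_version):
    """Classify one crash analysis against the article's signature (hypothetical verdicts)."""
    if not {"parity", "tsfairshare"} <= set(stack_modules(analysis_text)):
        return "no-match"
    build = tuple(int(part) for part in agent_version.strip().split("."))
    return "matches-article" if build == AFFECTED_BUILD else "signature-on-other-build"

# Four frames copied from the article's trace.
ARTICLE_TRACE = """STACK_TEXT:
ffffb200`14b77460 fffff802`5d998d61 : ffffb200`14b77850 ffffc90a`8a427ad8 ffff9e8b`d5f6ea90 ffff9e8b`fbd26630 : Parity!+0x20b
ffffb200`14b777d0 fffff802`5cc31b51 : ffffb200`14b779c0 ffffc90a`8a427a00 ffffb200`14b77904 ffffc90a`8a427b00 : FLTMGR!FltpPerformPreCallbacks+0x2ea
ffffb200`14b77980 fffff802`5fb61317 : ffff1602`a8945f01 fffff802`00000000 ffffc90a`8a427b68 ffffc90a`8a427ad8 : FLTMGR!FltCompletePendedPreOperation+0xef
ffffb200`14b77a30 fffff802`5fb614a4 : fffff802`5fb65340 ffffc90a`8305b000 ffffc90a`87528590 ffffc90a`86a16360 : TSFairShare!I_CompletePendedIo+0xab
"""

# Constructed trace (made-up addresses) with no Parity or TSFairShare frames.
OTHER_TRACE = """STACK_TEXT:
ffffa000`11111110 fffff800`22222220 : 00000000`00000001 00000000`00000002 00000000`00000003 00000000`00000004 : nt!KeBugCheckEx
ffffa000`11111150 fffff800`22222260 : 00000000`00000001 00000000`00000002 00000000`00000003 00000000`00000004 : FLTMGR!FltpPerformPreCallbacks+0x2ea
"""

if __name__ == "__main__":
    print(triage(ARTICLE_TRACE, "8.0.0.2562"))
    print(triage(OTHER_TRACE, "8.0.0.2562"))
```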

Cause

This is an interoperability issue between the "Parity.sys" driver and the "TSFairShare.sys" driver, which is part of terminal services.

 

Resolution

  • The permanent solution is to upgrade the CB Protection server and agents to a version higher than 8.0.0.2562 (8.0 patch 6)
  • The temporary workaround is to disable the Ransomware Protection Rapid Config, or to apply it only to specific policies that contain no RDS or VDI servers, until the agents are upgraded