Crash with Bug Check 0xC8 after installing Endpoint Protection client with Firewall

Article ID: 164146

Products

Endpoint Protection

Issue/Introduction

A Windows 10 system with a Killer Wireless 1535 Wireless Network Adapter crashes with a Bug Check 0xC8 (IRQL_UNEXPECTED_VALUE) after installing a Symantec Endpoint Protection (SEP) 12.1 or 14 client with the Firewall component.

BugCheck C8, {0, 2, 0, 0}

Sample STACK_TEXT:

nt!KeBugCheckEx
nt! ?? ::FNODOBFM::`string'+0x34a8e
ndis!ndisExpandStack+0x19
ndis!ndisInvokeNextReceiveHandler+0xd0
ndis!ndisFilterIndicateReceiveNetBufferLists+0x21c12
ndis!NdisFIndicateReceiveNetBufferLists+0x54
Teefer
Teefer
Teefer
nt!PspSystemThreadStartup+0x41
nt!KiStartSystemThread+0x16

Cause

In one thread, while a Net Buffer List (NBL) is being passed to Microsoft's NDIS stack, the NDIS 6 filter driver teefer.sys (our Symantec CMC Firewall Teefer3 driver) is injected and passes on the original NBL's IRQL, which is PASSIVE_LEVEL. At the same time, in another thread, bwcW10x64.sys (Killer Wireless' Bandwidth Control driver) changes the IRQL from PASSIVE_LEVEL to DISPATCH_LEVEL. Because it fails to restore the IRQL to the original NBL's PASSIVE_LEVEL, the operating system detects an unexpected IRQL change and crashes the system to prevent further disruption.

Environment

SEP 12.1 RU6 MP5, 12.1 RU6 MP6, 12.1 RU6 MP7, 14

Resolution

Killer Networking has released a fixed software version, 1.1.67.1763, which can be downloaded from http://www.killernetworking.com/driver-downloads/item/e2200-e2400-wireless.

If you can't upgrade immediately, there are currently two possible workarounds:

  • Unbind “Killer Bandwidth Control” from the Killer Wireless 1535 Wireless Network Adapter, which prevents bwcW10x64.sys (Killer Wireless' Bandwidth Control driver) from being loaded and unexpectedly changing the IRQL.
  • Install the SEP 12.1 or SEP 14 client without the Firewall component and use the built-in Windows 10 firewall.
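
The first workaround can be scripted from an elevated PowerShell prompt. The following is an added example, not part of the original article or vendor tooling; the adapter description pattern and the binding display name are assumptions taken from the wording above and should be checked against what Get-NetAdapterBinding reports on the affected machine.

```powershell
#Requires -RunAsAdministrator
# Added example: unbind the Killer Bandwidth Control filter from the affected adapter.
# Assumptions: $AdapterPattern and $BindingName are derived from the article text;
# confirm both with Get-NetAdapter / Get-NetAdapterBinding before relying on them.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$AdapterPattern = '*Killer Wireless*1535*',
    [string]$BindingName    = 'Killer Bandwidth Control'
)

$adapters = Get-NetAdapter | Where-Object InterfaceDescription -like $AdapterPattern
if (-not $adapters) {
    Write-Warning "No network adapter matches '$AdapterPattern'."
    return
}

foreach ($nic in $adapters) {
    # Look up the filter binding by its display name on this adapter only.
    $binding = Get-NetAdapterBinding -Name $nic.Name -DisplayName $BindingName `
                   -ErrorAction SilentlyContinue
    if (-not $binding) {
        Write-Output "$($nic.Name): '$BindingName' is not bound to this adapter."
        continue
    }

    # Only touch the binding if it is currently enabled; honours -WhatIf / -Confirm.
    if ($binding.Enabled -and $PSCmdlet.ShouldProcess($nic.Name, "Unbind '$BindingName'")) {
        Disable-NetAdapterBinding -Name $nic.Name -DisplayName $BindingName
    }

    # Re-read the binding so the reported state reflects what is actually configured.
    Get-NetAdapterBinding -Name $nic.Name -DisplayName $BindingName |
        Select-Object Name, DisplayName, ComponentID, Enabled
}

# Report whether the bandwidth control driver named in the article is still running.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object PathName -like '*bwcW10x64.sys' |
    Select-Object Name, State, PathName
```

Run it with -WhatIf first to see which adapter would be changed; Enable-NetAdapterBinding with the same -Name and -DisplayName reverses the change once the fixed Killer software is installed.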