Server 2008 x64 crashing
in [Windows Servers]
|
From: "Gregg Hill" greggmhill at please do not spam me at yahoo dot on 26 Nov 2009 12:56 I just heard back from Trend. The scan engine 9.000.1003 that was released 11/17/09 had the crash problem. They now have 9.100.1001 that is the fix for that problem. Gregg Hill "Zachary" <zdundore(a)agraind.com> wrote in message news:OyPcrgUaKHA.1592(a)TK2MSFTNGP06.phx.gbl... > I contacted Trend Micro and we rolled back the trend micro scan engine and > we are monitoring the situation. > > "Zachary" <zdundore(a)agraind.com> wrote in message > news:uO0zLaTaKHA.428(a)TK2MSFTNGP06.phx.gbl... >> Here is my crash analysis: >> >> Microsoft (R) Windows Debugger Version 6.11.0001.404 X86 >> Copyright (c) Microsoft Corporation. All rights reserved. >> >> >> Loading Dump File [C:\Temp\AGRADC2-926-Crash.DMP] >> Kernel Summary Dump File: Only kernel address space is available >> >> WARNING: Inaccessible path: 'D:\I386' >> Symbol search path is: >> SRV*c:\temp\symbolstore*http://msdl.microsoft.com/download/symbols >> Executable search path is: D:\I386 >> Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP >> (8 procs) Free x64 >> Product: LanManNt, suite: TerminalServer SingleUserTS >> Built by: 6001.18304.amd64fre.vistasp1_gdr.090805-0102 >> Machine Name: >> Kernel base = 0xfffff800`01a06000 PsLoadedModuleList = >> 0xfffff800`01bcbdb0 >> Debug session time: Thu Nov 19 09:26:47.649 2009 (GMT-6) >> System Uptime: 0 days 1:20:02.331 >> Loading Kernel Symbols >> ............................................................... >> ................................................................ >> ................. >> Loading User Symbols >> PEB is paged out (Peb.Ldr = 000007ff`fffd5018). Type ".hh dbgerr001" for >> details >> Loading unloaded module list >> ............. >> ******************************************************************************* >> * * >> * Bugcheck Analysis * >> * * >> ******************************************************************************* >> >> Use !analyze -v to get detailed debugging information. >> >> BugCheck 3B, {c0000005, fffffa6008b18726, fffffa600bbc4b30, 0} >> >> *** ERROR: Symbol file could not be found. Defaulted to export symbols >> for VSApiNt.sys - >> *** ERROR: Module load completed but symbols could not be loaded for >> TmXPFlt.sys >> Page c74fc not present in the dump file. Type ".hh dbgerr004" for details >> Page c7dea not present in the dump file. Type ".hh dbgerr004" for details >> PEB is paged out (Peb.Ldr = 000007ff`fffd5018). Type ".hh dbgerr001" for >> details >> PEB is paged out (Peb.Ldr = 000007ff`fffd5018). Type ".hh dbgerr001" for >> details >> Probably caused by : VSApiNt.sys ( VSApiNt!VSScanVirusInMemory+4eb6 ) >> >> Followup: MachineOwner >> --------- >> >> 1: kd> !analyze -v >> ******************************************************************************* >> * * >> * Bugcheck Analysis * >> * * >> ******************************************************************************* >> >> SYSTEM_SERVICE_EXCEPTION (3b) >> An exception happened while executing a system service routine. >> Arguments: >> Arg1: 00000000c0000005, Exception code that caused the bugcheck >> Arg2: fffffa6008b18726, Address of the exception record for the exception >> that caused the bugcheck >> Arg3: fffffa600bbc4b30, Address of the context record for the exception >> that caused the bugcheck >> Arg4: 0000000000000000, zero. >> >> Debugging Details: >> ------------------ >> >> Page c74fc not present in the dump file. Type ".hh dbgerr004" for details >> Page c7dea not present in the dump file. Type ".hh dbgerr004" for details >> PEB is paged out (Peb.Ldr = 000007ff`fffd5018). Type ".hh dbgerr001" for >> details >> PEB is paged out (Peb.Ldr = 000007ff`fffd5018). Type ".hh dbgerr001" for >> details >> >> EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" >> referenced memory at "0x%08lx". The memory could not be "%s". >> >> FAULTING_IP: >> VSApiNt!VSScanVirusInMemory+4eb6 >> fffffa60`08b18726 458b4820 mov r9d,dword ptr [r8+20h] >> >> CONTEXT: fffffa600bbc4b30 -- (.cxr 0xfffffa600bbc4b30) >> rax=fffff88016a84940 rbx=fffff88027e7d040 rcx=fffff880263c6520 >> rdx=0000000000000007 rsi=0000000000000030 rdi=0000000000000000 >> rip=fffffa6008b18726 rsp=fffffa600bbc5390 rbp=0000000000000007 >> r8=00000000876402c0 r9=fffffffff528975c r10=fffff8803113c036 >> r11=fffffa600bbc5380 r12=0000000000005389 r13=0000000000000030 >> r14=000000000030f000 r15=fffff88027e7d040 >> iopl=0 nv up ei pl zr na po nc >> cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246 >> VSApiNt!VSScanVirusInMemory+0x4eb6: >> fffffa60`08b18726 458b4820 mov r9d,dword ptr [r8+20h] >> ds:002b:00000000`876402e0=???????? >> Resetting default scope >> >> DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT >> >> BUGCHECK_STR: 0x3B >> >> PROCESS_NAME: Ntrtscan.exe >> >> CURRENT_IRQL: 0 >> >> LAST_CONTROL_TRANSFER: from fffffa6008b18a22 to fffffa6008b18726 >> >> STACK_TEXT: >> fffffa60`0bbc5390 fffffa60`08b18a22 : 00000000`00000001 fffff880`00000001 >> fffff880`00000000 fffffa60`0bbc5450 : VSApiNt!VSScanVirusInMemory+0x4eb6 >> fffffa60`0bbc5420 fffffa60`08b19a96 : fffff880`25e218a8 fffff880`27e7d040 >> 00000000`00000001 fffff880`27e7d040 : VSApiNt!VSScanVirusInMemory+0x51b2 >> fffffa60`0bbc5450 fffffa60`08b19c71 : 00000000`00000001 fffff880`171d7038 >> fffff880`171d7038 00000000`00000001 : VSApiNt!VSScanVirusInMemory+0x6226 >> fffffa60`0bbc5480 fffffa60`08b1a16e : fffff880`171d7038 fffff880`17b3a0c8 >> fffffa60`0bbc5580 00000000`00304329 : VSApiNt!VSScanVirusInMemory+0x6401 >> fffffa60`0bbc54c0 fffffa60`08b1b95f : fffff880`17b3a068 fffff880`0c45c6d0 >> 00000000`00304329 fffffa60`0bbc5580 : VSApiNt!VSScanVirusInMemory+0x68fe >> fffffa60`0bbc5540 fffffa60`08b1bb29 : 00000000`00000002 fffff880`27e7d040 >> fffff880`003041fb fffff880`27e7d040 : VSApiNt!VSScanVirusInMemory+0x80ef >> fffffa60`0bbc5570 fffffa60`08b1d4a2 : fffff880`0c45c6d0 fffff880`00304323 >> fffffa60`0bbc5620 72657355`00000001 : VSApiNt!VSScanVirusInMemory+0x82b9 >> fffffa60`0bbc55c0 fffffa60`08b14561 : fffff880`0cd59030 fffff880`17125030 >> fffff880`096fefa0 00000000`000000b3 : VSApiNt!VSScanVirusInMemory+0x9c32 >> fffffa60`0bbc55f0 fffffa60`08a4d4a3 : fffff880`27e7d040 fffff880`0cd59030 >> 00000000`0000024d fffffa60`08ae2887 : VSApiNt!VSScanVirusInMemory+0xcf1 >> fffffa60`0bbc5620 fffffa60`08a4c27d : 00000000`00000000 00000000`00000000 >> fffffa60`0bbc5718 00000000`0000177f : VSApiNt+0x3f4a3 >> fffffa60`0bbc56c0 fffffa60`08b9a44e : fffff880`00000000 fffffa80`00000001 >> fffff880`0c45c6d0 00000000`00002000 : VSApiNt+0x3e27d >> fffffa60`0bbc57c0 fffffa60`08859460 : fffff880`2ad8b048 fffffa80`145c3328 >> fffff880`2ad8b120 fffff880`0c45c6d0 : VSApiNt!VSVirusScanFileW+0x18e >> fffffa60`0bbc5840 fffffa60`0885a433 : fffffa80`00000001 fffffa80`145c3328 >> 00000000`00000000 fffffa60`0bbc5890 : TmXPFlt+0x1c460 >> fffffa60`0bbc5880 fffffa60`088527f1 : fffffa80`13798c10 00000000`048788d0 >> 00000000`ffffffff fffff880`001f0003 : TmXPFlt+0x1d433 >> fffffa60`0bbc5920 fffffa60`088586fb : 00000000`c00000bb fffffa60`0bbc59b8 >> fffffa60`0bbc59b0 fffffa60`0bbc5a30 : TmXPFlt+0x157f1 >> fffffa60`0bbc5960 fffffa60`0884122d : 00000000`00000000 fffffa60`0bbc5ca0 >> 00000000`00000001 fffffa80`100f8b00 : TmXPFlt+0x1b6fb >> fffffa60`0bbc5990 fffff800`01cdf4aa : fffffa80`13bc86b0 fffffa80`13bc86b0 >> 00000000`00000001 fffff880`263e2701 : TmXPFlt+0x422d >> fffffa60`0bbc59f0 fffff800`01cf8416 : 00000000`048787b8 00000000`000004e0 >> 00000000`00000000 00000000`04878850 : nt!IopXxxControlFile+0x5da >> fffffa60`0bbc5b40 fffff800`01a5a173 : fffffa80`145f0060 00000000`04878798 >> fffffa60`0bbc5bc8 00000000`000003e4 : nt!NtDeviceIoControlFile+0x56 >> fffffa60`0bbc5bb0 00000000`77415aea : 00000000`00000000 00000000`00000000 >> 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 >> 00000000`04878788 00000000`00000000 : 00000000`00000000 00000000`00000000 >> 00000000`00000000 00000000`00000000 : 0x77415aea >> >> >> FOLLOWUP_IP: >> VSApiNt!VSScanVirusInMemory+4eb6 >> fffffa60`08b18726 458b4820 mov r9d,dword ptr [r8+20h] >> >> SYMBOL_STACK_INDEX: 0 >> >> SYMBOL_NAME: VSApiNt!VSScanVirusInMemory+4eb6 >> >> FOLLOWUP_NAME: MachineOwner >> >> MODULE_NAME: VSApiNt >> >> IMAGE_NAME: VSApiNt.sys >> >> DEBUG_FLR_IMAGE_TIMESTAMP: 4ad30768 >> >> STACK_COMMAND: .cxr 0xfffffa600bbc4b30 ; kb >> >> FAILURE_BUCKET_ID: X64_0x3B_VSApiNt!VSScanVirusInMemory+4eb6 >> >> BUCKET_ID: X64_0x3B_VSApiNt!VSScanVirusInMemory+4eb6 >> >> Followup: MachineOwner >> --------- >> >> >> "Zachary" <zdundore(a)agraind.com> wrote in message >> news:uMJpCLTaKHA.5544(a)TK2MSFTNGP02.phx.gbl... >>>I have a 2008 server that has crashed 5 times this morning. The event >>>logs show nothing right before the crash to point me in the right >>>direction. All I have to go on is the Blue Screen. I am currently >>>downloading the symbols needed to analyze a server 2008 crash file. Once >>>I get that downloaded I might know more but I need some preliminary help >>>on this. To start I want to make everyone aware, no hardware changes >>>were made recently, no driver updates or installs were done recently, and >>>no windows updates were done recently. Here is the BSOD info: >>> >>> >>> >>> SYSTEM_SERVICE_EXCEPTION >>> >>> >>> >>> STOP: 0X0000003B (0x00000000C0000005, 0XFFFFFA6008B18726, >>> 0XFFFFFA600BBC4B30, 0x0000000000000000) >>> >>> >>> >>> VSApiNt.sys - Address FFFFFA6008B18726 base at FFFFFA6008A0E000, >>> DateStamp 4ad30768 >>> >>> >>> >>> Any help would be appreciated. >>> >>> >> >> > >
From: Pegasus [MVP] on 26 Nov 2009 14:10 "Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in message news:uG7gTHsbKHA.5656(a)TK2MSFTNGP04.phx.gbl... >I just heard back from Trend. The scan engine 9.000.1003 that was released >11/17/09 had the crash problem. They now have 9.100.1001 that is the fix >for that problem. > > Gregg Hill The sad bit is that exactly the same thing happened with Trend about five years ago. Their scan engine would cause a spontaneous reboot on SBS Servers (and perhaps others) whenever a certain "net use" command was executed, either from the console or in a batch file. The Trend engineers had known about the issue for several months but forgot to tell their own Help Desk . .. .
From: "Gregg Hill" greggmhill at please do not spam me at yahoo dot on 26 Nov 2009 18:49
I moved from Symantec to Trend around that time because of their new version causing so many BSODs. Everyone has problems, I guess. The bummer is that I love the features of Trend, but they REALLY need to work on their catch rates. With the newer versions, having URL filtering and Web Reputation enabled should keep them away from bad guys. However, for those too-new-to-be-listed sites, I still recommend a WatchGuard firewall to my clients. AV's inability to detect new threats is precisely why I like my WatchGuard that won't let the executable through in the first place, whether from HTTP, HTTPS, FTP, or SMTP traffic. The way I look at it, letting it in via the front door, then tackling it and inspecting it, hoping that you are better at recognition than the bad guy is at hiding, is not as good as looking through the peephole, seeing it is executable, flipping the trap door, and dropping it. I have my WatchGuard set up to allow executables from Microsoft and Trend Micro (after virus scan from the WG), maybe one or two others, but only to certain IP addresses, mainly servers. I have bypass passwords that allow managers to download truly needed executables from sites where they expect the file but where I don't globally trust the site, and even then, they still go through the virus scan of the WG (it uses AVG). Of course, I also have Trend WFBS installed on all computers for threats from other sources. The best of both worlds! That is, IF I can convince my clients to buy the firewall. Gregg Hill "Pegasus [MVP]" <news(a)microsoft.com> wrote in message news:#XNTswsbKHA.2184(a)TK2MSFTNGP04.phx.gbl... > > "Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote > in message news:uG7gTHsbKHA.5656(a)TK2MSFTNGP04.phx.gbl... >>I just heard back from Trend. The scan engine 9.000.1003 that was released >>11/17/09 had the crash problem. They now have 9.100.1001 that is the fix >>for that problem. >> >> Gregg Hill > > The sad bit is that exactly the same thing happened with Trend about five > years ago. Their scan engine would cause a spontaneous reboot on SBS > Servers (and perhaps others) whenever a certain "net use" command was > executed, either from the console or in a batch file. The Trend engineers > had known about the issue for several months but forgot to tell their own > Help Desk . . . > |