
Windows XP blue screens

Starting sometime this past Friday our organization has started having multiple Windows XP sp3 workstations running Sophos Endpoint 10 go to blue screen with the wonderfully generic 7E code.  We are pretty new to Sophos within the past few weeks, and I am not blaming Sophos at this point but it is a bit of a coincidence to have so many issues with machines which have all been stable for years.

Has anyone else started having this issue recently?

:36173


This thread was automatically locked due to age.
  • Hi,

    I can't say I've seen it.  The first thing I would do would be to configure the computer to create a full memory dump.

    To do so:

    1. Right-click the My computer icon and select Properties. 

    2. Go to the Advanced tab, and click Settings under Startup and Recovery.
    3. Select Complete memory dump under Write debugging information.
         If Complete memory dump option is unavailable see the MS article 254649.

    Next time it happens, copy off memory.dmp (location is defined in the dialog above, typically it is: %systemroot%\MEMORY.DMP).

    Maybe try and reproduce it a couple of times to get a couple of dmp files.  This will be good to ensure the computer crashes for the same reason.

    Then I would install WinDbg:

    http://msdn.microsoft.com/en-us/windows/hardware/gg463009.aspx

    Open the crash dump and run:

    !analyze -v

    This command will give you a basic automated analysis of the dump file and give you a suggestion as to which driver/module it suspects has caused the problem.  Based on this, you can then typically look to disable/update the named drivers/module, etc.

    This is worth doing as Support will require the full memory dump as a minimum for such a case.  They will ask you to upload it to their FTP server so having it at hand will speed up the case.

    Feel free to post the output of "!analyze -v" here if you like.

    Hope it helps.

    Regards,

    Jak

    :36175
  • Hi there,

    Is/was there any solution for this issue?

    Did you troubleshoot this further?

    A new customer of ours is just doing the roll-out of Sophos Endpoint Security and he is experiencing this Blue Screen after the client was pushed 10-15 min before. After a reboot, the client shows the Blue Screen again after 10-15 minutes.

    Would be great if you can post me your solution for solving this issue.

    kind regards

    Frank-Michael

    :46029
  • Hi,

    They should be treated as different issues.  There are plenty of causes for a BSOD.

    Did you follow the above steps?  

    Do you have a full memory dump file or even a minidump to get started?

    Regards,

    Jak

    :46033
  • Hi Jak,

    I have several dump files; after a short analysis I receive the following output from the Windows Debugging Tool:

    0: kd> ! analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: e315a000, memory referenced.
    Arg2: 00000000, value 0 = read operation, 1 = write operation.
    Arg3: b9da8031, If non-zero, the instruction address which referenced the bad memory
    	address.
    Arg4: 00000001, (reserved)
    
    Debugging Details:
    ------------------
    
    Unable to load image DPAccCtl.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for DPAccCtl.sys
    *** ERROR: Module load completed but symbols could not be loaded for DPAccCtl.sys
    
    Could not read faulting driver name
    Unable to load image \SystemRoot\system32\DRIVERS\savonaccesscontrol.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for savonaccesscontrol.sys
    *** ERROR: Module load completed but symbols could not be loaded for savonaccesscontrol.sys
    *** WARNING: Unable to verify timestamp for savonaccessfilter.sys
    *** ERROR: Module load completed but symbols could not be loaded for savonaccessfilter.sys
    
    READ_ADDRESS:  e315a000 
    
    FAULTING_IP: 
    DPAccCtl+b031
    b9da8031 ??              ???
    
    MM_INTERNAL_CODE:  1
    
    CUSTOMER_CRASH_COUNT:  7
    
    DEFAULT_BUCKET_ID:  COMMON_SYSTEM_FAULT
    
    BUGCHECK_STR:  0x50
    
    TRAP_FRAME:  950fe454 -- (.trap 0xffffffff950fe454)
    ErrCode = 00000000
    eax=00007df7 ebx=950fe514 ecx=00007ff4 edx=89094000 esi=e314a3bc edi=e314a412
    eip=b9da8031 esp=950fe4c8 ebp=950fe4d0 iopl=0         nv up ei ng nz na pe cy
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010287
    DPAccCtl+0xb031:
    b9da8031 ??              ???
    Resetting default scope
    
    LAST_CONTROL_TRANSFER:  from 80520482 to 804f9fa3
    
    STACK_TEXT:  
    950fe3d4 80520482 00000050 e315a000 00000000 nt!KeBugCheckEx+0x1b
    950fe43c 8054475c 00000000 e315a000 00000000 nt!MmAccessFault+0x9aa
    950fe43c b9da8031 00000000 e315a000 00000000 nt!KiTrap0E+0xd0
    WARNING: Stack unwind information not available. Following frames may be wrong.
    950fe4c4 e314a3bc e1f34d38 950fe4f0 b9da81be DPAccCtl+0xb031
    950fe4d0 b9da81be 00007ff4 89094000 e314a3bc 0xe314a3bc
    950fe4f0 b9da0456 00000000 e314a3bc 950fe514 DPAccCtl+0xb1be
    950fe53c b9d9e31b 896fe1b4 950fe5cc 89867b50 DPAccCtl+0x3456
    950fe588 b9dad754 896fe1b4 950fe5cc 950fe5a8 DPAccCtl+0x131b
    950fe5ac b9db4888 896fe1b4 950fe5cc 950fe5fc DPAccCtl+0x10754
    950fe60c b9db62a0 000fe650 896fe158 891ce1d4 fltMgr!FltpPerformPreCallbacks+0x2d4
    950fe620 b9dc3217 950fe650 b9dc16aa 00000000 fltMgr!FltpPassThroughInternal+0x32
    950fe638 b9dc3742 950fe650 89800168 891ce150 fltMgr!FltpCreateInternal+0x63
    950fe66c 804ef1f9 8986cee8 891ce140 891ce140 fltMgr!FltpCreate+0x258
    950fe67c 80583232 89965018 8912f364 950fe814 nt!IopfCallDriver+0x31
    950fe75c 805bf4bc 89965030 00000000 8912f2c0 nt!IopParseDevice+0xa12
    950fe7d4 805bba48 00000000 950fe814 00000240 nt!ObpLookupObjectName+0x53c
    950fe828 80576051 00000000 00000000 1c001c00 nt!ObOpenObjectByName+0xea
    950fe8a4 80576a3e 950fe958 00000001 950fe938 nt!IopCreateFile+0x407
    950fe8ec 95a320f9 950fe958 00000001 950fe938 nt!IoCreateFileSpecifyDeviceObjectHint+0x52
    950fe95c 95a32968 e2746320 8986cee8 00000001 savonaccesscontrol+0x120f9
    950fe9e0 95a33c9d e30f7f40 00000000 00000000 savonaccesscontrol+0x12968
    950fe9f4 95a34024 e30f7f40 890c1008 890c10c0 savonaccesscontrol+0x13c9d
    950fea18 95a34301 897ea580 890c1018 897ea580 savonaccesscontrol+0x14024
    950fea48 969a4e18 897ea580 890c1008 896f34f0 savonaccesscontrol+0x14301
    950fea5c 804ef1f9 897ea580 890c1008 890c1008 savonaccessfilter+0x2e18
    950fea6c 80583232 89965018 891d5b0c 950fec04 nt!IopfCallDriver+0x31
    950feb4c 805bf4bc 89965030 00000000 891d5a68 nt!IopParseDevice+0xa12
    950febc4 805bba48 00000000 950fec04 00000040 nt!ObpLookupObjectName+0x53c
    950fec18 80576051 00000000 00000000 1937f801 nt!ObOpenObjectByName+0xea
    950fec94 805769c8 0012df7c 00100001 0012df24 nt!IopCreateFile+0x407
    950fecf0 805790d2 0012df7c 00100001 0012df24 nt!IoCreateFile+0x8e
    950fed30 805417e8 0012df7c 00100001 0012df24 nt!NtCreateFile+0x30
    950fed30 7c91e514 0012df7c 00100001 0012df24 nt!KiSystemServicePostCall
    0012df44 00000000 00000000 00000000 00000000 0x7c91e514
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    DPAccCtl+b031
    b9da8031 ??              ???
    
    SYMBOL_STACK_INDEX:  3
    
    SYMBOL_NAME:  DPAccCtl+b031
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: DPAccCtl
    
    IMAGE_NAME:  DPAccCtl.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4ee7070f
    
    FAILURE_BUCKET_ID:  0x50_DPAccCtl+b031
    
    BUCKET_ID:  0x50_DPAccCtl+b031
    
    Followup: MachineOwner
    ---------
    
    

    Does this information help you troubleshoot this?

    thanks and kind regards

    Frank-Michael

    :46035
  • Hello Frank-Michael,

    I see DPAccCtl.sys, which is according to Microsoft a minifilter ("Security Enhancer") from EgoSecure/cynapspro. Which product do you have installed?

    Guess you should give Support a call as there seems to be some incompatibility.

    Christian

    :46039
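The stack reading described in the replies above, as an added example that is not code from any poster or from Sophos: a small parser that pulls the bugcheck, the blamed image and every non-Windows module out of `!analyze -v` text, in stack order. The names `triage` and `OS_MODULES` are hypothetical, and the sample is abridged from the output posted in this thread.

```python
import re

# Abridged from the "!analyze -v" output posted in this thread (sample input).
SAMPLE = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: e315a000, memory referenced.
STACK_TEXT:
950fe3d4 80520482 00000050 e315a000 00000000 nt!KeBugCheckEx+0x1b
950fe43c b9da8031 00000000 e315a000 00000000 nt!KiTrap0E+0xd0
WARNING: Stack unwind information not available. Following frames may be wrong.
950fe4c4 e314a3bc e1f34d38 950fe4f0 b9da81be DPAccCtl+0xb031
950fe4d0 b9da81be 00007ff4 89094000 e314a3bc 0xe314a3bc
950fe60c b9db62a0 000fe650 896fe158 891ce1d4 fltMgr!FltpPerformPreCallbacks+0x2d4
950fe67c 80583232 89965018 8912f364 950fe814 nt!IopfCallDriver+0x31
950fe95c 95a32968 e2746320 8986cee8 00000001 savonaccesscontrol+0x120f9
950fea5c 804ef1f9 897ea580 890c1008 890c1008 savonaccessfilter+0x2e18
950fed30 805417e8 0012df7c 00100001 0012df24 nt!NtCreateFile+0x30

IMAGE_NAME:  DPAccCtl.sys
"""

# Assumption: modules counted as Windows components for this triage.
OS_MODULES = {"nt", "hal", "fltmgr"}
# Frame = ChildEBP, RetAddr, three args, then module!symbol or module+offset.
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}([A-Za-z_]\w*)[!+]", re.I)

def triage(text):
    """Return bugcheck, blamed image and non-OS modules in stack order."""
    bug = re.search(r"^\s*([A-Z_0-9]+) \(([0-9a-f]+)\)\s*$", text, re.M | re.I)
    image = re.search(r"^\s*IMAGE_NAME:\s*(\S+)", text, re.M)
    modules, in_stack = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack and not line:
            break  # a blank line ends the stack listing
        elif in_stack:
            m = FRAME.match(line)
            if m and m.group(1).lower() not in OS_MODULES and m.group(1) not in modules:
                modules.append(m.group(1))
    return {
        "bugcheck": (bug.group(1), int(bug.group(2), 16)) if bug else None,
        "image": image.group(1) if image else None,
        "non_os_modules": modules,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The module list shows both vendors' file-system filter drivers in the same create request, with DPAccCtl nearest the fault, which is worth having at hand when opening the support case.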
  • Hi Christian,

    thanks for that hint. You are right about EgoSecure; we are going to uninstall this product and will try a new roll-out again tomorrow.

    best regards

    Frank-Michael

    :46043
  • Hello Frank-Michael,

    the competitor removal tool (crt, or tps in the UTM and Cloud incarnation) should detect installed security products and if possible attempt to uninstall them. If not possible or if the uninstall fails the Sophos install sequence is aborted.

    Looking at the List of third-party security software removed by Sophos Endpoint Security and Control I can't find EgoSecure among them. Linked from this article is Sophos Competitor Removal Tool: significant files and information which also contains a paragraph on Requesting updates to the CRT.

    Christian

    :46049