'Blue Screen' Error Caused by Symantec AntiVirus Clash with VMware


If you're running VMware and update your Symantec AntiVirus Corporate Edition, you may be heading for a "Blue Screen" crash -- i.e., a bug check error, value of 0x0000008 (otherwise known as a Stop8 error), in Windows Server 2003.

In a statement e-mailed to this site today, a Symantec spokesperson verified that the company is "working closely" with VMware in identifying "a potential compatibility issue between Symantec AntiVirus and some versions of VMware." According to Symantec, the issue is affecting a "very small" number of users.

The spokesperson said that the company can't verify at this time exactly which versions of AntiVirus may be involved in the error, but it is "working to identify the cause of the issue and ensure that it does not happen again." Customers who encounter the error are encouraged to contact Symantec support.

The issue came to light yesterday due to a blog post (since removed) on Microsoft's Ask the Core Team blog. Below is the original post in its entirety:

Our team is seeing a number of customers calling in with Bluescreen Stop 0x8E errors after an update to Symantec Antivirus 10.

For example: BugCheck 8E, {c0000005, f4a0e223, f55bf76c, 0}

Debug output will vary but is typically:

    BUG CHECK DATA - Q103059
    ------------------------------------------------------------
    STOP: 0x0000008e 0xc0000005 0xf4a0e223 0xf55bf76c 0x00000000

STACK

    STACK_TEXT:
    f642633c 8085b4af 0000008e c0000005 f5148223 nt!KeBugCheckEx+0x1b
    f6426700 808357a4 f642671c 00000000 f6426770 nt!KiDispatchException+0x3a2
    f6426768 80835758 f64267e4 f5148223 badb0d00 nt!CommonDispatchException+0x4a
    f6426780 8089c27a 863cf008 e53e74d0 e1fa5008 nt!KiExceptionExit+0x186
    f64267e4 f6e7d4ff f6eaafb8 e5330428 e2c95755 nt!ExFreePoolWithTag+0x277
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f6426814 f6e7ddb6 f6426840 f642683c f642684c savrt+0x234ff
    00000000 00000000 00000000 00000000 00000000 savrt+0x23db6

After setting the trap frame, the stack and registers will normally appear as:

    eax=75100824 ebx=e53e74d0 ecx=f50f7400 edx=e2c95755 esi=e5330428 edi=f642683c
    eip=f5148223 esp=f64267e4 ebp=f64267e4 iopl=0 nv up ei pl nz na pe nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
    navex15+0x51223:
    f5148223 8138dedaaeab cmp dword ptr [eax],0ABAEDADEh ds:0023:75100824=????????

    *** Stack trace for last set context - .thread/.cxr resets it
    ChildEBP RetAddr Args to Child
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f64267e4 f6e7d4ff f6eaafb8 e5330428 e2c95755 navex15+0x51223
    f6426814 f6e7ddb6 f6426840 f642683c f642684c savrt+0x234ff
    00000000 00000000 00000000 00000000 00000000 savrt+0x23db6

At this point, we believe the system is crashing due to a version mismatch between an updated version of Navex15 and older versions of Savrt and symevent.

    Image name: navex15.sys
    Timestamp: Mon Feb 11 13:41:31 2008 (47B0A4EB)
    Image name: SYMEVENT.SYS
    Timestamp: Tue Apr 18 19:16:26 2006 (4445815A)
    Image name: savrt.sys
    Timestamp: Mon Dec 19 22:24:48 2005 (43A78790)

The versions listed for Symevent and Savrt may be different than the ones listed, but so far they have all been at least a year older than Navex15.sys.

Customers should contact Symantec for support. As a workaround, we can try the following:

WORKAROUND

Uninstall Symantec Antivirus 10 and then reinstall the updated version. This should put the correct version of files in place.
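
The quoted post bases its diagnosis on the build timestamps of the three drivers. The following Python is an added example, not part of the original post or of any Symantec or Microsoft tool: it parses the "Image name / Timestamp" pairs from the debugger output shown above and reports which drivers were built at least a year before navex15.sys. The function names and the 365-day threshold are assumptions taken from the post's "at least a year older" remark.

```python
import re
from datetime import datetime, timezone

# Module listing quoted in the post, one field per line.
SAMPLE = """\
Image name: navex15.sys
Timestamp: Mon Feb 11 13:41:31 2008 (47B0A4EB)
Image name: SYMEVENT.SYS
Timestamp: Tue Apr 18 19:16:26 2006 (4445815A)
Image name: savrt.sys
Timestamp: Mon Dec 19 22:24:48 2005 (43A78790)
"""

# The 8 hex digits in parentheses are the image's link time in seconds since
# 1970-01-01 UTC; the printed date is in the debugger host's local time zone,
# so only the hex value is parsed.
MODULE = re.compile(r"Image name:\s*(\S+)\s+Timestamp:[^()\n]*\(([0-9A-Fa-f]{8})\)")


def parse_modules(text):
    """Return {lower-cased image name: link time as an aware UTC datetime}."""
    return {
        name.lower(): datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc)
        for name, stamp in MODULE.findall(text)
    }


def stale_companions(modules, reference="navex15.sys", max_skew_days=365):
    """Return {image: whole days older than the reference} for each image
    built at least max_skew_days (assumed threshold) before the reference."""
    if reference not in modules:
        raise KeyError(f"{reference} not found in module listing")
    ref_time = modules[reference]
    skew = {n: (ref_time - t).days for n, t in modules.items() if n != reference}
    return {n: d for n, d in skew.items() if d >= max_skew_days}


if __name__ == "__main__":
    for image, days in stale_companions(parse_modules(SAMPLE)).items():
        print(f"{image}: built {days} days before navex15.sys")
```

The same functions accept the listing when it has been pasted as a single line, since the pattern only requires whitespace between the fields.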
