News

UPDATED: 'Blue Screen' Error Caused by Symantec AntiVirus Clash with VMware

• By Becky Nagel
• 02/26/2008

In a statement e-mailed to this site today, a Symantec spokesperson verified that the company is "working closely" with VMware in identifying "a potential compatibility issue between Symantec AntiVirus and some versions of VMware." According to Symantec, the issue is affecting a "very small" number of users.

The spokesperson said that the company can't verify at this time exactly which versions of AntiVirus may be involved in the error, but it is "working to identify the cause of the issue and ensure that it does not happen again." Customers who encounter the error are encouraged to contact Symantec support.

The issue came to light yesterday due to a blog post (since removed) on Microsoft's Ask the Core Team blog. Below is the original post in its entirety:

Our team is seeing a number of customers calling in with Bluescreen Stop 0x8E errors after an update to Symantec Antivirus 10.

For example: BugCheck 8E, {c0000005, f4a0e223, f55bf76c, 0}

Debug output will vary but is typically:

BUG CHECK DATA - Q103059 ------------------------------------------------------------ STOP: 0x0000008e 0xc0000005 0xf4a0e223 0xf55bf76c 0x00000000

STACK

STACK_TEXT: f642633c 8085b4af 0000008e c0000005 f5148223 nt!KeBugCheckEx+0x1b f6426700 808357a4 f642671c 00000000 f6426770 nt!KiDispatchException+0x3a2 f6426768 80835758 f64267e4 f5148223 badb0d00 nt!CommonDispatchException+0x4a f6426780 8089c27a 863cf008 e53e74d0 e1fa5008 nt!KiExceptionExit+0x186 f64267e4 f6e7d4ff f6eaafb8 e5330428 e2c95755 nt!ExFreePoolWithTag+0x277 WARNING: Stack unwind information not available. Following frames may be wrong. f6426814 f6e7ddb6 f6426840 f642683c f642684c savrt+0x234ff 00000000 00000000 00000000 00000000 00000000 savrt+0x23db6

After setting the trap frame, the stack and registers will normally appear as

eax=75100824 ebx=e53e74d0 ecx=f50f7400 edx=e2c95755 esi=e5330428 edi=f642683c eip=f5148223 esp=f64267e4 ebp=f64267e4 iopl=0 nv up ei pl nz na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206 navex15+0x51223: f5148223 8138dedaaeab cmp dword ptr [eax],0ABAEDADEh ds:0023:75100824=????????

*** Stack trace for last set context - .thread/.cxr resets it ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. f64267e4 f6e7d4ff f6eaafb8 e5330428 e2c95755 navex15+0x51223 f6426814 f6e7ddb6 f6426840 f642683c f642684c savrt+0x234ff 00000000 00000000 00000000 00000000 00000000 savrt+0x23db6

At this point, we believe the system is crashing due to a version mismatch between an updated version of Navex15 and older versions of Savrt and symevent.

Image name: navex15.sys Timestamp: Mon Feb 11 13:41:31 2008 (47B0A4EB) Image name: SYMEVENT.SYS Timestamp: Tue Apr 18 19:16:26 2006 (4445815A) Image name: savrt.sys Timestamp: Mon Dec 19 22:24:48 2005 (43A78790)

The versions listed for Symevent and Savrt may be different than the ones listed, but so far they have all been at least a year older than Navex15.sys.

Customers should contact Symantec for support. As a workaround we can try the following

WORKAROUND

Uninstall Symantec Antivirus 10 and then reinstall the updated version. This should put the correct version of files in place.

MORE INFORMATION ABOUT BLUESCREEN STOP 8E

Bug Check 0x8E: KERNEL_MODE_EXCEPTION_NOT_HANDLED The KERNEL_MODE_EXCEPTION_NOT_HANDLED bug check has a value of 0x0000008E, and is a very common bug check. This bug check indicates that a kernel-mode application generated an exception that the error handler did not catch.

Parameters The following parameters appear on the blue screen.

Parameter Description 1 The exception code that was not handled 2 The address where the exception occurred 3 The trap frame 4 Reserved

For example: BugCheck 8E, {c0000005, f4a0e223, f55bf76c, 0}

The KERNEL_MODE_EXCEPTION_NOT_HANDLED bug check is a very common bug check. To interpret it, you must identify which exception was generated.

The exception code in the navex15.sys case is c0000005, this indicates that a memory access violation occurred.

Parameters 2, 3, and 4 (f4a0e223, f55bf76c, 0) in the above example) will vary.

AUTHOR: Robert Simpkins TECHNICAL LEAD ENTERPRISE PLATFORMS SUPPORT CORE

The above post was replaced yesterday with a shorter version that did not name the vendors, had fewer technical details and no workaround. As of this afternoon, the post is gone completely from the blog.

Microsoft refused to comment on the blog post's modification and removal, and yesterday refused to identify the vendor(s) involved (despite Symantec's name being in the blog post's URL). After this site e-mailed a spokesperson a copy of the original post today, the company issued the following statement: "The A/V issue initially reported on the blog was specifically with Symantec 10, and we're pleased that Symantec is investigating the issue further and will continue to work with Symantec to provide any assistance they need to resolve this."

Symantec said it was not aware of the original post and did not ask for it to be removed.

This site contacted VMware for a statement regarding the error and exactly what versions of VMware may be affected, but company representatives were traveling and could not be reached by press time.

We will update this story when information is provided.