Stop 0x8E errors after updating Symantec Antivirus 10
We are seeing cases with a Stop 0x8E errors after an update to Symantec Antivirus 10.
Prior to setting the trap frame the stack will normally look like
STACK_TEXT:
f642633c 8085b4af 0000008e c0000005 f5148223 nt!KeBugCheckEx+0x1b f6426700 808357a4 f642671c 00000000 f6426770 nt!KiDispatchException+0x3a2
f6426768 80835758 f64267e4 f5148223 badb0d00 nt!CommonDispatchException+0x4a f6426780 8089c27a 863cf008 e53e74d0 e1fa5008 nt!KiExceptionExit+0x186
f64267e4 f6e7d4ff f6eaafb8 e5330428 e2c95755 nt!ExFreePoolWithTag+0x277
WARNING: Stack unwind information not available. Following frames may be wrong.
f6426814 f6e7ddb6 f6426840 f642683c f642684c savrt+0x234ff 00000000 00000000 00000000 00000000 00000000 savrt+0x23db6
After setting the trap frame, the stack and registers will normally look like
eax=75100824 ebx=e53e74d0 ecx=f50f7400 edx=e2c95755 esi=e5330428 edi=f642683c
eip=f5148223 esp=f64267e4 ebp=f64267e4 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
navex15+0x51223:
f5148223 8138dedaaeab cmp dword ptr [eax],0ABAEDADEh ds:0023:75100824=????????
*** Stack trace for last set context - .thread/.cxr resets it ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
f64267e4 f6e7d4ff f6eaafb8 e5330428 e2c95755 navex15+0x51223
f6426814 f6e7ddb6 f6426840 f642683c f642684c savrt+0x234ff 00000000 00000000 00000000 00000000 00000000 savrt+0x23db6
At this point, we believe the system is crashing due to a version mismatch between an updated version of Navex15 and older versions of Savrt and symevent.
Image name: navex15.sys Timestamp: Mon Feb 11 13:41:31 2008 (47B0A4EB)
Image name: SYMEVENT.SYS Timestamp: Tue Apr 18 19:16:26 2006 (4445815A)
Image name: savrt.sys Timestamp: Mon Dec 19 22:24:48 2005 (43A78790)
The versions listed for Symevent and Savrt may be different than the ones listed, but so far they have all been at least a year older than Navex15.sys.
Customers should contact Symantec for support. As a workaround we can try the following
Have the customer uninstall Symantec Antivirus 10 and then reinstall the updated version.
This should hopefully put the correct version of files in place.
