2 of our computers got BSOD today after a Sophos product update has been installed yesterday.
Both machines are EAP.
The BSOD occoured about 1h after power on during a zoom video meeting session.
with or before the BSOD a minidump has been written at 9:41 caused by SophosSupport.sys
Bugcheck Analysis:
Microsoft (R) Windows Debugger Version 10.0.22549.1000 AMD64 Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [C:\Windows\MEMORY.DMP] Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available. Symbol search path is: srv* Executable search path is: Windows 10 Kernel Version 19041 MP (8 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Edition build lab: 19041.1.amd64fre.vb_release.191206-1406 Machine Name: Kernel base = 0xfffff805`47200000 PsLoadedModuleList = 0xfffff805`47e2a2d0 Debug session time: Fri Apr 8 09:41:40.278 2022 (UTC + 2:00) System Uptime: 0 days 1:31:30.254 Loading Kernel Symbols ............................................................... ...........Page 45ac19 not present in the dump file. Type ".hh dbgerr004" for details ..................................................... ................................................................ ................................................... Loading User Symbols PEB is paged out (Peb.Ldr = 00000095`a2082018). Type ".hh dbgerr001" for details Loading unloaded module list ............... For analysis of this file, run !analyze -v nt!KeBugCheckEx: fffff805`475f7620 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffab82`b1595eb0=0000000000000139 7: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* KERNEL_SECURITY_CHECK_FAILURE (139) A kernel component has corrupted a critical data structure. The corruption could potentially allow a malicious user to gain control of this machine. Arguments: Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove). Arg2: ffffab82b15961d0, Address of the trap frame for the exception that caused the BugCheck Arg3: ffffab82b1596128, Address of the exception record for the exception that caused the BugCheck Arg4: 0000000000000000, Reserved Debugging Details: ------------------ Unable to load image \SystemRoot\system32\DRIVERS\SophosIsolate.sys, Win32 error 0n2 Unable to load image \SystemRoot\system32\DRIVERS\SophosED.sys, Win32 error 0n2 KEY_VALUES_STRING: 1 Key : Analysis.CPU.mSec Value: 4249 Key : Analysis.DebugAnalysisManager Value: Create Key : Analysis.Elapsed.mSec Value: 22518 Key : Analysis.Init.CPU.mSec Value: 1561 Key : Analysis.Init.Elapsed.mSec Value: 26115 Key : Analysis.Memory.CommitPeak.Mb Value: 93 Key : FailFast.Name Value: CORRUPT_LIST_ENTRY Key : FailFast.Type Value: 3 Key : WER.OS.Branch Value: vb_release Key : WER.OS.Timestamp Value: 2019-12-06T14:06:00Z Key : WER.OS.Version Value: 10.0.19041.1 FILE_IN_CAB: MEMORY.DMP BUGCHECK_CODE: 139 BUGCHECK_P1: 3 BUGCHECK_P2: ffffab82b15961d0 BUGCHECK_P3: ffffab82b1596128 BUGCHECK_P4: 0 TRAP_FRAME: ffffab82b15961d0 -- (.trap 0xffffab82b15961d0) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=ffffd80ea89d2938 rbx=0000000000000000 rcx=0000000000000003 rdx=ffffd80eaabed150 rsi=0000000000000000 rdi=0000000000000000 rip=fffff80547532ad2 rsp=ffffab82b1596360 rbp=ffff948df8854500 r8=ffffab82b15963d0 r9=0000000000000001 r10=ffffd80ea89d2978 r11=0000000000010001 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei ng nz na po cy nt!FsRtlpOplockDequeueRH+0x3e: fffff805`47532ad2 cd29 int 29h Resetting default scope EXCEPTION_RECORD: ffffab82b1596128 -- (.exr 0xffffab82b1596128) ExceptionAddress: fffff80547532ad2 (nt!FsRtlpOplockDequeueRH+0x000000000000003e) ExceptionCode: c0000409 (Security check failure or stack buffer overrun) ExceptionFlags: 00000001 NumberParameters: 1 Parameter[0]: 0000000000000003 Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY BLACKBOXBSD: 1 (!blackboxbsd) BLACKBOXNTFS: 1 (!blackboxntfs) BLACKBOXPNP: 1 (!blackboxpnp) BLACKBOXWINLOGON: 1 PROCESS_NAME: SSPService.exe ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. EXCEPTION_CODE_STR: c0000409 EXCEPTION_PARAMETER1: 0000000000000003 EXCEPTION_STR: 0xc0000409 STACK_TEXT: ffffab82`b1595ea8 fffff805`47609569 : 00000000`00000139 00000000`00000003 ffffab82`b15961d0 ffffab82`b1596128 : nt!KeBugCheckEx ffffab82`b1595eb0 fffff805`47609990 : 00000000`00000000 00000000`00000000 00000000`00000001 ffffe2db`cc91d2c8 : nt!KiBugCheckDispatch+0x69 ffffab82`b1595ff0 fffff805`47607d23 : ffff948d`fb20e010 ffff948d`f46bc8b0 00000000`00000103 00000000`00000000 : nt!KiFastFailDispatch+0xd0 ffffab82`b15961d0 fffff805`47532ad2 : 0000a4a4`0000ffff 00000000`000000ff 00000000`00000000 ffff948d`f46bc8b0 : nt!KiRaiseSecurityCheckFailure+0x323 ffffab82`b1596360 fffff805`47574238 : ffff948d`f8854598 00000000`00000000 00000000`00000000 fffff805`4b34d000 : nt!FsRtlpOplockDequeueRH+0x3e ffffab82`b1596390 fffff805`4788b08b : 00000000`00000000 ffff948d`f46bcc98 ffffab82`b15965c8 ffff948d`00000001 : nt!FsRtlpRequestExclusiveOplock+0xb8 ffffab82`b1596460 fffff805`478fd691 : ffff948d`f8854598 fffff805`44de2334 ffff948d`f878f920 00000000`00000001 : nt!FsRtlpOplockFsctrlInternal+0x58b ffffab82`b1596500 fffff805`44e25406 : ffff948d`f878f990 ffff948d`f878f920 fffff805`4b2cb000 fffff805`44de2334 : nt!FsRtlOplockFsctrlEx+0x11 ffffab82`b1596540 fffff805`4b2bf982 : ffff948e`067f90f8 ffff948d`f8854598 00000000`00000001 00000000`00000001 : FLTMGR!FltOplockFsctrlEx+0xc6 ffffab82`b1596580 fffff805`4b2ad6bc : 00000000`00000001 00000000`00000001 ffff948e`067f90f8 00000000`00000000 : SophosIsolate+0x2f982 ffffab82`b15965c0 fffff805`4b2ad171 : 00000000`00000001 ffff948e`067f90f8 ffff948e`0a4a71e0 ffff948e`067f90f8 : SophosIsolate+0x1d6bc ffffab82`b1596600 fffff805`4b2a60c9 : 00000000`00000000 ffffab82`b15966c0 00000000`00000000 00000000`00000000 : SophosIsolate+0x1d171 ffffab82`b1596650 fffff805`4b2a4197 : ffffab82`b1596800 ffffab82`b1596800 ffff948e`067f9100 ffffab82`b1596800 : SophosIsolate+0x160c9 ffffab82`b15966f0 fffff805`474f8618 : ffffab82`b1596800 ffff948d`f503d080 ffff948d`00000000 ffff948e`067f9090 : SophosIsolate+0x14197 ffffab82`b1596720 fffff805`474f858d : fffff805`4b2a4170 ffffab82`b1596800 ffff948e`067f90f8 ffff948d`f8f6bdd0 : nt!KeExpandKernelStackAndCalloutInternal+0x78 ffffab82`b1596790 fffff805`4b2a3d89 : fffff805`4b0a19f0 fffff805`4b0a19f0 00000000`00000000 fffff805`47407805 : nt!KeExpandKernelStackAndCalloutEx+0x1d ffffab82`b15967d0 fffff805`44dd638c : ffff948e`067f9010 00000000`00000000 ffff948e`00000000 ffff948d`d34cb730 : SophosIsolate+0x13d89 ffffab82`b1596840 fffff805`44dd5fc5 : 00000000`00000000 ffff948e`0000000d ffff948e`06e0a500 00000000`00000000 : FLTMGR!FltpPerformPreCallbacksWorker+0x36c ffffab82`b1596960 fffff805`44dd4ce2 : ffffab82`b1598000 ffffab82`b1591000 00000000`00000000 ffffab82`b1596a70 : FLTMGR!FltpPassThroughInternal+0x265 ffffab82`b15969b0 fffff805`44e0aabf : 00000000`00000000 ffff948e`05487be8 00000000`00000000 ffff948d`cec33010 : FLTMGR!FltpPassThrough+0x5e2 ffffab82`b1596a40 fffff805`4748f835 : 00000000`000000a4 ffff948d`f46bc8b0 00000000`00000002 00000000`00000000 : FLTMGR!FltpFsControl+0xbf ffffab82`b1596aa0 fffff805`47877208 : ffff948d`f46bc8b0 00000000`00000000 00000000`00000000 fffff805`00000000 : nt!IofCallDriver+0x55 ffffab82`b1596ae0 fffff805`47877007 : ffffffff`00000000 ffffab82`b1596e20 00000000`00040000 ffffab82`b1596e20 : nt!IopSynchronousServiceTail+0x1a8 ffffab82`b1596b80 fffff805`478e4836 : ffffab82`b1597038 00000000`00000000 fffff805`4b0cf730 ffff948d`f8f6bf50 : nt!IopXxxControlFile+0xc67 ffffab82`b1596cc0 fffff805`47608fb5 : ffffab82`b1596e79 ffffab82`b1597038 00000000`00000000 00000000`00000000 : nt!NtFsControlFile+0x56 ffffab82`b1596d30 fffff805`475fb480 : fffff805`4b0cfe2c ffff948d`cec40a70 ffff948e`06e03538 ffff948d`cec40a70 : nt!KiSystemServiceCopyEnd+0x25 ffffab82`b1596f38 fffff805`4b0cfe2c : ffff948d`cec40a70 ffff948e`06e03538 ffff948d`cec40a70 fffff805`4b01f9d0 : nt!KiServiceLinkage ffffab82`b1596f40 fffff805`4b0cc18a : ffff948d`d5d74b50 ffff948e`06e034a0 ffffab82`b1590000 ffffab82`b1597208 : SophosED+0xcfe2c ffffab82`b15970e0 fffff805`4b073198 : ffff948d`cec40a70 ffff948e`04a1f230 00000000`0000004c ffff948e`056c7a01 : SophosED+0xcc18a ffffab82`b1597310 fffff805`4748f835 : ffff948d`cec40a70 ffff948e`04a1f230 ffff948d`fc603010 00000000`00000000 : SophosED+0x73198 ffffab82`b1597360 fffff805`47490e34 : 00000000`00000003 ffff948e`04a1f230 00000000`6d4e6f49 fffff805`47490a63 : nt!IofCallDriver+0x55 ffffab82`b15973a0 fffff805`4787891d : ffffab82`b1597660 ffff948d`cec40a70 ffff948e`06e03538 ffff948d`00000000 : nt!IoCallDriverWithTracing+0x34 ffffab82`b15973f0 fffff805`477f307e : ffff948d`cec40a70 00000000`0000000a ffff948d`fd35d010 00000000`00000001 : nt!IopParseDevice+0x117d ffffab82`b1597560 fffff805`47895fda : ffff948d`fd35d000 ffffab82`b15977c8 00000000`00000040 ffff948d`cc34a220 : nt!ObpLookupObjectName+0x3fe ffffab82`b1597730 fffff805`47816e2f : 00000000`00000000 00000095`a3ffecb8 00000095`a3ffece8 00000000`00000001 : nt!ObOpenObjectByNameEx+0x1fa ffffab82`b1597860 fffff805`47816a09 : 00000095`a3ffeca0 00000000`00000000 00000095`a3ffecb8 00000095`a3ffece8 : nt!IopCreateFile+0x40f ffffab82`b1597900 fffff805`47608fb5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateFile+0x79 ffffab82`b1597990 00007ffb`b90ad814 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25 00000095`a3ffec38 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`b90ad814 SYMBOL_NAME: SophosIsolate+2f982 MODULE_NAME: SophosIsolate IMAGE_NAME: SophosIsolate.sys STACK_COMMAND: .cxr; .ecxr ; kb BUCKET_ID_FUNC_OFFSET: 2f982 FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_SophosIsolate!unknown_function OS_VERSION: 10.0.19041.1 BUILDLAB_STR: vb_release OSPLATFORM_TYPE: x64 OSNAME: Windows 10 FAILURE_ID_HASH: {be7a8fdb-3976-b71b-78bc-754ee303d169} Followup: MachineOwner ---------
Machines are working after reboot.
Known issue? Do we need to expect more machines failing?
This thread was automatically locked due to age.