
Bugcheck KERNEL_SECURITY_CHECK_FAILURE SSPService.exe, SophosSupport.sys

2 of our computers got a BSOD today after a Sophos product update was installed yesterday.

Both machines are EAP.

The BSOD occurred about 1h after power on, during a Zoom video meeting session.

With or before the BSOD, a minidump was written at 9:41, caused by SophosSupport.sys.

Bugcheck Analysis:

Microsoft (R) Windows Debugger Version 10.0.22549.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 19041 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff805`47200000 PsLoadedModuleList = 0xfffff805`47e2a2d0
Debug session time: Fri Apr  8 09:41:40.278 2022 (UTC + 2:00)
System Uptime: 0 days 1:31:30.254
Loading Kernel Symbols
...............................................................
...........Page 45ac19 not present in the dump file. Type ".hh dbgerr004" for details
.....................................................
................................................................
...................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000095`a2082018).  Type ".hh dbgerr001" for details
Loading unloaded module list
...............
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff805`475f7620 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:ffffab82`b1595eb0=0000000000000139
7: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffab82b15961d0, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffffab82b1596128, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------

Unable to load image \SystemRoot\system32\DRIVERS\SophosIsolate.sys, Win32 error 0n2
Unable to load image \SystemRoot\system32\DRIVERS\SophosED.sys, Win32 error 0n2

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 4249

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 22518

    Key  : Analysis.Init.CPU.mSec
    Value: 1561

    Key  : Analysis.Init.Elapsed.mSec
    Value: 26115

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 93

    Key  : FailFast.Name
    Value: CORRUPT_LIST_ENTRY

    Key  : FailFast.Type
    Value: 3

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1


FILE_IN_CAB:  MEMORY.DMP

BUGCHECK_CODE:  139

BUGCHECK_P1: 3

BUGCHECK_P2: ffffab82b15961d0

BUGCHECK_P3: ffffab82b1596128

BUGCHECK_P4: 0

TRAP_FRAME:  ffffab82b15961d0 -- (.trap 0xffffab82b15961d0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffd80ea89d2938 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffd80eaabed150 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80547532ad2 rsp=ffffab82b1596360 rbp=ffff948df8854500
 r8=ffffab82b15963d0  r9=0000000000000001 r10=ffffd80ea89d2978
r11=0000000000010001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po cy
nt!FsRtlpOplockDequeueRH+0x3e:
fffff805`47532ad2 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffffab82b1596128 -- (.exr 0xffffab82b1596128)
ExceptionAddress: fffff80547532ad2 (nt!FsRtlpOplockDequeueRH+0x000000000000003e)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY 

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  SSPService.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  0000000000000003

EXCEPTION_STR:  0xc0000409

STACK_TEXT:  
ffffab82`b1595ea8 fffff805`47609569     : 00000000`00000139 00000000`00000003 ffffab82`b15961d0 ffffab82`b1596128 : nt!KeBugCheckEx
ffffab82`b1595eb0 fffff805`47609990     : 00000000`00000000 00000000`00000000 00000000`00000001 ffffe2db`cc91d2c8 : nt!KiBugCheckDispatch+0x69
ffffab82`b1595ff0 fffff805`47607d23     : ffff948d`fb20e010 ffff948d`f46bc8b0 00000000`00000103 00000000`00000000 : nt!KiFastFailDispatch+0xd0
ffffab82`b15961d0 fffff805`47532ad2     : 0000a4a4`0000ffff 00000000`000000ff 00000000`00000000 ffff948d`f46bc8b0 : nt!KiRaiseSecurityCheckFailure+0x323
ffffab82`b1596360 fffff805`47574238     : ffff948d`f8854598 00000000`00000000 00000000`00000000 fffff805`4b34d000 : nt!FsRtlpOplockDequeueRH+0x3e
ffffab82`b1596390 fffff805`4788b08b     : 00000000`00000000 ffff948d`f46bcc98 ffffab82`b15965c8 ffff948d`00000001 : nt!FsRtlpRequestExclusiveOplock+0xb8
ffffab82`b1596460 fffff805`478fd691     : ffff948d`f8854598 fffff805`44de2334 ffff948d`f878f920 00000000`00000001 : nt!FsRtlpOplockFsctrlInternal+0x58b
ffffab82`b1596500 fffff805`44e25406     : ffff948d`f878f990 ffff948d`f878f920 fffff805`4b2cb000 fffff805`44de2334 : nt!FsRtlOplockFsctrlEx+0x11
ffffab82`b1596540 fffff805`4b2bf982     : ffff948e`067f90f8 ffff948d`f8854598 00000000`00000001 00000000`00000001 : FLTMGR!FltOplockFsctrlEx+0xc6
ffffab82`b1596580 fffff805`4b2ad6bc     : 00000000`00000001 00000000`00000001 ffff948e`067f90f8 00000000`00000000 : SophosIsolate+0x2f982
ffffab82`b15965c0 fffff805`4b2ad171     : 00000000`00000001 ffff948e`067f90f8 ffff948e`0a4a71e0 ffff948e`067f90f8 : SophosIsolate+0x1d6bc
ffffab82`b1596600 fffff805`4b2a60c9     : 00000000`00000000 ffffab82`b15966c0 00000000`00000000 00000000`00000000 : SophosIsolate+0x1d171
ffffab82`b1596650 fffff805`4b2a4197     : ffffab82`b1596800 ffffab82`b1596800 ffff948e`067f9100 ffffab82`b1596800 : SophosIsolate+0x160c9
ffffab82`b15966f0 fffff805`474f8618     : ffffab82`b1596800 ffff948d`f503d080 ffff948d`00000000 ffff948e`067f9090 : SophosIsolate+0x14197
ffffab82`b1596720 fffff805`474f858d     : fffff805`4b2a4170 ffffab82`b1596800 ffff948e`067f90f8 ffff948d`f8f6bdd0 : nt!KeExpandKernelStackAndCalloutInternal+0x78
ffffab82`b1596790 fffff805`4b2a3d89     : fffff805`4b0a19f0 fffff805`4b0a19f0 00000000`00000000 fffff805`47407805 : nt!KeExpandKernelStackAndCalloutEx+0x1d
ffffab82`b15967d0 fffff805`44dd638c     : ffff948e`067f9010 00000000`00000000 ffff948e`00000000 ffff948d`d34cb730 : SophosIsolate+0x13d89
ffffab82`b1596840 fffff805`44dd5fc5     : 00000000`00000000 ffff948e`0000000d ffff948e`06e0a500 00000000`00000000 : FLTMGR!FltpPerformPreCallbacksWorker+0x36c
ffffab82`b1596960 fffff805`44dd4ce2     : ffffab82`b1598000 ffffab82`b1591000 00000000`00000000 ffffab82`b1596a70 : FLTMGR!FltpPassThroughInternal+0x265
ffffab82`b15969b0 fffff805`44e0aabf     : 00000000`00000000 ffff948e`05487be8 00000000`00000000 ffff948d`cec33010 : FLTMGR!FltpPassThrough+0x5e2
ffffab82`b1596a40 fffff805`4748f835     : 00000000`000000a4 ffff948d`f46bc8b0 00000000`00000002 00000000`00000000 : FLTMGR!FltpFsControl+0xbf
ffffab82`b1596aa0 fffff805`47877208     : ffff948d`f46bc8b0 00000000`00000000 00000000`00000000 fffff805`00000000 : nt!IofCallDriver+0x55
ffffab82`b1596ae0 fffff805`47877007     : ffffffff`00000000 ffffab82`b1596e20 00000000`00040000 ffffab82`b1596e20 : nt!IopSynchronousServiceTail+0x1a8
ffffab82`b1596b80 fffff805`478e4836     : ffffab82`b1597038 00000000`00000000 fffff805`4b0cf730 ffff948d`f8f6bf50 : nt!IopXxxControlFile+0xc67
ffffab82`b1596cc0 fffff805`47608fb5     : ffffab82`b1596e79 ffffab82`b1597038 00000000`00000000 00000000`00000000 : nt!NtFsControlFile+0x56
ffffab82`b1596d30 fffff805`475fb480     : fffff805`4b0cfe2c ffff948d`cec40a70 ffff948e`06e03538 ffff948d`cec40a70 : nt!KiSystemServiceCopyEnd+0x25
ffffab82`b1596f38 fffff805`4b0cfe2c     : ffff948d`cec40a70 ffff948e`06e03538 ffff948d`cec40a70 fffff805`4b01f9d0 : nt!KiServiceLinkage
ffffab82`b1596f40 fffff805`4b0cc18a     : ffff948d`d5d74b50 ffff948e`06e034a0 ffffab82`b1590000 ffffab82`b1597208 : SophosED+0xcfe2c
ffffab82`b15970e0 fffff805`4b073198     : ffff948d`cec40a70 ffff948e`04a1f230 00000000`0000004c ffff948e`056c7a01 : SophosED+0xcc18a
ffffab82`b1597310 fffff805`4748f835     : ffff948d`cec40a70 ffff948e`04a1f230 ffff948d`fc603010 00000000`00000000 : SophosED+0x73198
ffffab82`b1597360 fffff805`47490e34     : 00000000`00000003 ffff948e`04a1f230 00000000`6d4e6f49 fffff805`47490a63 : nt!IofCallDriver+0x55
ffffab82`b15973a0 fffff805`4787891d     : ffffab82`b1597660 ffff948d`cec40a70 ffff948e`06e03538 ffff948d`00000000 : nt!IoCallDriverWithTracing+0x34
ffffab82`b15973f0 fffff805`477f307e     : ffff948d`cec40a70 00000000`0000000a ffff948d`fd35d010 00000000`00000001 : nt!IopParseDevice+0x117d
ffffab82`b1597560 fffff805`47895fda     : ffff948d`fd35d000 ffffab82`b15977c8 00000000`00000040 ffff948d`cc34a220 : nt!ObpLookupObjectName+0x3fe
ffffab82`b1597730 fffff805`47816e2f     : 00000000`00000000 00000095`a3ffecb8 00000095`a3ffece8 00000000`00000001 : nt!ObOpenObjectByNameEx+0x1fa
ffffab82`b1597860 fffff805`47816a09     : 00000095`a3ffeca0 00000000`00000000 00000095`a3ffecb8 00000095`a3ffece8 : nt!IopCreateFile+0x40f
ffffab82`b1597900 fffff805`47608fb5     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateFile+0x79
ffffab82`b1597990 00007ffb`b90ad814     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
00000095`a3ffec38 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`b90ad814


SYMBOL_NAME:  SophosIsolate+2f982

MODULE_NAME: SophosIsolate

IMAGE_NAME:  SophosIsolate.sys

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  2f982

FAILURE_BUCKET_ID:  0x139_3_CORRUPT_LIST_ENTRY_SophosIsolate!unknown_function

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {be7a8fdb-3976-b71b-78bc-754ee303d169}

Followup:     MachineOwner
---------

Machines are working after reboot.

Known issue? Do we need to expect more machines failing?
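For readers of the dump above: Arg1 = 3 and `FailFast.Type 3` mean `FAST_FAIL_CORRUPT_LIST_ENTRY`, and the `int 29h` at `nt!FsRtlpOplockDequeueRH+0x3e` is the x64 `__fastfail` instruction the kernel's checked `RemoveEntryList` raises when an entry's neighbours no longer point back at it, which is exactly what a double remove produces. The following user-mode C program is an added illustration written for this thread; it is not Sophos code and not the Windows header implementation. It models `LIST_ENTRY` with the same field names and reproduces the safe-unlink check as a function that returns the fast-fail subcode (3) instead of terminating, so the double-remove scenario can be observed without crashing anything.

```c
#include <stdio.h>

/* Model of the kernel's LIST_ENTRY: a circular doubly linked list whose
 * head is a sentinel node. Field names match wdm.h; the code is a
 * constructed illustration, not the Windows implementation. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* 3 is the value reported as Arg1 / FailFast.Type in the bugcheck above. */
enum { LIST_OK = 0, LIST_CORRUPT = 3 };

void InitializeListHead(LIST_ENTRY *Head)
{
    Head->Flink = Head->Blink = Head;
}

/* Append at the tail, verifying the current tail still links back to Head. */
int InsertTailList(LIST_ENTRY *Head, LIST_ENTRY *Entry)
{
    LIST_ENTRY *Blink = Head->Blink;
    if (Blink->Flink != Head)
        return LIST_CORRUPT;
    Entry->Flink = Head;
    Entry->Blink = Blink;
    Blink->Flink = Entry;
    Head->Blink = Entry;
    return LIST_OK;
}

/* Safe-unlink check: both neighbours must still point at Entry. The kernel's
 * checked RemoveEntryList performs this test and fast-fails with subcode 3
 * when it does not hold; here we report the subcode instead of crashing. */
int RemoveEntryListChecked(LIST_ENTRY *Entry)
{
    LIST_ENTRY *Flink = Entry->Flink;
    LIST_ENTRY *Blink = Entry->Blink;
    if (Flink->Blink != Entry || Blink->Flink != Entry)
        return LIST_CORRUPT;
    Blink->Flink = Flink;
    Flink->Blink = Blink;
    return LIST_OK;
}

/* Walk the list from the head and count the live entries. */
int CountEntries(const LIST_ENTRY *Head)
{
    int n = 0;
    for (const LIST_ENTRY *e = Head->Flink; e != Head; e = e->Flink)
        n++;
    return n;
}

/* Correct usage: remove an entry exactly once. Returns the check result. */
int DemoSingleRemove(void)
{
    LIST_ENTRY head, a, b, c;
    InitializeListHead(&head);
    InsertTailList(&head, &a);
    InsertTailList(&head, &b);
    InsertTailList(&head, &c);
    int rc = RemoveEntryListChecked(&b);
    /* a and c remain; the list is still consistent. */
    return (rc == LIST_OK && CountEntries(&head) == 2) ? LIST_OK : -1;
}

/* The scenario behind the bugcheck: the same entry is removed twice.
 * After the first removal b's stale Flink/Blink still name a and c, but
 * a and c now point at each other, so the second removal fails the check. */
int DemoDoubleRemove(void)
{
    LIST_ENTRY head, a, b, c;
    InitializeListHead(&head);
    InsertTailList(&head, &a);
    InsertTailList(&head, &b);
    InsertTailList(&head, &c);
    int first = RemoveEntryListChecked(&b);
    int second = RemoveEntryListChecked(&b);
    if (first != LIST_OK)
        return -1;
    return second;  /* LIST_CORRUPT (3) on the double remove */
}

int main(void)
{
    printf("single remove: %d\n", DemoSingleRemove());
    printf("double remove: %d (3 = FAST_FAIL_CORRUPT_LIST_ENTRY)\n",
           DemoDoubleRemove());
    return 0;
}
```

The point for triage is that the check fires in whichever component happens to unlink the entry second. Here that was `nt!FsRtlpOplockDequeueRH`, called from the `SophosIsolate` filter via `FltOplockFsctrlEx`, which is why the bucket names `SophosIsolate.sys` even though the faulting instruction is in ntoskrnl.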



Thank you very much.

I had a skilled GES tech working on the case, confirming what you already wrote above.

DPSGN-15830 - BSOD Bugcheck 0xA IRQL_NOT_LESS_OR_EQUAL referencing SophosIsolate.sys

Already fixed with patch 34 and also with the latest 37 patch for SafeGuard Encryption.

We cannot confirm it 100% because this would take more time, but I'm sure the technician knew what he was talking about and that it is the solution.
