A crash dump analysis shows it was probably caused by SymEvent

Article ID: 164962

Products

Endpoint Protection

Issue/Introduction

When using the Windows Debugger (WinDBG) to analyze a crash dump of a system on which Symantec Endpoint Protection (SEP) is installed, the !analyze -v output indicates the issue is probably caused by SymEvent (our Event Library driver).

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck <code>, {<parameters>}

Probably caused by : SYMEVENT.SYS ( SYMEVENT+<offset> )

Followup:     MachineOwner
--------

Environment

SEP (all versions)

Cause

When a system crashes, SymEvent will have captured the API event (e.g. a process termination event) that led to the crash, which is why it is a common sight in a crash dump. Because Microsoft's automated analysis tends to single out non-Microsoft drivers, SymEvent is indicated as the likely culprit. To determine the actual root cause (in the overwhelming majority of cases a non-Symantec component), one needs to look below the surface. While the Resolution section includes some basic guidance for this, you are welcome to engage us if you require any assistance.

Resolution

To attempt to determine the actual root cause:

  1. Investigate the !analyze -v output:

    • Does the PROCESS_NAME show a Symantec (e.g. ccSvcHst.exe) or a third-party process? The former warrants further investigation by us; if the latter is the case, it is recommended to contact the third-party vendor, as only they will have the private symbols required to determine the root cause.

    • Does disassembling or dumping the LAST_CONTROL_TRANSFER "to" address (u <address> or dps <address>) show any reference to sysfer.dll? If so, please create an Application Control exception for the PROCESS_NAME, which could resolve the issue.

  2. If the dump is a complete or kernel memory dump, use !locks (display information about kernel ERESOURCE locks), then use !thread to dump the individual thread information. Do any of them show Symantec components?

  3. If the dump is a minidump, does ~*kv show any Symantec components?

  4. If the dump is a process dump, does !peb (display Process Environment Block) show any Symantec components loaded in the process?

Symantec components include:
  • bhdrvx* (Behavioral Analysis And Security Heuristics driver)
  • ccset* (Common Client Settings driver) 
  • ex* (AV Engine driver)
  • idsvi* or idsxp* (Core IDS driver)
  • iron* (IRON driver)
  • srtsp* (AutoProtect driver)
  • sisips* or sisids* (SCSP IPS or IDS driver)
  • symefa* (Extended File Attributes driver)
  • symtdi or symnets (Network Security driver) 
  • sysfer (Application Control user mode component)
  • sysplant (Symantec CMC Firewall SysPlant driver) 
  • teefer (Symantec CMC Firewall Teefer3 driver) 
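The checks above (PROCESS_NAME, a reference to sysfer.dll, Symantec components on the stack) can be applied mechanically to text saved from a WinDbg session. The following PowerShell function is an added example and is not part of this article or of any Symantec tool; the component prefixes are the ones listed above (plus SymEvent itself), ccSvcHst.exe is the only Symantec process name the article gives, and the WinDbg output at the bottom is constructed for the demonstration, not taken from a real dump.

```powershell
# Added example, not part of the Symantec article: applies the article's triage checks
# to text captured from WinDbg (!analyze -v, ~*kv, !thread). The sample at the bottom
# is constructed, not a real dump.

# Name prefixes of Symantec components as listed in the article, plus SymEvent itself.
# 'ex' is a very short prefix and will over-match (e.g. exfat); confirm hits with "lmvm <module>".
$SymantecPrefixes = @('bhdrvx', 'ccset', 'ex', 'idsvi', 'idsxp', 'iron', 'srtsp', 'sisips',
                      'sisids', 'symefa', 'symtdi', 'symnets', 'sysfer', 'sysplant',
                      'teefer', 'symevent')

# Symantec process names; the article names ccSvcHst.exe as its example.
$SymantecProcesses = @('ccsvchst.exe')

function Get-CrashTriage {
    param([Parameter(Mandatory)][string]$WinDbgOutput)

    $processName = if ($WinDbgOutput -match '(?m)^PROCESS_NAME:\s*(\S+)') { $Matches[1] } else { '<unknown>' }
    $blamed      = if ($WinDbgOutput -match 'Probably caused by\s*:\s*(\S+)') { $Matches[1] } else { '<unknown>' }

    # Module names appear as "module!symbol+0x.." (symbols resolved) or "module+0x.." (no symbols).
    # The lookbehind in the second pattern keeps "symbol+0x.." after a "!" from being taken as a module.
    $tokens  = @([regex]::Matches($WinDbgOutput, '(?i)\b([a-z][a-z0-9_]*)!') | ForEach-Object { $_.Groups[1].Value })
    $tokens += @([regex]::Matches($WinDbgOutput, '(?i)(?<![!\w])([a-z][a-z0-9_]*)\+0x') | ForEach-Object { $_.Groups[1].Value })
    $modules = @($tokens | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)

    $symantecModules = @($modules | Where-Object {
        $module = $_
        ($SymantecPrefixes | Where-Object { $module.StartsWith($_) } | Select-Object -First 1)
    })

    $advice = [System.Collections.Generic.List[string]]::new()
    if ($SymantecProcesses -contains $processName.ToLowerInvariant()) {
        $advice.Add("PROCESS_NAME $processName is a Symantec process: warrants further investigation by Symantec.")
    } else {
        $advice.Add("PROCESS_NAME $processName is not a Symantec process: contact its vendor, who holds the private symbols.")
    }
    if ($symantecModules -contains 'sysfer') {
        $advice.Add("sysfer.dll is referenced: create an Application Control exception for $processName.")
    }
    $others = @($symantecModules | Where-Object { $_ -ne 'symevent' })
    if ($others.Count -eq 0) {
        $advice.Add('No Symantec component other than SymEvent appears on the stack; look at the remaining modules.')
    }

    [pscustomobject]@{
        ProcessName      = $processName
        ProbablyCausedBy = $blamed
        ModulesOnStack   = $modules
        SymantecModules  = $symantecModules
        Advice           = $advice.ToArray()
    }
}

# Constructed sample: fragments of "!analyze -v" plus a few stack frames (not a real dump).
$sample = @'
PROCESS_NAME:  VendorBackupAgent.exe

LAST_CONTROL_TRANSFER:  from fffff80002c8a1e9 to fffff80002c8ac40

STACK_TEXT:
fffff880`0a1b2c30 fffff800`02c8a1e9 : nt!KeBugCheckEx+0x1e
fffff880`0a1b2d70 fffff880`0a3b1f20 : sysfer+0x1f20
fffff880`0a1b2e00 fffff880`0a4c2000 : SYMEVENT+0x2000
fffff880`0a1b2e90 fffff880`0a5d3123 : vendorfilter!ProcessCallback+0x123

Probably caused by : SYMEVENT.SYS ( SYMEVENT+2000 )
'@

Get-CrashTriage -WinDbgOutput $sample | Format-List
```

Run it against the text of a saved WinDbg log (for example `Get-CrashTriage -WinDbgOutput (Get-Content .\analyze.log -Raw)`). For the constructed sample it reports a non-Symantec PROCESS_NAME, flags the sysfer reference for an Application Control exception, and lists vendorfilter alongside the Symantec modules so the analyst sees the other candidate on the stack.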
 
If the dump that was generated is a minidump, it will be necessary to generate a complete memory dump prior to contacting Symantec Support. If sufficient disk space (equal to or greater than the amount of system memory) is not available, then opt to generate a kernel memory dump instead. Use the following procedure:
  1. Open Registry Editor (regedit.exe).

  2. Navigate to HKLM\SYSTEM\CurrentControlSet\Control\CrashControl.

  3. Double-click CrashDumpEnabled and set the value to 1 for a complete dump (or 2 for a kernel dump), then click OK.

  4. Close Registry Editor.

  5. Click the Start button, right-click Computer and select Properties. Click Advanced System Settings.

  6. In the Performance area, click the Settings... button.

  7. In the Performance Options window, navigate to the Advanced tab, then click the Change... button.

  8. Click the Custom size radio button, then set both Initial size (MB) and Maximum size (MB) to at least the amount of system memory + 257 MB, by entering the correct value in each field and clicking the Set button when done. E.g. if the system has 4 GB of memory, set both fields to (4 x 1024) + 257 = 4353 MB. If the system has 8 GB of memory, set both fields to (8 x 1024) + 257 = 8449 MB.

  9. After having made these changes, restart the system.
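The same registry and page-file changes can be scripted instead of made through Registry Editor and the System Properties dialogs. The function below is an added example, not part of this article or of any Symantec tool. It assumes an elevated PowerShell session on a system with the CIM cmdlets (PowerShell 3.0 or later), that the page file is C:\pagefile.sys, and it rounds installed memory up to whole gigabytes before applying the article's formula (GB x 1024 + 257 MB), so 4 GB gives 4353 MB and 8 GB gives 8449 MB as in step 8.

```powershell
# Added example, not part of the Symantec article: scripted equivalent of steps 1-8 above.
# Assumptions: elevated session, page file at C:\pagefile.sys, CIM cmdlets available.
#Requires -RunAsAdministrator

# Article formula: (GB of RAM x 1024) + 257 MB. Rounds up to whole GB because the
# reported physical memory is usually slightly below the installed amount.
function Get-RequiredPageFileMB {
    param([Parameter(Mandatory)][double]$RamBytes)
    [int]([math]::Ceiling($RamBytes / 1GB) * 1024 + 257)   # 4 GB -> 4353, 8 GB -> 8449
}

function Set-CrashDumpConfiguration {
    param(
        [ValidateSet('Complete', 'Kernel')][string]$DumpType = 'Complete',
        [string]$PageFilePath = 'C:\pagefile.sys'
    )

    # CrashDumpEnabled: 1 = complete memory dump, 2 = kernel memory dump (article step 3)
    $crashDumpValue = if ($DumpType -eq 'Complete') { 1 } else { 2 }
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' `
                     -Name 'CrashDumpEnabled' -Value $crashDumpValue -Type DWord

    # Page file must be at least RAM + 257 MB (article step 8)
    $cs     = Get-CimInstance -ClassName Win32_ComputerSystem
    $sizeMB = Get-RequiredPageFileMB -RamBytes $cs.TotalPhysicalMemory

    # A custom size is ignored while Windows manages the page file automatically
    if ($cs.AutomaticManagedPagefile) {
        Set-CimInstance -InputObject $cs -Property @{ AutomaticManagedPagefile = $false }
    }

    $pf = Get-CimInstance -ClassName Win32_PageFileSetting | Where-Object { $_.Name -eq $PageFilePath }
    if ($pf) {
        Set-CimInstance -InputObject $pf -Property @{ InitialSize = $sizeMB; MaximumSize = $sizeMB }
    } else {
        New-CimInstance -ClassName Win32_PageFileSetting `
                        -Property @{ Name = $PageFilePath; InitialSize = $sizeMB; MaximumSize = $sizeMB } | Out-Null
    }

    # Read the settings back so the caller can confirm them before restarting (article step 9)
    [pscustomobject]@{
        CrashDumpEnabled = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl').CrashDumpEnabled
        PageFile         = $PageFilePath
        PageFileSizeMB   = $sizeMB
        RestartRequired  = $true
    }
}

Set-CrashDumpConfiguration -DumpType Complete
```

Use `-DumpType Kernel` when the disk cannot hold a complete dump. The changes only take effect after the restart in step 9, and the returned object is there to check the values before restarting.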

Following the reproduction of the issue, after opening a case with Symantec, upload the dump to the case using SymDiag:

  1. Download and run SymDiag (http://entced.symantec.com/symhelp/2/dl).

  2. Click Collect Data for Support.

  3. In the Select Products section, tick Endpoint Protection Client and click Next.

  4. In the Select Data Type section, under Data Type, select All data, tick Choose additional files to collect and click Next.

  5. Below Choose additional files to collect, click the Browse... button, navigate to and select the dump created in the previous step (typically C:\Windows\MEMORY.DMP), click the Open button, then click the Next button.

  6. After the data collection has finished, enter customer name, company, case number, contact information and a brief description of the issue, then click the Open or Update a Support Case button. Enter user name and password, then click the Login button.

Alternatively, you may zip the dump and deliver it to us using a delivery method agreed upon with your Technical Support Engineer.