After installing SONAR definitions sequence 170306001 on a system with Symantec Endpoint Protection (SEP) 12.1 or 14, a Bug Check 0x19 (BAD_POOL_HEADER) occurs due to bhdrvx64.sys or bhdrvx86.sys, which is our Behavioral Analysis And Security Heuristics (BASH) driver.
The crash results from a buffer overflow in BASH, caused by two signatures, introduced in the March 6, 2017 definitions, that use the loaded_modules attribute (which is where the problem lies).
The two offending signatures were pulled in the March 20, 2017 SONAR definitions release (sequence number 20170314001). They will be reintroduced after the problem in the BASH engine has been addressed.