BugCheck 0x3B due to SysPlant on a system running Endpoint Protection
Last Updated May 17, 2019
After installing Symantec Endpoint Protection (SEP) 14.0 or higher with the Application and Device Control (ADC) feature, you experience a crash with BugCheck 0x3B (SYSTEM_SERVICE_EXCEPTION). Microsoft's Windows Debugger (WinDBG) points to SysPlant as the culprit.
SEP 14.0 or higher
WinDBG shows the following chain of events (read from bottom to top):
0: kd> kc
# Call Site
08 SysPlant -> Process Tracker: reference process name
09 SysPlant -> Process Tracker: add parent process name link
0a SysPlant -> Process Tracker: copy parent process name
0b SysPlant -> Process Tracker: process new process
0c SysPlant -> Process Tracker: call create process notify routine
Once SEP's ADC feature is installed, SysPlant (SEP's ADC kernel-mode driver) calls its create process notify routine whenever a new user process is created. While SysPlant copies the parent process information in one thread, the same information may be unexpectedly updated in another thread. SysPlant's subsequent attempt to dereference the parent process name list head in the process information structure then ends in a general protection fault.
This issue was resolved in SEP 14.2 RU1 by adding a synchronization mechanism for the core data structure used by SysPlant. This ensures consistency not only when launching a new process, but also when terminating one, accessing files, loading a DLL, accessing the registry, etc.
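The race and its fix can be modelled in user mode. The following is an added example, not Symantec's code: the structure, function names and sample process names are hypothetical, a fixed-size name buffer stands in for the list the article mentions, and a pthread mutex stands in for whatever primitive the driver uses, which the article does not name.

```c
#include <pthread.h>
#include <string.h>

#define NAME_LEN 64
#define ROUNDS   200000

/* Hypothetical tracker record; not SysPlant's real layout. */
struct proc_entry {
    pthread_mutex_t lock;            /* guards parent_name */
    char parent_name[NAME_LEN];      /* shared between both threads */
};

static struct proc_entry entry = { PTHREAD_MUTEX_INITIALIZER, "" };
/* Constructed sample names of different lengths, so a torn copy is visible. */
static const char *names[2] = { "AAAAAAAAAAAAAAAAAAAAAAAA.exe", "bbbbbbbb.exe" };

/* Writer: stands in for the thread that updates the parent information. */
static void *updater(void *arg) {
    (void)arg;
    for (int i = 0; i < ROUNDS; i++) {
        pthread_mutex_lock(&entry.lock);
        strcpy(entry.parent_name, names[i & 1]);
        pthread_mutex_unlock(&entry.lock);
    }
    return NULL;
}

/* Reader: stands in for the notify path copying the parent name.
 * Returns 1 if the snapshot is one of the two valid names, 0 if torn. */
static int copy_parent_name(char *out) {
    pthread_mutex_lock(&entry.lock);   /* without this the copy can tear */
    memcpy(out, entry.parent_name, NAME_LEN);
    pthread_mutex_unlock(&entry.lock);
    return strcmp(out, names[0]) == 0 || strcmp(out, names[1]) == 0;
}

/* Runs reader and writer concurrently; returns the number of torn copies. */
int run_tracker_model(void) {
    pthread_t t;
    char snap[NAME_LEN];
    int torn = 0;
    strcpy(entry.parent_name, names[0]);
    pthread_create(&t, NULL, updater, NULL);
    for (int i = 0; i < ROUNDS; i++)
        if (!copy_parent_name(snap)) torn++;
    pthread_join(t, NULL);
    return torn;
}

int main(void) { return run_tracker_model() != 0; }
```

With the lock held on both paths the reader never observes a half-written name. Removing the lock from either path makes the copy a data race, the user-mode analogue of the inconsistent structure behind the 0x3B crash.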