BSOD from Norton (NIS) ---IDSvia64.sys?

I have had repeated BSOD on a new Windows 8.1 (dell XPS 12).  I have NIS 21.1.0.18.  i have run the windows debugger and it points to IDSvia64.sys as part of Norton.  Here is my latest minidump.

Any advice?

 

Thanks,

Chris

Houston, TX

USA

 

!analyze -v
**************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg2: 0000000000001205, (reserved)
Arg3: 0000000000000000, Memory contents of the pool block
Arg4: ffffe0000775f620, Address of the block of pool being deallocated

Debugging Details:
------------------

*** WARNING: Unable to verify timestamp for IDSvia64.sys
*** ERROR: Module load completed but symbols could not be loaded for IDSvia64.sys

ffffe0000775f610 doesn't look like a valid small pool allocation, checking to see
if the entire page is actually part of a large page allocation...

GetUlongFromAddress: unable to read from fffff801ed8a8400

POOL_ADDRESS: ffffe0000775f620

BUGCHECK_STR: 0xc2_7

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: System

CURRENT_IRQL: 2

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) x86fre

LAST_CONTROL_TRANSFER: from fffff801ed8953ca to fffff801ed750ca0

STACK_TEXT:
ffffd000`20b8d868 fffff801`ed8953ca : 00000000`000000c2 00000000`00000007 00000000`00001205 00000000`00000000 : nt!KeBugCheckEx
ffffd000`20b8d870 fffff800`0200d397 : fffff801`ed8a21c0 ffffe000`0047c400 ffffe000`07762940 00000000`36313249 : nt!ExFreePoolWithTag+0x10fa
ffffd000`20b8d940 fffff801`ed8a21c0 : ffffe000`0047c400 ffffe000`07762940 00000000`36313249 ffffe000`0047c400 : IDSvia64+0xd397
ffffd000`20b8d948 ffffe000`0047c400 : ffffe000`07762940 00000000`36313249 ffffe000`0047c400 fffff800`0200d585 : nt!ExNode0+0xc0
ffffd000`20b8d950 ffffe000`07762940 : 00000000`36313249 ffffe000`0047c400 fffff800`0200d585 00000000`0000000f : 0xffffe000`0047c400
ffffd000`20b8d958 00000000`36313249 : ffffe000`0047c400 fffff800`0200d585 00000000`0000000f ffffd000`20b8d978 : 0xffffe000`07762940
ffffd000`20b8d960 ffffe000`0047c400 : fffff800`0200d585 00000000`0000000f ffffd000`20b8d978 ffffd000`20b8d978 : 0x36313249
ffffd000`20b8d968 fffff800`0200d585 : 00000000`0000000f ffffd000`20b8d978 ffffd000`20b8d978 00000000`37313249 : 0xffffe000`0047c400
ffffd000`20b8d970 00000000`0000000f : ffffd000`20b8d978 ffffd000`20b8d978 00000000`37313249 ffffe000`0047c400 : IDSvia64+0xd585
ffffd000`20b8d978 ffffd000`20b8d978 : ffffd000`20b8d978 00000000`37313249 ffffe000`0047c400 fffff800`0200cd0e : 0xf
ffffd000`20b8d980 ffffd000`20b8d978 : 00000000`37313249 ffffe000`0047c400 fffff800`0200cd0e 00000000`00000010 : 0xffffd000`20b8d978
ffffd000`20b8d988 00000000`37313249 : ffffe000`0047c400 fffff800`0200cd0e 00000000`00000010 00000000`00000000 : 0xffffd000`20b8d978
ffffd000`20b8d990 ffffe000`0047c400 : fffff800`0200cd0e 00000000`00000010 00000000`00000000 ffffe000`0ab699e0 : 0x37313249
ffffd000`20b8d998 fffff800`0200cd0e : 00000000`00000010 00000000`00000000 ffffe000`0ab699e0 fffff800`02074eb8 : 0xffffe000`0047c400
ffffd000`20b8d9a0 00000000`00000010 : 00000000`00000000 ffffe000`0ab699e0 fffff800`02074eb8 ffffe000`0047c468 : IDSvia64+0xcd0e
ffffd000`20b8d9a8 00000000`00000000 : ffffe000`0ab699e0 fffff800`02074eb8 ffffe000`0047c468 00000000`00000000 : 0x10


STACK_COMMAND: kb

FOLLOWUP_IP:
IDSvia64+d397
fffff800`0200d397 ?? ???

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: IDSvia64+d397

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: IDSvia64

IMAGE_NAME: IDSvia64.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 52d0c113

FAILURE_BUCKET_ID: 0xc2_7_IDSvia64+d397

BUCKET_ID: 0xc2_7_IDSvia64+d397

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0xc2_7_idsvia64+d397

FAILURE_ID_HASH: {ed2c38dc-2516-b1e8-147c-4e3bca4e57f9}

Followup: MachineOwner
---------

1: kd> lmvm IDSvia64
start end module name
fffff800`02000000 fffff800`02084000 IDSvia64 T (no symbols)
Loaded symbol image file: IDSvia64.sys
Image path: \??\C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\IPSDefs\

 

Question Info


Last updated July 14, 2018 Views 4,649 Applies to:
Answer
Hi,

I would need the actual dump to further debug this and check the pools, but from the stack you've shown it appears that IDSvia64.sys which is a component of Norton is causing memory corruption, likely from NETBIOS conflicts. This is no surprise, stay away from Norton.

Remove and replace Norton with Windows 8's built-in Windows Defender for temporary troubleshooting purposes:

Norton removal - https://support.norton.com/sp/en/us/home/current/solutions/kb20080710133834EN_EndUserProfile_en_us;jsessionid=841A6D40BA6872C47697C6C6B19C8E11.4?entsrc=redirect_pubweb&pvid=f-home

Windows Defender (how to turn on after removal) - http://www.eightforums.com/tutorials/21962-windows-defender-turn-off-windows-8-a.html

Regards,

Patrick
Debugger/Reverse Engineer.

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.