Question

BSOD from Norton (NIS) ---IDSvia64.sys?

Christopher Greeley asked on

I have had repeated BSODs on a new Windows 8.1 machine (Dell XPS 12). I have NIS 21.1.0.18. I have run the Windows debugger and it points to IDSvia64.sys as part of Norton. Here is my latest minidump.

Any advice?

Thanks,
Chris
Houston, TX
USA

!analyze -v
**************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg2: 0000000000001205, (reserved)
Arg3: 0000000000000000, Memory contents of the pool block
Arg4: ffffe0000775f620, Address of the block of pool being deallocated

Debugging Details:
------------------

*** WARNING: Unable to verify timestamp for IDSvia64.sys
*** ERROR: Module load completed but symbols could not be loaded for IDSvia64.sys

ffffe0000775f610 doesn't look like a valid small pool allocation, checking to see
if the entire page is actually part of a large page allocation...

GetUlongFromAddress: unable to read from fffff801ed8a8400

POOL_ADDRESS: ffffe0000775f620

BUGCHECK_STR: 0xc2_7

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: System

CURRENT_IRQL: 2

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) x86fre

LAST_CONTROL_TRANSFER: from fffff801ed8953ca to fffff801ed750ca0

STACK_TEXT:
ffffd000`20b8d868 fffff801`ed8953ca : 00000000`000000c2 00000000`00000007 00000000`00001205 00000000`00000000 : nt!KeBugCheckEx
ffffd000`20b8d870 fffff800`0200d397 : fffff801`ed8a21c0 ffffe000`0047c400 ffffe000`07762940 00000000`36313249 : nt!ExFreePoolWithTag+0x10fa
ffffd000`20b8d940 fffff801`ed8a21c0 : ffffe000`0047c400 ffffe000`07762940 00000000`36313249 ffffe000`0047c400 : IDSvia64+0xd397
ffffd000`20b8d948 ffffe000`0047c400 : ffffe000`07762940 00000000`36313249 ffffe000`0047c400 fffff800`0200d585 : nt!ExNode0+0xc0
ffffd000`20b8d950 ffffe000`07762940 : 00000000`36313249 ffffe000`0047c400 fffff800`0200d585 00000000`0000000f : 0xffffe000`0047c400
ffffd000`20b8d958 00000000`36313249 : ffffe000`0047c400 fffff800`0200d585 00000000`0000000f ffffd000`20b8d978 : 0xffffe000`07762940
ffffd000`20b8d960 ffffe000`0047c400 : fffff800`0200d585 00000000`0000000f ffffd000`20b8d978 ffffd000`20b8d978 : 0x36313249
ffffd000`20b8d968 fffff800`0200d585 : 00000000`0000000f ffffd000`20b8d978 ffffd000`20b8d978 00000000`37313249 : 0xffffe000`0047c400
ffffd000`20b8d970 00000000`0000000f : ffffd000`20b8d978 ffffd000`20b8d978 00000000`37313249 ffffe000`0047c400 : IDSvia64+0xd585
ffffd000`20b8d978 ffffd000`20b8d978 : ffffd000`20b8d978 00000000`37313249 ffffe000`0047c400 fffff800`0200cd0e : 0xf
ffffd000`20b8d980 ffffd000`20b8d978 : 00000000`37313249 ffffe000`0047c400 fffff800`0200cd0e 00000000`00000010 : 0xffffd000`20b8d978
ffffd000`20b8d988 00000000`37313249 : ffffe000`0047c400 fffff800`0200cd0e 00000000`00000010 00000000`00000000 : 0xffffd000`20b8d978
ffffd000`20b8d990 ffffe000`0047c400 : fffff800`0200cd0e 00000000`00000010 00000000`00000000 ffffe000`0ab699e0 : 0x37313249
ffffd000`20b8d998 fffff800`0200cd0e : 00000000`00000010 00000000`00000000 ffffe000`0ab699e0 fffff800`02074eb8 : 0xffffe000`0047c400
ffffd000`20b8d9a0 00000000`00000010 : 00000000`00000000 ffffe000`0ab699e0 fffff800`02074eb8 ffffe000`0047c468 : IDSvia64+0xcd0e
ffffd000`20b8d9a8 00000000`00000000 : ffffe000`0ab699e0 fffff800`02074eb8 ffffe000`0047c468 00000000`00000000 : 0x10


STACK_COMMAND: kb

FOLLOWUP_IP:
IDSvia64+d397
fffff800`0200d397 ?? ???

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: IDSvia64+d397

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: IDSvia64

IMAGE_NAME: IDSvia64.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 52d0c113

FAILURE_BUCKET_ID: 0xc2_7_IDSvia64+d397

BUCKET_ID: 0xc2_7_IDSvia64+d397

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0xc2_7_idsvia64+d397

FAILURE_ID_HASH: {ed2c38dc-2516-b1e8-147c-4e3bca4e57f9}

Followup: MachineOwner
---------

1: kd> lmvm IDSvia64
start end module name
fffff800`02000000 fffff800`02084000 IDSvia64 T (no symbols)
Loaded symbol image file: IDSvia64.sys
Image path: \??\C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\IPSDefs\


Answer
Patrick Barker replied on
Hi,

I would need the actual dump to further debug this and check the pools, but from the stack you've shown it appears that IDSvia64.sys, which is a component of Norton, is causing memory corruption, likely from NETBIOS conflicts. This is no surprise; stay away from Norton.

Remove and replace Norton with Windows 8's built-in Windows Defender for temporary troubleshooting purposes:

Norton removal - https://support.norton.com/sp/en/us/home/current/solutions/kb20080710133834EN_EndUserProfile_en_us;jsessionid=841A6D40BA6872C47697C6C6B19C8E11.4?entsrc=redirect_pubweb&pvid=f-home

Windows Defender (how to turn on after removal) - http://www.eightforums.com/tutorials/21962-windows-defender-turn-off-windows-8-a.html

Regards,

Patrick
Debugger/Reverse Engineer.
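
A triage sketch for the output in this thread, added here as an example and not part of either post: it pulls the bugcheck code and arguments out of pasted !analyze -v text and finds the first non-OS module on the stack, which is the frame the dump reports as SYMBOL_STACK_INDEX 2. The function names and the CORE set are assumptions made for illustration; the sample is trimmed from the posted output.

```python
import re

# Trimmed from the !analyze -v output posted above; argument columns cut to "(args)".
SAMPLE = """\
BAD_POOL_CALLER (c2)
Arguments:
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg4: ffffe0000775f620, Address of the block of pool being deallocated
STACK_TEXT:
ffffd000`20b8d868 fffff801`ed8953ca : (args) : nt!KeBugCheckEx
ffffd000`20b8d870 fffff800`0200d397 : (args) : nt!ExFreePoolWithTag+0x10fa
ffffd000`20b8d940 fffff801`ed8a21c0 : (args) : IDSvia64+0xd397
ffffd000`20b8d948 ffffe000`0047c400 : (args) : nt!ExNode0+0xc0
ffffd000`20b8d950 ffffe000`07762940 : (args) : 0xffffe000`0047c400
STACK_COMMAND: kb
"""

FRAME = re.compile(r"^[0-9a-f`]+ [0-9a-f`]+ : .* : (\S+)$", re.M)
SYMBOL = re.compile(r"^(\w+)(?:!(\w+))?(?:\+0x([0-9a-f]+))?$")
CORE = {"nt", "hal"}  # assumption: modules treated as OS core during triage


def parse_bugcheck(text):
    """Return (name, code, {arg number: (value, description)})."""
    m = re.search(r"^(\w+) \(([0-9a-f]+)\)$", text, re.M)
    args = {int(n): (int(v, 16), d.strip()) for n, v, d in
            re.findall(r"^Arg(\d): ([0-9a-f]+), (.*)$", text, re.M)}
    return m.group(1), int(m.group(2), 16), args


def parse_stack(text):
    """Return frames as (module, function, offset); raw addresses get module None."""
    frames = []
    for sym in FRAME.findall(text):
        m = None if sym.startswith("0x") else SYMBOL.match(sym)
        frames.append((m.group(1), m.group(2), int(m.group(3) or "0", 16)) if m
                      else (None, sym, None))
    return frames


def first_third_party(frames):
    """First frame, walking outward from the crash, that is not an OS core module."""
    for i, (mod, _func, off) in enumerate(frames):
        if mod and mod not in CORE:
            return i, mod, off
    return None
```

In the posted stack the child-SP column advances by only 8 bytes per entry after the IDSvia64+0xd397 frame, so those later entries are raw stack words rather than real call frames. Only the first three frames (the bugcheck, the pool free, and its caller) carry meaning for triage.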