BSOD on Win7 Prof machine with EES

[pgalos 0]

Hello

 

Windows 7 Prof with SP1 with newest patches, ESET Remote Administrator Agent 6.4.283.0,
ESET Endpoint Security 6.4.2014.2.

Twice or three times a day user can see BSOD on this machine, and error is always the same:

 

0x000000f5 (0x000000000000006e, 0xfffffa80049c6880, 0xfffffa80049c6820, 0x0000000000000000).

 

NirSoft Blue Screen View displays drivers found in crash stack:

eamonm.sys    eamonm.sys+1bc9f    fffff880`02c0a000    fffff880`02cdb000    0x000d1000    0x5739d8c7    2016-05-16 16:27:19    ESET Security    Amon monitor    6.4.2012.0    ESET    C:\Windows\system32\drivers\eamonm.sys    

fltmgr.sys    fltmgr.sys+7012    fffff880`0113a000    fffff880`01186000    0x0004c000    0x4ce7929c    2010-11-20 11:19:24    System operacyjny Microsoft® Windows®    Menedżer filtrów systemu plików ###### Microsoft    6.1.7600.16385 (win7_rtm.090713-1255)    Microsoft Corporation    C:\Windows\system32\drivers\fltmgr.sys    

ZESFSMF.sys    ZESFSMF.sys+5f0d    fffff880`011e6000    fffff880`011fb000    0x00015000    0x52f4301e    2014-02-07 03:00:14    Novell ZENworks Endpoint Security    Novell ZESM File System Filter Driver    11.3.0.180    Novell, Inc    C:\Windows\system32\drivers\ZESFSMF.sys  

When I disable realtime scanning and application protocol filtering the problem goes away so this is something connected with EES.

 

Any ideas what could be the reason?

 

Regards

Pawel

[MartinK 378]

Could you also try to disable Novell ZENworks Endpoint Security instead of EES? Seems both products are monitoring filesystem.

[Marcos 5,070]

At least temporarily rename C:\Windows\system32\drivers\ZESFSMF.sys in safe mode and see if the issue occurs with ESET fully enabled.

[pgalos 0]

At least temporarily rename C:\Windows\system32\drivers\ZESFSMF.sys in safe mode and see if the issue occurs with ESET fully enabled.

I renamed ZESFSMF.sys two days ago, but there is no improvement.

There are still restarts but now system doesn't save dump files! In system event log I can only see that system was restarted without previous clear shutdown.

 

Nazwa dziennika:System

Źródło:        Microsoft-Windows-Kernel-Power

Data:          2016-10-05 00:54:27

Identyfikator zdarzenia:41

Kategoria zadania:(63)

Poziom:        Krytyczne

Słowa kluczowe:(2)

Użytkownik:    SYSTEM

Komputer:      h1mromanm

Opis:

System został uruchomiony ponownie bez uprzedniego czystego zamknięcia. Przyczyną tego błędu może być fakt, że system przestał odpowiadać, uległ awarii lub nastąpiła nieoczekiwana utrata zasilania.

Kod XML zdarzenia:

<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-Kernel-Power" Guid="{331C3B3A-2005-44C2-AC5E-77220C37D6B4}" />

    <EventID>41</EventID>

    <Version>2</Version>

    <Level>1</Level>

    <Task>63</Task>

    <Opcode>0</Opcode>

    <Keywords>0x8000000000000002</Keywords>

    <TimeCreated SystemTime="2016-10-04T22:54:27.918004200Z" />

    <EventRecordID>168858</EventRecordID>

    <Correlation />

    <Execution ProcessID="4" ThreadID="8" />

    <Channel>System</Channel>

    <Computer>h1mromanm</Computer>

    <Security UserID="S-1-5-18" />

  </System>

  <EventData>

    <Data Name="BugcheckCode">245</Data>

    <Data Name="BugcheckParameter1">0x6e</Data>

    <Data Name="BugcheckParameter2">0xfffffa80049cf880</Data>

    <Data Name="BugcheckParameter3">0xfffffa80049cf820</Data>

    <Data Name="BugcheckParameter4">0x0</Data>

    <Data Name="SleepInProgress">false</Data>

    <Data Name="PowerButtonTimestamp">0</Data>

  </EventData>

</Event>

 

Now I completely removed ZENWorks Agent from this machine but I don't suppose that it is the problem. We succesfully use this software on about 80 other machines...

And one more thing which is important: after a little investigation I suppose that problem started after upgrade EES form verision 6.3.2016 to 6.4.2014.2.

 

Pawel

Edited October 5, 2016 by pgalos