Share on email
Share on print
Share on facebook
Share on google
Share on twitter
Share on linkedin

Blue Screen of Death issues when running NOD32 Anti-Virus

IMPORTANT: Updated information available here.

Hi everyone,

The BackupAssist help desk has had several reports of various Blue Screen of Death (BSOD) errors occurring either during or around the scheduled time of backup.

The known causes of a small number of these errors are directly related to BackupAssist, which are issues that our development team is working hard at resolving.

We have recently discovered, with the help of some of our Resellers, that one of these BSOD issues is caused by a process called ekrn.exe, which belongs to the NOD32 Anti-virus application.

We discovered this by debugging the crash dump file that is generated by Windows whenever a BSOD error occurs. The default location of the crash dump file is %SystemRoot%\MEMORY.DMP

Examining a crash dump basically involves the following:

1.       Download and install the Windows debugging tools from here.

2.       Open WinDbg from the Start Menu > Programs > Windows Debugging Tools

3.       Go to File > Open Crash Dump and locate the relevant Crash Dump File

4.       Enter !analyze -v

For full instructions on how to examine a crash dump file refer to the following Microsoft Technet article: http://blogs.technet.com/b/deploymentguys/archive/2008/08/01/working-with-crashdumps-debugger-101.aspx. You may, for instance, need to specify a Symbol File Path as described in this article.

If the BSOD error you experience is related to NOD32 Anti-virus you will see a debugging output similar  to the following after running the !analyze –v command.

Debugging Details:

——————

PROCESS_NAME:  ekrn.exe

BUGCHECK_STR:  RAISED_IRQL_FAULT

FAULTING_IP: +3266623163373862 00000000`7518385e ??              ???

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

CURRENT_IRQL:  1

LAST_CONTROL_TRANSFER:  from fffff80001a5e26e to fffff80001a5e4d0

STACK_TEXT:

fffffa60`066c1a68 fffff800`01a5e26e : 00000000`0000004a 00000000`7518385e 00000000`00000001 00000000`00000000 : nt!KeBugCheckEx

fffffa60`066c1a70 fffff800`01a5e184 : 00000000`00000000 fffffa60`066c1ca0 00000000`04ecf120 00000000`011da474 : nt!KiBugCheckDispatch+0x6e

fffffa60`066c1bb0 00000000`7518385e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x209

00000000`04ecf0a8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7518385e

STACK_COMMAND:  kb

FOLLOWUP_IP:

nt!KiSystemServiceExit+209

fffff800`01a5e184 4883ec50        sub     rsp,50h

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  nt!KiSystemServiceExit+209

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4c0e5ae3

FAILURE_BUCKET_ID:  X64_RAISED_IRQL_FAULT_ekrn.exe_nt!KiSystemServiceExit+209

BUCKET_ID:  X64_RAISED_IRQL_FAULT_ekrn.exe_nt!KiSystemServiceExit+209

——————————————————————

If the following are listed along with the ntkrnlmp.exe process, the crash was most likely caused by the observed incompatibility with NOD (ekrn.exe is related to NOD32).

FAILURE_BUCKET_ID:  X64_RAISED_IRQL_FAULT_ekrn.exe_nt!KiSystemServiceExit+209 and
BUCKET_ID:  X64_RAISED_IRQL_FAULT_ekrn.exe_nt!KiSystemServiceExit+209

As mentioned, this crash may occur during the backup so it’s easy to label BackupAssist as the culprit. We have attempted to try and stop the NOD32 services with a script, however even running as a domain administrator we receive ‘Access is denied’ errors. Upon researching this further, stopping the service seems to be quite a common issue experienced by NOD32 users.

Note: Our reseller has confirmed that fully uninstalling NOD32 on his system that the BSOD errors relating to this have ceased.

We do apologize for any inconvenience to those users which are experiencing BSOD issues. If you’re wanting  confirmation of what may be causing your system to blue screen, please forward the crash dump file through to support@backupassist.com and we’ll take a look at this for you to let you know if it’s a specific BackupAssist issue or not.

Thanks,
BackupAssist Support

3 thoughts on “Blue Screen of Death issues when running NOD32 Anti-Virus”

  1. Hi Chris,

    While we agree that this is an issue, unfortunately the root cause of this is from an external process to BackupAssist, which we don’t have any say in.

    The aim of the blog was to let people know about the issue and the workarounds as far as our scope allows us to dictate. To get an ultimate resolution, there will need to be changes to the ekrn.exe process which BackupAssist doesn’t have any control over (unless we script within BackupAssist to stop the NOD32 services whenever a backup runs – which is a security risk and not a resolution at all).

    Thanks,

    Stuart
    BackupAssist Support

    Reply
  2. Hi Chris,

    I have been in touch with ESET on 28th April via their forum regarding the BSOD issue you were experiencing.
    On April 29th, Marcos (ESET Moderator) replied and asked that the latest version (4.2.71) of NOD32 be installed on the system. If this is installed and you’re still receiving the BSOD, then you’ll need to generate a full crash dump from the system.
    Once a crash dump is available, Marcos indicated that he could provide further assistance if you submit this to them directly.

    The details for retrieving the crash dump this are included in this blog post.

    You can also find the forum thread I mentioned at http://www.wilderssecurity.com/showthread.php?p=1865103#post1865103.

    If you have any further questions, please direct them to support@backupassist.com so that we can answer them for you.

    Thanks,
    Stuart

    Reply
  3. Hi everyone,

    We have been able to implement a patch which ESET has passed onto us. Since we implemented this over 2 weeks ago, the system has no longer experienced a BSOD.
    We have deemed this to be sufficient evidence that the issue can now be resolved easily.

    To test this patch out, please direct your interest to ESET directly or add your details on the thread at http://www.wilderssecurity.com/showthread.php?p=1865103#post1865103 so that an ESET representative can contact you directly.

    Thanks,
    Stuart
    The BackupAssist Team

    Reply

Leave a Comment

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email. Join 1,874 other subscribers