Loading...

Knowledge Center


System crash (blue screen) with BugCheck D1 "DRIVER_IRQL_NOT_LESS_OR_EQUAL" occurs with Endpoint Security, McAfee Agent, or VirusScan Enterprise
Technical Articles ID:   KB87810
Last Modified:  7/19/2018

Environment

McAfee Agent 5.0.4.283, 5.0.3, 5.0.2.333
McAfee Endpoint Security (ENS) Firewall 10.2.0, 10.1.1, 10.1.0
McAfee ENS Threat Prevention 10.2.0, 10.1.1, 10.1.0
McAfee ENS Web Control 10.2.0, 10.1.1, 10.1.0
McAfee VirusScan Enterprise (VSE) 8.8.0 Patch 8, 8.8.0 Patch 7

Problem

In very rare circumstances a system may experience a system crash (blue screen) with a D1 BugCheck (DRIVER_IRQL_NOT_LESS_OR_EQUAL) involving the filter driver mfehidk.sys.

A .dmp file may show the following characteristics:
 
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000018, memory referenced
Arg2: 0000000000000002, IRQL

Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8003d14962b, address which referenced memory

STACK_TEXT:  
ffffd000`21fa8248 fffff800`14fd2ee9 : 00000000`0000000a 00000000`00000018 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffd000`21fa8250 fffff800`14fd173a : 00000000`00000000 ffffe801`f05f4120 ffffe801`e9ba7100 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffd000`21fa8390 fffff800`3d14962b : ffffe801`f05f4120 ffffd000`21fa86e8 ffffd000`21fa86d0 00000000`00000001 : nt!KiPageFault+0x23a
ffffd000`21fa8520 fffff800`3d117e0e : ffffe802`00000000 ffffe000`0e23c760 fffff800`3d190402 ffffe000`0e23c760 : mfehidk!ServiceRegistryAnchor::ProviderContext::DetachFilter+0x10b
ffffd000`21fa85a0 fffff800`3d11b943 : ffffe802`24690000 ffffd000`21fa86e8 ffffe801`ee019880 00000000`00000000 : mfehidk!FILEHOOKCONTROL::~FILEHOOKCONTROL+0x7e
ffffd000`21fa85d0 fffff800`3d153eaf : ffffe000`1a707b90 ffffe000`0e23c760 ffffd000`21fa86d0 ffffd000`21fa86e8 : mfehidk!FILEHOOKCONTROL::Release+0x33
ffffd000`21fa8600 fffff800`3d15a394 : ffffe000`1a707b90 ffffe801`f0e1add0 ffffe801`ee019880 ffffe000`00000000 : mfehidk!VHMINI_FILEIO::~VHMINI_FILEIO+0x4f
ffffd000`21fa8630 fffff800`3b44203f : ffffe000`0a2badb0 ffffd000`21fa8719 ffffe801`ee019bc0 ffffe801`ed565c58 : mfehidk!VOLHOOKMINI::ProcessClosePre+0xb4
ffffd000`21fa8670 fffff800`3b4435ac : ffffd000`21fa8880 00000000`00000000 ffffe801`e9aafd00 00000000`00000002 : fltmgr!FltpPerformPreCallbacks+0x29f
ffffd000`21fa8780 fffff800`3b4415ce : ffffe000`0e23c6e0 ffffd000`21fa8800 ffffe000`07624fb0 ffffd000`21fa8820 : fltmgr!FltpPassThroughInternal+0x8c
ffffd000`21fa87b0 fffff800`3b4410aa : ffffe801`e9aafdf0 ffffe000`07624c10 ffffe000`07624c10 fffff800`15015164 : fltmgr!FltpPassThrough+0x2be
ffffd000`21fa8860 fffff800`1523bb0c : ffffe000`0a2badb0 ffffe801`e9b5d030 ffffe000`07624c10 00000000`00000001 : fltmgr!FltpDispatch+0x9a
ffffd000`21fa88c0 fffff800`15277e0c : 00000000`00000000 ffffe000`0a2badb0 ffffe000`03970c60 ffffe000`0a2bad80 : nt!IopDeleteFile+0x128
ffffd000`21fa8940 fffff800`14ee683f : 00000000`00000000 ffffd000`21fa8a99 ffffe000`0a2badb0 ffffe000`0a2bad80 : nt!ObpRemoveObjectRoutine+0x64
ffffd000`21fa89a0 fffff800`1522ea45 : ffffe000`03970c60 00000000`00000000 ffffd000`21fa8a99 00000000`00000000 : nt!ObfDereferenceObjectWithTag+0x8f
ffffd000`21fa89e0 fffff800`14fd2bb3 : ffffe000`0db67080 00000000`00000000 00000000`70cad680 0000000b`ad04a288 : nt!NtClose+0x205
ffffd000`21fa8b00 00007ffb`239c07aa : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`70cacea8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`239c07aa

Cause

A reference count mechanism was not decrementing appropriately and led to memory address wrapping and accessing invalid memory.

Solution

This issue is resolved in ENS 10.1.2.
McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.


This issue is resolved in Endpoint Security 10.2.1, which is available from the Product Downloads site at: http://mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

Updates are cumulative; Technical Support recommends that you install the latest one.

Solution

This issue is resolved in VirusScan Enterprise 8.8.0 Update 9, which is available from the Product Downloads site at: http://mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

Updates are cumulative; Technical Support recommends that you install the latest one.

Solution

This issue will be resolved in a future release of McAfee Agent.

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Languages:

This article is available in the following languages:

English United States
Japanese

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.