Antimalware software that does real-time scanning needs to perform file I/O interception. ENSLTP uses system call patching to achieve this interception. That means it changes the memory reference of the system calls (open and close) in the system call table. These memory addresses are valid until the point the kernel module is loaded.
 

While stopping antimalware services (for a shutdown), the memory references are reverted to the original value. Further calls to open and close system calls by an application get the original address. At this point, the new patched memory addresses are still valid. After the kernel module is unloaded, any further reference by applications to these patched memory addresses result in a kernel panic.
 

One way of reducing the chance of the kernel panic during shutdown is to delay the module unloading after the memory addresses are unpatched. Then, any older references to the patched memory addresses are still processed. The ENSLTP kernel module already has a considerable wait between memory address unpatching and unload of the modules.
 

When using the Interstage Application Server, the application is holding the reference to the new patched addresses for a longer period, even after the ENSLTP kernel module is unloaded, which results in a kernel panic. In summary, whether a kernel panic occurs depends on what point the application references patched memory addresses. There is no way to find out in the kernel whether any application is holding an old memory reference, and so no way to determine with certainty how long to wait.