Loading...

Knowledge Center


System crash (blue screen) error with Bug Check 19 "BAD_POOL_HEADER" occurs with Endpoint Security and Host Intrusion Prevention
Technical Articles ID:   KB91624
Last Modified:  8/13/2019
Rated:


Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.6.1 July Update, 10.6.1 May Update, 10.5.5 July Update, 10.5.5 May Update
McAfee Host Intrusion Prevention (Host IPS) 8.0 Patch 13

Problem

A system crash (blue screen) error with Bug Check 19 "BAD_POOL_HEADER" might occur sporadically. It can occur in the following scenarios:
  • ENS Threat Prevention 10.5.5/10.6.1 May/July Update is present and AMCore content is installed.
  • ENS Threat Prevention 10.5.5/10.6.1 May/July Update is present with Exploit Prevention enabled and there is a mapped network drive that points to a non-drive letter.
  • Host IPS 8.0 Patch 13 is present with Exploit Prevention enabled and there is a mapped network drive that points to a non-drive letter.
To avoid any disruption in production environments, McAfee has decided to remove the Host IPS 8.0 Patch 13 package from the Product Downloads site. All customers who have downloaded this patch are requested to delete it and not deploy it in their production environment.

Cause

Possible causes of the blue screen error are:
  • There is an issue with AMCore that can trigger this issue.
  • There is an issue with Exploit Prevention that can trigger this issue. Exploit Prevention inspects file access to the remote location. While it compares remote data with local cached data, a buffer is exceeded. As a result, a blue screen error occurs when the buffer is freed. It is not possible to predict when the failure might occur because of several factors that must all align. But, the likelihood of the failure for environments that meet the requirements can be high depending on use of the network path.

Solution

This issue is resolved in the following releases:
  • ENS:
    • Threat Prevention (AMCore) related issue: This issue is resolved in ENS 10.5.5/10.6.1 July Update Repost.
      McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

      NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.
    • Exploit Prevention related issue: This issue is resolved in the ENS 10.5.5/10.6.1 July Update Repost Full Installer releases.
      McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

      NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.
  • Host IPS: This issue will be resolved in the re-release of Host IPS 8.0 Patch 13. For more information about this release, see KB91587. This article will be updated when this release is available.
    To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Workaround

There is no workaround available for the AMCore-related issue.

For the Exploit Prevention-related issue, the following workarounds exist to avoid the issue:
  • Remove the mapped drives that point to a non-drive letter, or reassign the mapped drives to a drive letter.
  • Take the following action for ENS or Host IPS:
    • ENS: Disable Exploit Prevention.
    • Host IPS: Disable IPS.

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.