Random system restarts with Bug Check 3B referencing the mfehidk.sys driver
Last Modified: 2022-11-01 15:29:56 Etc/GMT
Technical Articles ID: KB90836

Environment
Endpoint Security (ENS) 10.6.0
Microsoft Windows Server 2012 R2

Problem
Occasional random system restarts occur with Bug Check 3B referencing the mfehidk.sys driver:

An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff801fcfa3e28, Address of the instruction which caused the bugcheck
Arg3: ffffd00023df83a0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------
DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 9600.18589.amd64fre.winblue_ltsb.170204-0600
SYSTEM_MANUFACTURER: VMware, Inc.
VIRTUAL_MACHINE: VMware
SYSTEM_PRODUCT_NAME: VMware Virtual Platform
SYSTEM_VERSION: None
BIOS_VENDOR: Phoenix Technologies LTD
BIOS_VERSION: 6.00
BIOS_DATE: 09/21/2015
BASEBOARD_MANUFACTURER: Intel Corporation
BASEBOARD_PRODUCT: 440BX Desktop Reference Platform
BASEBOARD_VERSION: None
DUMP_TYPE: 1
BUGCHECK_P1: c0000005
BUGCHECK_P2: fffff801fcfa3e28
BUGCHECK_P3: ffffd00023df83a0
BUGCHECK_P4: 0
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
FAULTING_IP:
fltmgr!FltpGetNextCallbackNodeForInstance+78
fffff801`fcfa3e28 8b4728 mov eax,dword ptr [rdi+28h]
CONTEXT: ffffd00023df83a0 -- (.cxr 0xffffd00023df83a0)
rax=ffffe000ee0a2c80 rbx=ffffe000f61c48e8 rcx=0000000000000011
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801fcfa3e28 rsp=ffffd00023df8dd0 rbp=ffffd00023df8e00
r8=0000000000000000 r9=0000000063664d46 r10=fffff801fcfc16c0
r11=ffffc001ca551a60 r12=ffffe000f61c4880 r13=0000000000000016
r14=ffffe000ee0a2c80 r15=ffffe000f61c47f0
iopl=0 nv up ei pl nz ac po cy
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010217
fltmgr!FltpGetNextCallbackNodeForInstance+0x78:
fffff801`fcfa3e28 8b4728 mov eax,dword ptr [rdi+28h] ds:002b:00000000`00000028=????????
Resetting default scope
CPU_COUNT: 2
CPU_MHZ: 7ce
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 4f
CPU_STEPPING: 1
CPU_MICROCODE: 6,4f,1,0 (F,M,S,R) SIG: B00002A'00000000 (cache) B00002A'00000000 (init)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0x3B
PROCESS_NAME: mcshield.exe
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: 5CG70874YK850
ANALYSIS_SESSION_TIME: 08-16-2018 15:02:15.0752
ANALYSIS_VERSION: 10.0.16299.91 amd64fre
LAST_CONTROL_TRANSFER: from fffff801fcfca8fd to fffff801fcfa3e28
STACK_TEXT:
ffffd000`23df8dd0 fffff801`fcfca8fd : ffffe000`f419c270 ffffd000`23df8e60 ffffe000`ee94aad0 ffffd000`23df8f40 : fltmgr!FltpGetNextCallbackNodeForInstance+0x78
ffffd000`23df8e20 fffff801`fcfcabe1 : ffffe000`ee94aad0 ffffd000`23df92b0 ffffe000`f419c200 00000001`00140011 : fltmgr!TargetedIOCtrlGenerateECP+0x165
ffffd000`23df8e90 fffff801`fcfcaec8 : 00000000`00000160 ffffd000`23df9138 ffffd000`23df9270 ffffd000`23df92b0 : fltmgr!FltpCreateFile+0xdd
ffffd000`23df8f90 fffff801`fd134f4e : ffffe000`ee94aad0 00000000`00000160 ffffd000`23df9270 ffffd000`23df92b0 : fltmgr!FltCreateFileEx2+0xd0
ffffd000`23df90b0 fffff801`fd13757d : ffffc001`c7b06800 00000000`00000000 ffffd000`23df9368 ffffd000`23df9370 : mfehidk+0x78f4e
ffffd000`23df91f0 fffff801`fd0eccfb : 00000000`00000000 ffffe000`f391b3d8 00000000`00000000 00000000`0000002a : mfehidk+0x7b57d
ffffd000`23df92b0 fffff801`fd0ea824 : ffffe000`ee98c000 00000000`00000000 00000000`00000000 ffffe000`ee084380 : mfehidk+0x30cfb
ffffd000`23df9460 fffff801`fe31c761 : ffffe000`f391b3d8 00000000`00000000 00000000`00000000 fffff801`00000800 : mfehidk+0x2e824
ffffd000`23df9530 fffff801`fe31c564 : ffffe000`f198fd60 ffffffff`ffffffff 00000000`00120181 ffffe000`f24e7c08 : mfencbdc+0x3c761
ffffd000`23df96a0 fffff801`fe2e6cd5 : 00000000`00000000 ffffe000`f198fd60 ffffe000`f391b3c0 00000000`c000a1c4 : mfencbdc+0x3c564
ffffd000`23df9710 fffff801`fe33b74a : 00000000`00000000 00000000`00000000 ffffe000`f4356680 00000000`00000000 : mfencbdc+0x6cd5
ffffd000`23df9790 fffff801`2c929b2b : 00000000`00000002 ffffd000`23df9891 ffffe000`f198fd60 ffffe000`f24e6900 : mfencbdc+0x5b74a
ffffd000`23df9810 fffff801`2c92aa66 : ffffe000`f198fd05 ffffd000`23df9b80 ffffe000`f2ff6c00 ffffe000`f198fd60 : nt!IopSynchronousServiceTail+0x32b
ffffd000`23df98e0 fffff801`2c8faac2 : ffffd000`23df9a38 00000000`00000964 00000000`00000000 000000c4`82ed8450 : nt!IopXxxControlFile+0xd86
ffffd000`23df9a20 fffff801`2c5e8ab3 : ffffe000`f41ae080 fffff801`001f0003 000000c4`82ed8398 000000c4`00000001 : nt!NtDeviceIoControlFile+0x56
ffffd000`23df9a90 00007ff9`22d1072a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
000000c4`82ed8348 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff9`22d1072a
THREAD_SHA1_HASH_MOD_FUNC: e55abea43685c9e4cac5cc937e620a54936d1fbc
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 6d7512cf71b14fb85b7391e6846f8b4077fe8f7b
THREAD_SHA1_HASH_MOD: 13c7797a3cff740f8a291e133da14c64d3fd0e12
FOLLOWUP_IP:
mfehidk+78f4e
fffff801`fd134f4e 440fb68c24b8010000 movzx r9d,byte ptr [rsp+1B8h]
FAULT_INSTR_CODE: 8cb60f44
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: mfehidk+78f4e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: mfehidk
IMAGE_NAME: mfehidk.sys

Solution
This issue is resolved in Endpoint Security 10.6.1, which is available from the Product Downloads site.

NOTE: You need a valid Grant Number for access. For more information about the Product Downloads site, and alternate locations for some products, see KB56057 - How to download Enterprise product updates and documentation.

Updates are cumulative; Technical Support recommends that you install the latest one.
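
As an added example (not Trellix code), the following Python script checks whether saved !analyze -v text carries the same signature as the dump in this article, so that ENS 10.6.0 hosts hitting this issue can be separated from unrelated 0x3B crashes. The match criteria, the function names and the abbreviated sample are assumptions made for illustration.

```python
import re

FRAME = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8} : .*? : (\S+)$")
FIELD = re.compile(r"^([A-Z_0-9]+):[ \t]*(.*)$")

# Constructed sample: fields and frames taken from the dump above, stack arguments elided.
SAMPLE = """\
BUGCHECK_STR:  0x3B
PROCESS_NAME:  mcshield.exe
FAULTING_IP:
fltmgr!FltpGetNextCallbackNodeForInstance+78
STACK_TEXT:
ffffd000`23df8dd0 fffff801`fcfca8fd : <args> : fltmgr!FltpGetNextCallbackNodeForInstance+0x78
ffffd000`23df8f90 fffff801`fd134f4e : <args> : fltmgr!FltCreateFileEx2+0xd0
ffffd000`23df90b0 fffff801`fd13757d : <args> : mfehidk+0x78f4e
ffffd000`23df9530 fffff801`fe31c564 : <args> : mfencbdc+0x3c761
IMAGE_NAME:  mfehidk.sys
"""

def parse_analysis(text):
    """Return (fields, call_sites) parsed from WinDbg '!analyze -v' text."""
    fields, frames, pending = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        frame, field = FRAME.match(line), FIELD.match(line)
        if frame:
            frames.append(frame.group(1))      # call site, e.g. mfehidk+0x78f4e
            pending = None
        elif field:
            fields[field.group(1)] = field.group(2)
            # Keys such as FAULTING_IP carry their value on the following line.
            pending = field.group(1) if not field.group(2) else None
        elif pending and line:
            fields[pending] = line
            pending = None
    return fields, frames

def module_of(symbol):
    return re.split(r"[!+]", symbol, maxsplit=1)[0].lower()  # "fltmgr!Fn+0x78" -> "fltmgr"

def matches_kb90836(text):
    """Assumed criteria: 0x3B in fltmgr, reached directly from mfehidk.sys."""
    fields, frames = parse_analysis(text)
    caller = next((m for m in map(module_of, frames) if m != "fltmgr"), None)
    return (
        fields.get("BUGCHECK_STR", "").lower() == "0x3b"
        and fields.get("FAULTING_IP", "").startswith("fltmgr!FltpGetNextCallbackNodeForInstance")
        and caller == "mfehidk"                # first frame below Filter Manager
        and fields.get("IMAGE_NAME", "").lower() == "mfehidk.sys"
    )
```
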