Symantec Weak IPS Definitions Fixes Windows BSOD

Windows BSOD

Symantec has fixed a problem that was causing Blue Screens of Death (BSOD) for customers running Endpoint Protection on Windows 7 through Windows 10.

According to users on Facebook, Reddit and Symantec’s support forums [1, 2], their Windows computers began hitting BSODs after applying the October 14 Intrusion Prevention System (IPS) definitions.

Although Symantec has yet to officially state which Windows versions are affected, customer reports indicate that the issue affects at least Windows 7, Windows 8 and Windows 10 [1, 2, 3] systems, with tens, if not thousands, of machines blue-screening.

New Intrusion Prevention Signatures Released

“The reason behind the BAD POOL CALLER (c2) or KERNEL MODE HEAP CORRUPTION (13A) exception is that Endpoint Protection Client receives a Blue Screen Of Death (BSOD) while running LiveUpdate,” Symantec acknowledged in an earlier support article.

“The Intrusion Prevention signature version is 2019/10/14 r61 when the BSOD happens,” the company added.

Symantec later addressed the problem by releasing the 2019/10/14 r62 Intrusion Prevention signatures, which are applied automatically when users rerun LiveUpdate.

Users who have not yet experienced BSODs are advised to “return to a previously known good content revision to prevent BSOD,” following the rollback procedure described in Symantec’s step-by-step definition rollback instructions.

Workarounds for BSOD

Customers who cannot obtain the new signatures by running LiveUpdate on their devices can use the following workaround:

  1. Boot into Safe Mode and perform the following steps for x64 or x86 installations of SEP,
  2. From cmd, run sc config idsvia64 start= disabled (x64) or sc config idsviax86 start= disabled (x86); note that sc requires the space after "start=",
  3. Reboot in normal mode,
  4. Update the IPS definitions,
  5. From cmd, run sc config idsvia64 start= system (x64) or sc config idsviax86 start= system (x86),
  6. Reboot.
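The same workaround as a script, added here as an example and not Symantec's own tooling: it assumes the service names idsvia64 and idsviax86 from the steps above, must run from an elevated PowerShell, and checks the boot state and the resulting start type so a typo in the sc syntax does not go unnoticed.

```powershell
# Added example: automates the two sc.exe steps of the Symantec IPS BSOD workaround.
# Not Symantec's script. Assumes SEP's IPS driver service is idsvia64 (x64) or
# idsviax86 (x86), as given in the steps above. Run from an elevated prompt.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Disable', 'Restore')]
    [string]$Phase
)

# Step 1: pick the service name matching this machine's architecture.
$svc = if ([Environment]::Is64BitOperatingSystem) { 'idsvia64' } else { 'idsviax86' }

# The 'Disable' phase is meant to run from Safe Mode; refuse a normal boot.
$boot = (Get-CimInstance Win32_ComputerSystem).BootupState
if ($Phase -eq 'Disable' -and $boot -notmatch 'Fail-safe') {
    throw "Boot into Safe Mode first (current boot state: '$boot')."
}

if (-not (Get-Service -Name $svc -ErrorAction SilentlyContinue)) {
    throw "Service $svc not found; is Symantec Endpoint Protection installed?"
}

# Steps 2 and 5. 'sc' alone is a PowerShell alias for Set-Content, so call sc.exe
# explicitly, and keep the trailing space after 'start=' that sc.exe requires.
$start = if ($Phase -eq 'Disable') { 'disabled' } else { 'system' }
& sc.exe config $svc 'start=' $start
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# Verify by reading the configured start type back (START_TYPE : 4 DISABLED / 1 SYSTEM_START).
$expected = if ($Phase -eq 'Disable') { 'DISABLED' } else { 'SYSTEM_START' }
$qc = (& sc.exe qc $svc) -join "`n"
if ($qc -notmatch "START_TYPE\s*:\s*\d+\s+$expected") {
    throw "Start type of $svc was not changed to $expected; check the sc.exe output."
}

Write-Host "$svc start type is now $expected."
if ($Phase -eq 'Disable') {
    Write-Host 'Next: reboot normally, update the IPS definitions, then rerun with -Phase Restore.'
} else {
    Write-Host 'Next: reboot to load the IPS driver with the updated definitions.'
}
```

Run it once with -Phase Disable from Safe Mode and once with -Phase Restore after the definitions have updated; each run corresponds to one of the two sc config steps.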

If the new definitions cannot be downloaded without triggering a BSOD, customers can also update or install the network-based protection (IPS) definitions offline.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.