Solved

Anti-Virus Crashing Server

Posted on 2006-11-27
17
810 Views
Last Modified: 2008-03-06
Hi,

We have a few Windows 2003 Servers that have been crashing lately.  Here are a few error messages that I was able to capture:

http://static.flickr.com/102/307686879_4d73a68c3e.jpg?v=0

http://static.flickr.com/121/307686883_41af8d5619.jpg?v=0

http://static.flickr.com/120/307686885_1ce8f00d46.jpg?v=0

I believe that the problem could be the latest version of our Anti-Virus program.  We are currently running the latest Authentium Command Anti Virus, version 4.93.8.  We never had any servers crashing before, until this newest install.  The problem is that it happens randomly, so I cannot pinpoint when it is going to crash.  Also, it seems to only happen to a few of the 6 servers that have the new update.  I uninstalled the Anti-Virus on one of the servers that was having problems, and it stopped crashing.

I want to contact Authentium, but I need proof that it is their program that is causing the problems.  Is there some sort of log that I can look at that will show exactly what driver is giving me the problem?  I checked the Event Viewer, and was not able to find such information.

Please help....thanks!
0
Question by:rgutwein
17 Comments
 
LVL 76

Expert Comment

by:arnold
Do you have DFS and DFS replication setup on these servers?  Roaming profiles?
Try excluding TEMP from the anti-virus scan on one system that keeps crashing.
0
 
LVL 5

Author Comment

by:rgutwein
Hi, Thanks for the quick response....what is DFS?
0
 
LVL 76

Expert Comment

by:arnold
Distributed File System (for shares and data replication).  Are you using roaming profiles?
http://www.microsoft.com/windowsserver2003/technologies/storage/dfs/default.mspx
0
 
LVL 5

Author Comment

by:rgutwein
Hi Arnold,

Thanks for the response...we are not using Roaming profiles.
0
 
LVL 38

Expert Comment

by:younghv
Hi rgutwein,
Have you checked your "Event Viewer" logs (Application or System) for any Warning or Error messages at the time the servers are crashing?

Vic
0
 
LVL 5

Author Comment

by:rgutwein
Hi younghv,

I checked the event viewer, and it looks normal, except for the error message I posted above.  Thanks for the response!
0
 
LVL 38

Expert Comment

by:younghv
I don't have access to those websites from work, but will check them later.
0
 
LVL 20

Expert Comment

by:jimmymcp02
Please see the following article; it looks like the issue that you are describing.

http://support.microsoft.com/kb/892260/en-us
0
 
LVL 5

Expert Comment

by:megs28
Also remember to exclude the sysvol and netlogons folders from being scanned by your AV client.
0
 
LVL 10

Expert Comment

by:Phadke_hemant
Or maybe temporarily remove the antivirus and then check.
0
 
LVL 5

Expert Comment

by:sunilswain
Hi,

Please check the Event Viewer for any errors and provide a snapshot here. Those errors will surely point towards the error.
0
 
LVL 20

Expert Comment

by:cpc2004
Hi,

Dump analysis is the formal way to find the culprit. Attach the minidump to any webspace and post the URL link here. You can find the minidumps in the folder \winnt\minidumps

If you don't have webspace, use free public webspace.

Get public webspace:
Use a free service like rapidshare to attach the minidumps and post the URL of the minidumps in this thread.
http://www.rapidshare.de/

cpc2004
0
 
LVL 5

Author Comment

by:rgutwein
Thanks for the response.

I have uploaded all the Minidump files from the two servers that are giving me trouble.  It can be found here:

http://www.box.net/public/btygimej9p


Thanks!


Randy
0
 
LVL 20

Accepted Solution

by: cpc2004 (earned 500 total points)
Hi,

The crashes are caused by css_dvp.exe. It is reported to be an unstable device driver. Refer to the Microsoft webpage:
http://support.microsoft.com/kb/883775

Debug report of Server 1
Mini110306-01.dmp BugCheck C5, {4, 2, 1, 8089bac3}
Owning Process            88a70020       Image:         userinit.exe
Probably caused by : css-dvp.sys ( css_dvp+13969 )

Mini110606-01.dmp BugCheck C2, {47, 88dd6000, 8dd6, 7ffef}
Owning Process            88849020       Image:         userinit.exe
Probably caused by : css-dvp.sys ( css_dvp+139f6 )

Mini110806-01.dmp BugCheck C2, {47, 89454000, 9454, 7ffef}
Owning Process            89747c58       Image:         java.exe
Probably caused by : css-dvp.sys ( css_dvp+139f6 )

Debug report of Server2
Mini101406-01.dmp BugCheck C2, {47, 88157000, 8157, 7ffef}
Owning Process            885a85d8       Image:         userinit.exe
Probably caused by : css-dvp.sys ( css_dvp+139f6 )

Mini101906-01.dmp BugCheck D1, {3f3f0100, 2, 0, bac4c0d9}
Owning Process            892e5ba8       Image:         svchost.exe
Probably caused by : TDI.SYS ( TDI!CTEpTimerHandler+f )

Mini112006-01.dmp BugCheck C5, {4, 2, 1, 8089bac3}
Owning Process            89310500       Image:         svchost.exe
Probably caused by : css-dvp.sys ( css_dvp+109c7 )

Mini112206-01.dmp BugCheck 19, {20, 88d0d4e0, 88d0d6f8, a43009c}
Owning Process            893b39d0       Image:         svchost.exe
Probably caused by : css-dvp.sys ( css_dvp+10b63 )

cpc2004
0
 
LVL 20

Expert Comment

by:cpc2004
Hi,

Refer to the debug report of Mini110306-01.dmp.txt: the stack trace has the footprint of css_dvp.  Obviously it is a software error in the anti-virus software.

BugCheck C5, {4, 2, 1, 8089bac3}

Unable to load image \SystemRoot\system32\DRIVERS\css-dvp.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for css-dvp.sys
*** ERROR: Module load completed but symbols could not be loaded for css-dvp.sys
Probably caused by : css-dvp.sys ( css_dvp+13969 )
DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is
caused by drivers that have corrupted the system pool.  Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 8089bac3, address which referenced memory

Debugging Details:
------------------
BUGCHECK_STR:  0xC5_2
CURRENT_IRQL:  2

FAULTING_IP:
nt!ExAllocatePoolWithTag+83f
8089bac3 897004          mov     dword ptr [eax+4],esi

CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP
PROCESS_NAME:  userinit.exe

TRAP_FRAME:  ba5ca5a0 -- (.trap ffffffffba5ca5a0)
.trap ffffffffba5ca5a0
ErrCode = 00000002
eax=00000000 ebx=808b75c0 ecx=808b9140 edx=00000004 esi=808b7618 edi=88970e70
eip=8089bac3 esp=ba5ca614 ebp=ba5ca650 iopl=0         nv up ei pl nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212
nt!ExAllocatePoolWithTag+0x83f:
8089bac3 897004          mov     dword ptr [eax+4],esi ds:0023:00000004=????????
.trap
Resetting default scope

LAST_CONTROL_TRANSFER:  from 8089bac3 to 80837ed5

STACK_TEXT:  
ba5ca5a0 8089bac3 badb0d00 00000004 f7727568 nt!KiTrap0E+0x2a7
ba5ca650 b9694969 00000000 00000000 206b6444 nt!ExAllocatePoolWithTag+0x83f
WARNING: Stack unwind information not available. Following frames may be wrong.
ba5ca68c b9697e23 00000012 b96bfc4a 00000012 css_dvp+0x13969
ba5ca76c 8089c622 888f3838 00000000 ba5ca7ac css_dvp+0x16e23
ba5ca77c b96949f6 888f3838 0000013c 00000000 nt!ExFreePool+0xf
ba5ca7ac b9728e78 b9728eb8 89350b26 89de6079 css_dvp+0x139f6
ba5ca7b0 b9728eb8 89350b26 89de6079 00000000 css_dvp+0xa7e78
ba5ca7b4 89350b26 89de6079 00000000 0000003e css_dvp+0xa7eb8
ba5ca7b8 89de6079 00000000 0000003e 888f3842 0x89350b26
ba5ca7bc 00000000 0000003e 888f3842 000000ed 0x89de6079

STACK_COMMAND:  kb

FOLLOWUP_IP:
css_dvp+13969
b9694969 ??              ???

SYMBOL_STACK_INDEX:  2
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: css_dvp
IMAGE_NAME:  css-dvp.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4484781c
SYMBOL_NAME:  css_dvp+13969
FAILURE_BUCKET_ID:  0xC5_2_css_dvp+13969
BUCKET_ID:  0xC5_2_css_dvp+13969
0
 
LVL 5

Author Comment

by:rgutwein
Thank you so much!  What software did you use to debug those Mini-dump files?  Also, how would I go about resolving this issue?

Thanks again!
0
 
LVL 20

Expert Comment

by:cpc2004
Hi,

I use Microsoft WinDbg to format the minidump.

Refer to the following webpage for basic minidump analysis:
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=4981

However, the minidump is easy to format, but it is difficult to interpret the debug report.

cpc2004
0
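The per-dump summaries in cpc2004's accepted answer and the remark just above that a debug report is easy to produce but hard to interpret both come down to one triage step: across several dumps from several servers, does the same module keep getting blamed, and do the bug check codes tell a consistent story? The script below is an added example (Python, not code from this thread, from WinDbg or from Authentium) that parses summaries in the format cpc2004 posted and tallies the attributions. SAMPLE_REPORT is constructed from the seven entries in the accepted answer; the bug check names are the standard WinDbg names for those codes. To produce such a summary yourself, the cdb command-line debugger that ships with WinDbg accepts `cdb -z <dump> -c "!analyze -v; q"` (with `-y` pointing at a symbol path); that invocation is given from general knowledge of the tool, not from the thread.

```python
"""Triage helper: tally the "Probably caused by" attributions across a set of
WinDbg !analyze -v summaries so a single blamed module stands out.

Constructed example, not code from the thread.  SAMPLE_REPORT below is built
from the per-dump summaries posted in the accepted answer.
"""
import re
from collections import Counter

# Standard WinDbg names for the bug check codes seen in the thread.
BUGCHECK_NAMES = {
    "19": "BAD_POOL_HEADER",
    "C2": "BAD_POOL_CALLER",
    "C5": "DRIVER_CORRUPTED_EXPOOL",
    "D1": "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}
# Bug checks raised when the kernel pool has been corrupted.  A driver that
# corrupts pool memory can crash *other* code later (the next ExAllocatePool
# or ExFreePool call, or an unrelated driver such as TDI.SYS), so one dump
# that blames a different module does not clear the suspect; the pattern
# across all dumps is what matters.
POOL_CORRUPTION_CODES = {"19", "C2", "C5"}

DUMP_RE = re.compile(
    r"^(?P<dump>\S+\.dmp)\s+BugCheck\s+(?P<code>[0-9A-Fa-f]+),\s*\{(?P<args>[^}]*)\}")
PROC_RE = re.compile(r"Image:\s+(?P<proc>\S+)")
CAUSE_RE = re.compile(
    r"Probably caused by\s*:\s*(?P<module>\S+)\s*\(\s*(?P<symbol>[^)]+?)\s*\)")


def parse_reports(text):
    """Parse per-dump summaries into dicts with keys dump, code, name, args,
    process, module and symbol.  A new record starts at each '<file>.dmp
    BugCheck ...' line; the following lines fill in process and cause."""
    records, current = [], None
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            code = m["code"].upper()
            current = {"dump": m["dump"], "code": code,
                       "name": BUGCHECK_NAMES.get(code, "UNKNOWN"),
                       "args": [a.strip() for a in m["args"].split(",")],
                       "process": None, "module": None, "symbol": None}
            records.append(current)
        elif current is not None:
            pm = PROC_RE.search(line)
            cm = CAUSE_RE.search(line)
            if pm:
                current["process"] = pm["proc"]
            elif cm:
                current["module"], current["symbol"] = cm["module"], cm["symbol"]
    return records


def attributions(records):
    """Count how many dumps blame each module."""
    return Counter(r["module"] for r in records if r["module"])


def dominant_module(records):
    """(module, count, share of all dumps) for the most-blamed module."""
    counts = attributions(records)
    if not counts:
        return None
    module, n = counts.most_common(1)[0]
    return module, n, n / len(records)


def pool_corruption_share(records):
    """Fraction of dumps whose bug check indicates a corrupted kernel pool."""
    if not records:
        return 0.0
    return sum(r["code"] in POOL_CORRUPTION_CODES for r in records) / len(records)


# Constructed from the seven summaries in the accepted answer (two servers).
SAMPLE_REPORT = """
Mini110306-01.dmp BugCheck C5, {4, 2, 1, 8089bac3}
Owning Process            88a70020       Image:         userinit.exe
Probably caused by : css-dvp.sys ( css_dvp+13969 )

Mini110606-01.dmp BugCheck C2, {47, 88dd6000, 8dd6, 7ffef}
Owning Process            88849020       Image:         userinit.exe
Probably caused by : css-dvp.sys ( css_dvp+139f6 )

Mini110806-01.dmp BugCheck C2, {47, 89454000, 9454, 7ffef}
Owning Process            89747c58       Image:         java.exe
Probably caused by : css-dvp.sys ( css_dvp+139f6 )

Mini101406-01.dmp BugCheck C2, {47, 88157000, 8157, 7ffef}
Owning Process            885a85d8       Image:         userinit.exe
Probably caused by : css-dvp.sys ( css_dvp+139f6 )

Mini101906-01.dmp BugCheck D1, {3f3f0100, 2, 0, bac4c0d9}
Owning Process            892e5ba8       Image:         svchost.exe
Probably caused by : TDI.SYS ( TDI!CTEpTimerHandler+f )

Mini112006-01.dmp BugCheck C5, {4, 2, 1, 8089bac3}
Owning Process            89310500       Image:         svchost.exe
Probably caused by : css-dvp.sys ( css_dvp+109c7 )

Mini112206-01.dmp BugCheck 19, {20, 88d0d4e0, 88d0d6f8, a43009c}
Owning Process            893b39d0       Image:         svchost.exe
Probably caused by : css-dvp.sys ( css_dvp+10b63 )
"""

if __name__ == "__main__":
    recs = parse_reports(SAMPLE_REPORT)
    for r in recs:
        print(f"{r['dump']}: 0x{r['code']} {r['name']} in {r['process']}"
              f" -> {r['module']} ({r['symbol']})")
    print("attributions:", dict(attributions(recs)))
    print("dominant module:", dominant_module(recs))
    print(f"pool-corruption bug checks: {pool_corruption_share(recs):.0%}")
```

Run against the sample, the tally shows css-dvp.sys blamed in six of seven dumps, with the lone TDI.SYS attribution sitting among crashes whose bug checks (C2, C5, 19) all describe pool corruption; that combination, rather than any single dump, is the evidence worth sending to the vendor, and the same script can be pointed at a fresh batch of summaries after an update to confirm the attribution has gone away.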
