Stop 0x8E errors after updating Symantec Antivirus 10

We are seeing cases with a Stop 0x8E errors after an update to Symantec Antivirus 10.

 

Prior to setting the trap frame the stack will normally look like

 

STACK_TEXT:

f642633c 8085b4af 0000008e c0000005 f5148223 nt!KeBugCheckEx+0x1b f6426700 808357a4 f642671c 00000000 f6426770 nt!KiDispatchException+0x3a2

f6426768 80835758 f64267e4 f5148223 badb0d00 nt!CommonDispatchException+0x4a f6426780 8089c27a 863cf008 e53e74d0 e1fa5008 nt!KiExceptionExit+0x186

f64267e4 f6e7d4ff f6eaafb8 e5330428 e2c95755 nt!ExFreePoolWithTag+0x277

WARNING: Stack unwind information not available. Following frames may be wrong.

f6426814 f6e7ddb6 f6426840 f642683c f642684c savrt+0x234ff 00000000 00000000 00000000 00000000 00000000 savrt+0x23db6

 

After setting the trap frame, the stack and registers will normally look like

 

eax=75100824 ebx=e53e74d0 ecx=f50f7400 edx=e2c95755 esi=e5330428 edi=f642683c

eip=f5148223 esp=f64267e4 ebp=f64267e4 iopl=0 nv up ei pl nz na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206

navex15+0x51223:

f5148223 8138dedaaeab cmp dword ptr [eax],0ABAEDADEh ds:0023:75100824=????????

 

  *** Stack trace for last set context - .thread/.cxr resets it ChildEBP RetAddr Args to Child

WARNING: Stack unwind information not available. Following frames may be wrong.

f64267e4 f6e7d4ff f6eaafb8 e5330428 e2c95755 navex15+0x51223

f6426814 f6e7ddb6 f6426840 f642683c f642684c savrt+0x234ff 00000000 00000000 00000000 00000000 00000000 savrt+0x23db6

 

At this point, we believe the system is crashing due to a version mismatch between an updated version of Navex15 and older versions of Savrt and symevent.

 

    Image name: navex15.sys Timestamp: Mon Feb 11 13:41:31 2008 (47B0A4EB)

    Image name: SYMEVENT.SYS Timestamp: Tue Apr 18 19:16:26 2006 (4445815A)

    Image name: savrt.sys Timestamp: Mon Dec 19 22:24:48 2005 (43A78790)

 

The versions listed for Symevent and Savrt may be different than the ones listed, but so far they have all been at least a year older than Navex15.sys.

 

Customers should contact Symantec for support. As a workaround we can try the following

 

Have the customer uninstall Symantec Antivirus 10 and then reinstall the updated version.

This should hopefully put the correct version of files in place.