Solved

BSOD issues caused by Webroot

  • 21 July 2022

CZUR Scanner, the Windows client software developed by our company, causes a blue screen of death when running on a user's computer that has Webroot SecureAnywhere installed, and the user sent us the system dmp file. After analyzing it with the WinDbg tool, I found that the crash was caused by an internal exception in Webroot.
Please help me analyze whether there are irregularities in our client software that cause Webroot to run abnormally.

~Removed Link to software and SN please contact Webroot support and give it to them!~

 


4: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000000, A stack-based buffer has been overrun.
Arg2: ffff9485cfa36510, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffff9485cfa36468, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 4109

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 32216

    Key  : Analysis.Init.CPU.mSec
    Value: 1140

    Key  : Analysis.Init.Elapsed.mSec
    Value: 856377

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 88

    Key  : Bugcheck.Code.DumpHeader
    Value: 0x139

    Key  : Bugcheck.Code.KiBugCheckData
    Value: 0x139

    Key  : Bugcheck.Code.Register
    Value: 0x139

    Key  : FailFast.Name
    Value: STACK_BUFFER_OVERRUN

    Key  : FailFast.Type
    Value: 0

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1


FILE_IN_CAB:  MEMORY.DMP

BUGCHECK_CODE:  139

BUGCHECK_P1: 0

BUGCHECK_P2: ffff9485cfa36510

BUGCHECK_P3: ffff9485cfa36468

BUGCHECK_P4: 0

TRAP_FRAME:  ffff9485cfa36510 -- (.trap 0xffff9485cfa36510)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff8075c0621d0 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8075c0621d2 rsp=ffff9485cfa366a8 rbp=ffff9485cfa36749
 r8=ffff9485cfa36770  r9=0000000000000002 r10=0000000000000002
r11=ffffae0c8b65c5b6 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
WRCore_x64+0x21d2:
fffff807`5c0621d2 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffff9485cfa36468 -- (.exr 0xffff9485cfa36468)
ExceptionAddress: fffff8075c0621d2 (WRCore_x64+0x00000000000021d2)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000000
Subcode: 0 FAST_FAIL_LEGACY_GS_VIOLATION 

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  CZUR Scanner.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - <Unable to get error code text>

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_STR:  0xc0000409

STACK_TEXT:  
ffff9485`cfa361e8 fffff807`43a0a569     : 00000000`00000139 00000000`00000000 ffff9485`cfa36510 ffff9485`cfa36468 : nt!KeBugCheckEx
ffff9485`cfa361f0 fffff807`43a0a990     : 00000000`00000001 ffffd083`a039f690 ffffd083`a039f690 fffff807`4388b19d : nt!KiBugCheckDispatch+0x69
ffff9485`cfa36330 fffff807`43a08d23     : ffffd083`75fa1dd0 fffff807`482aaa0d ffff9485`cfa36500 ffffae0c`00000000 : nt!KiFastFailDispatch+0xd0
ffff9485`cfa36510 fffff807`5c0621d2     : fffff807`5c07f599 00000003`00000001 00000000`00000002 ffffae0c`8b65b5d0 : nt!KiRaiseSecurityCheckFailure+0x323
ffff9485`cfa366a8 fffff807`5c07f599     : 00000003`00000001 00000000`00000002 ffffae0c`8b65b5d0 00000000`00000fea : WRCore_x64+0x21d2
ffff9485`cfa366b0 fffff807`5c07f258     : ffff9485`00000e02 ffff9485`cfa36ba0 00000000`00000000 ffffd083`a039f690 : WRCore_x64+0x1f599
ffff9485`cfa366f0 fffff807`5c080df0     : ffff9485`cfa36cc0 00000000`00000000 ffff9485`cfa36ba0 ffffd083`a039f690 : WRCore_x64+0x1f258
ffff9485`cfa367b0 fffff807`5c081bf4     : 00000000`000045aa ffff9485`cfa36bf0 ffffd083`a039f690 00000000`00000000 : WRCore_x64+0x20df0
ffff9485`cfa36af0 fffff807`5c066cfb     : ffffae0c`9f886d40 ffffd083`75d47050 00000000`00000000 ffffd083`9d4186f0 : WRCore_x64+0x21bf4
ffff9485`cfa36c40 fffff807`5c06684b     : ffffd083`75d47001 ffffd083`a039f601 00000000`00000000 ffffae0c`9f886d40 : WRCore_x64+0x6cfb
ffff9485`cfa36cb0 fffff807`5c06bb05     : ffffae0c`9f886d40 ffff9485`cfa36db0 ffffd083`a039f690 ffffd083`9b7828a0 : WRCore_x64+0x684b
ffff9485`cfa36d00 fffff807`5c0688bb     : ffff9485`cfa37050 ffff9485`cfa36e50 ffff9485`cfa37078 ffff9485`cfa36e50 : WRCore_x64+0xbb05
ffff9485`cfa36d50 fffff807`5c0671f8     : ffffd083`99ddfb08 ffff9485`cfa37078 ffff9485`cfa37050 ffff9485`cfa37000 : WRCore_x64+0x88bb
ffff9485`cfa36fb0 fffff807`4124648c     : ffffd083`99ddfa20 ffff9485`cfa37099 ffffd083`99ddfb08 ffffd083`75d47310 : WRCore_x64+0x71f8
ffff9485`cfa36fe0 fffff807`41242804     : 00000000`00000000 00000000`000000ff ffff9485`cfa37200 ffff9485`00000000 : FLTMGR!FltpPerformPreCallbacksWorker+0x36c
ffff9485`cfa37100 fffff807`438c0ea7     : ffff9485`cfa38000 ffffd083`a2d82a20 ffff9485`cfa31000 fffff807`43825f97 : FLTMGR!FltpPreFsFilterOperation+0x184
ffff9485`cfa371b0 fffff807`43c63f71     : fffff807`41248e70 00000000`00000001 ffffd083`a039f690 fffff807`41242680 : nt!FsFilterPerformCallbacks+0xe7
ffff9485`cfa37220 fffff807`43c63bdf     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!FsRtlAcquireFileExclusiveCommon+0x121
ffff9485`cfa37510 fffff807`43c64433     : 00000000`00000000 00000000`00000002 00000000`00000001 ffff9485`cfa378c8 : nt!FsRtlAcquireToCreateMappedSection+0x5b
ffff9485`cfa37590 fffff807`43c64dad     : ffffd083`00000000 ffffd083`00000000 ffffd083`a039f690 ffffd083`a2d08080 : nt!MiCallCreateSectionFilters+0x37
ffff9485`cfa375d0 fffff807`43c64594     : 00000000`00000000 00000000`00000000 ffffd083`a039f690 00000000`00000000 : nt!MiCreateImageOrDataSection+0x13d
ffff9485`cfa376c0 fffff807`43c642d7     : 00000000`01000000 ffff9485`cfa37a80 00000000`00000001 00000000`00000010 : nt!MiCreateSection+0xf4
ffff9485`cfa37840 fffff807`43c6405c     : 00000000`0144e8d8 00000000`0000000d 00000000`00000000 00000000`00000001 : nt!MiCreateSectionCommon+0x207
ffff9485`cfa37920 fffff807`43a09fb5     : 00000000`00000000 00000000`00000001 00000000`0177f3ac ffff9485`cfa37a80 : nt!NtCreateSection+0x5c
ffff9485`cfa37990 00007ffc`36f4d884     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
00000000`0144e838 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffc`36f4d884


SYMBOL_NAME:  WRCore_x64+21d2

MODULE_NAME: WRCore_x64

IMAGE_NAME:  WRCore.x64.sys

IMAGE_VERSION:  1.4.0.54

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  21d2

FAILURE_BUCKET_ID:  0x139_MISSING_GSFRAME_WRCore_x64!unknown_function

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {edcaf37f-67f2-19da-6af1-bb572a732c02}

Followup:     MachineOwner
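
A small triage of the !analyze -v text in the post above, as an added example that is not part of the original thread or of any Webroot tooling: it pulls out the bugcheck fields and reports which frame called into the third-party driver frames and which system call started the path. The function names and the OS_MODULES set are assumptions made for this illustration.

```python
import re

# Subset of the !analyze -v lines quoted in the post above, copied verbatim.
SAMPLE = """\
BUGCHECK_CODE:  139
Subcode: 0 FAST_FAIL_LEGACY_GS_VIOLATION
PROCESS_NAME:  CZUR Scanner.exe
STACK_TEXT:
ffff9485`cfa361e8 fffff807`43a0a569     : 00000000`00000139 00000000`00000000 ffff9485`cfa36510 ffff9485`cfa36468 : nt!KeBugCheckEx
ffff9485`cfa36510 fffff807`5c0621d2     : fffff807`5c07f599 00000003`00000001 00000000`00000002 ffffae0c`8b65b5d0 : nt!KiRaiseSecurityCheckFailure+0x323
ffff9485`cfa366a8 fffff807`5c07f599     : 00000003`00000001 00000000`00000002 ffffae0c`8b65b5d0 00000000`00000fea : WRCore_x64+0x21d2
ffff9485`cfa36fb0 fffff807`4124648c     : ffffd083`99ddfa20 ffff9485`cfa37099 ffffd083`99ddfb08 ffffd083`75d47310 : WRCore_x64+0x71f8
ffff9485`cfa36fe0 fffff807`41242804     : 00000000`00000000 00000000`000000ff ffff9485`cfa37200 ffff9485`00000000 : FLTMGR!FltpPerformPreCallbacksWorker+0x36c
ffff9485`cfa37920 fffff807`43a09fb5     : 00000000`00000000 00000000`00000001 00000000`0177f3ac ffff9485`cfa37a80 : nt!NtCreateSection+0x5c
00000000`0144e838 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffc`36f4d884
IMAGE_NAME:  WRCore.x64.sys
"""

FRAME = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8}\s+:")
OS_MODULES = {"nt", "FLTMGR"}  # assumption: what this triage treats as OS code

def field(text, name):
    m = re.search(rf"^{re.escape(name)}:[ \t]+(.+?)[ \t]*$", text, re.M)
    return m.group(1) if m else None

def frames(text):
    out = []  # (module, symbol) per STACK_TEXT frame, top of stack first
    for line in text.splitlines():
        if FRAME.match(line):
            sym = line.rsplit(" : ", 1)[-1].strip()
            out.append((re.split(r"[!+]", sym, maxsplit=1)[0], sym))
    return out

def triage(text):
    stack = frames(text)
    third = [i for i, (mod, _) in enumerate(stack)
             if mod not in OS_MODULES and not mod.startswith("0x")]
    below = third[-1] + 1 if third else len(stack)  # frame that called into it
    caller = stack[below][1] if below < len(stack) else None
    return {
        "bugcheck": field(text, "BUGCHECK_CODE"),
        "subcode": field(text, "Subcode"),
        "process": field(text, "PROCESS_NAME"),
        "image": field(text, "IMAGE_NAME"),
        "fault_frame": stack[third[0]][1] if third else None,
        "entered_from": caller,
        "via_minifilter": bool(caller and caller.startswith("FLTMGR!")),
        "syscall": next((s for _, s in stack if s.startswith("nt!Nt")), None),
    }
```

Calling triage() on the full analysis text works the same way, since only STACK_TEXT frame lines and the named fields are read.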


Best answer by TripleHelix 21 July 2022, 16:52


Hello @dingzhi 

 

It’s best to contact Webroot Support directly for issues like this, as it has to do with the core files.

 

Webroot Support:

Submitting a ticket is the best way!

Call 1-866-612-4227 Mon - Fri 7 AM to 5:30 PM (MDT)

 

Note: When submitting a Support Ticket, please wait for a response from Support. Putting in another Support Ticket on this problem before Support responds will put your first Support Ticket at the end of the queue.

 

Or if you have!

 

Webroot Subscription Software from Best Buy:


Chat with a Geek Squad Agent

Call 1-888-BEST-BUY or (1-888-237-8289)

 

Thanks,
