I have a Windows 2003 Server, running Kaspersky AV for Windows Server 6.0.3.837. This morning, shortly after KAV updated itself (around 8:21am - US Eastern), the server started getting random BSODs.
Every time I boot, it boots all the way - if I'm quick, I can log in. But within seconds or a minute, I get a random BSOD.
So far, I've seen:
Stop 8E
klif.sys
Page_fault_in_nonpaged_area
Stop 50
tcpip.sys
Page_fault_in_nonpaged_area
Stop 50
IRQL_not_less_or_equal
Stop 0A
Bugcode_NDIS_driver
Stop 7C
This occurs even in Safe Mode, and even if I boot up with the internet network cable disconnected. The server is maybe a month behind on Windows Updates.
The close proximity to the KAV update is what has me wondering if it could be the cause of this.
Does anyone else have any insight? I could sure use some right now.
I remembered something else...
I was working in KAV this morning while it was in the middle of updating. There were a handful of detected items - but they were just fraudulent emails from the mail server - just text files. I told KAV to neutralize all, but the items continued to persist. I did this a few times, but "Neutralize All" did nothing. I finally told KAV to delete them, and *that* worked.
I finished up, logged out, and shortly thereafter is when the machine had its first BSOD.
I don't know if this has anything to do with the strange symptom I saw, or the fact that I was trying to do it at the same time that the AutoUpdater was running - but I mention it in case it has any relevance.
Also, one of the future times the machine booted, it stayed up and running long enough for me to do a scan of Critical Areas, which came up clean.
Update:
While I get the BSOD when booting in "Safe Mode with Networking", I don't get it when booting in Safe Mode *without* networking.
To me, that makes it more likely that this is an external attack - although I'm not sure how, if it happens when the internet cable is disconnected.
Did you try to open a support ticket?
QUOTE(Whizard @ 5.04.2008 14:32)

Did you try to open a support ticket?
The problem is that I don't know for certain that it's Kaspersky. The coincidence is high, but it's still only coincidence.
And I'd feel better about blaming KAV, if it didn't happen during Safe Mode with Networking - but unless I'm mistaken, KAV shouldn't have any impact on a Safe Mode boot, should it?
As an update, I have what appears to be a working system.
I was able to finagle it to stay up while I successfully pulled off a Windows Update. I cleared the Temp directory somewhere along the way as well, and since then, I've been able to boot normally and have not experienced any BSODs as of yet. (Knock on a big a$$ Sequoia)
I have no idea if this is due to what I did, or some sort of coincidence, but you can all be thankful that it doesn't appear to be KAV.
Okay, *now* I'm starting to think that it might be KAV. I've continued to have issues, and I finally managed to analyze 10 crash dumps - and 7 out of 10 point to klif.sys.
Here is a subset of the minidumps:
-------------------------------------------------------------
Dump 01:
PAGE_FAULT_IN_NONPAGED_AREA (50)
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0x50
PROCESS_NAME: dfssvc.exe
FOLLOWUP_IP:
klif+1e1ff
b9a6c1ff ?? ???
SYMBOL_NAME: klif+1e1ff
MODULE_NAME: klif
IMAGE_NAME: klif.sys
FAILURE_BUCKET_ID: 0x50_klif+1e1ff
BUCKET_ID: 0x50_klif+1e1ff
-------------------------------------------------------------
Dump 02:
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
FAULTING_IP:
klif+e6e6
b9a926e6 8b4e0c mov ecx,dword ptr [esi+0Ch]
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b971ebc8 b9a92761 00000042 00000548 b9aa1427 klif+0xe6e6
b971ebcc 00000000 00000548 b9aa1427 00000548 klif+0xe761
FOLLOWUP_IP:
klif+e6e6
b9a926e6 8b4e0c mov ecx,dword ptr [esi+0Ch]
SYMBOL_NAME: klif+e6e6
MODULE_NAME: klif
IMAGE_NAME: klif.sys
FAILURE_BUCKET_ID: 0x8E_klif+e6e6
BUCKET_ID: 0x8E_klif+e6e6
-------------------------------------------------------------
Dump 03:
PAGE_FAULT_IN_NONPAGED_AREA (50)
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
PROCESS_NAME: ntfrs.exe
FOLLOWUP_IP:
klif+1e1ff
b9a9c1ff ?? ???
SYMBOL_NAME: klif+1e1ff
MODULE_NAME: klif
IMAGE_NAME: klif.sys
FAILURE_BUCKET_ID: 0x50_klif+1e1ff
BUCKET_ID: 0x50_klif+1e1ff
-------------------------------------------------------------
Dump 04:
IRQL_NOT_LESS_OR_EQUAL (a)
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
PROCESS_NAME: update.exe
FOLLOWUP_IP:
klif+1eed5
b9a6bed5 ?? ???
SYMBOL_NAME: klif+1eed5
MODULE_NAME: klif
IMAGE_NAME: klif.sys
FAILURE_BUCKET_ID: 0xA_klif+1eed5
BUCKET_ID: 0xA_klif+1eed5
-------------------------------------------------------------
Dump 05:
BUGCODE_NDIS_DRIVER (7c)
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
PROCESS_NAME: Idle
SYMBOL_NAME: e1e5132+21f8
MODULE_NAME: e1e5132
IMAGE_NAME: e1e5132.sys
FAILURE_BUCKET_ID: 0x7C_e1e5132+21f8
BUCKET_ID: 0x7C_e1e5132+21f8
-------------------------------------------------------------
Dump 06:
PAGE_FAULT_IN_NONPAGED_AREA (50)
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
MODULE_NAME: afd
IMAGE_NAME: afd.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45d6a080
FAILURE_BUCKET_ID: 0x50_afd!AfdFreePollInfo+24
BUCKET_ID: 0x50_afd!AfdFreePollInfo+24
-------------------------------------------------------------
Dump 07:
PAGE_FAULT_IN_NONPAGED_AREA (50)
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
PROCESS_NAME: lsass.exe
FOLLOWUP_IP:
klif+1e1ff
b9a621ff ?? ???
SYMBOL_NAME: klif+1e1ff
MODULE_NAME: klif
IMAGE_NAME: klif.sys
FAILURE_BUCKET_ID: 0x50_klif+1e1ff
BUCKET_ID: 0x50_klif+1e1ff
-------------------------------------------------------------
Dump 08:
BAD_POOL_CALLER (c2)
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
FOLLOWUP_IP:
klif+1e1ff
b9a031ff ?? ???
SYMBOL_NAME: klif+1e1ff
MODULE_NAME: klif
IMAGE_NAME: klif.sys
FAILURE_BUCKET_ID: 0xc2_7_Proc_klif+1e1ff
BUCKET_ID: 0xc2_7_Proc_klif+1e1ff
-------------------------------------------------------------
Dump 09:
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
PROCESS_NAME: System
MODULE_NAME: netbt
IMAGE_NAME: netbt.sys
FAILURE_BUCKET_ID: 0xD1_W_netbt!NbtDereferenceLowerConnection+39
BUCKET_ID: 0xD1_W_netbt!NbtDereferenceLowerConnection+39
-------------------------------------------------------------
Dump 10:
PAGE_FAULT_IN_NONPAGED_AREA (50)
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
PROCESS_NAME: System
FOLLOWUP_IP:
klif+12cf1
b9aafcf1 ?? ???
SYMBOL_NAME: klif+12cf1
MODULE_NAME: klif
IMAGE_NAME: klif.sys
FAILURE_BUCKET_ID: 0x50_klif+12cf1
BUCKET_ID: 0x50_klif+12cf1
-------------------------------------------------------------
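The post above tallies the ten `!analyze -v` summaries by hand. As an added example (not code from the original poster, from Kaspersky, or from the WinDbg toolchain), the Python script below parses that summary format, counts which module each crash was blamed on, collects the bugcheck codes and faulting processes, and lists the distinct failure buckets attributed to the most-blamed module. The sample input is constructed from the fields quoted above; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample input: the summary fields of the ten WinDbg "!analyze -v"
# excerpts quoted in the post above, in the order they were posted.
SAMPLE_DUMPS = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
PROCESS_NAME: dfssvc.exe
MODULE_NAME: klif
IMAGE_NAME: klif.sys
FAILURE_BUCKET_ID: 0x50_klif+1e1ff
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
MODULE_NAME: klif
IMAGE_NAME: klif.sys
FAILURE_BUCKET_ID: 0x8E_klif+e6e6
PAGE_FAULT_IN_NONPAGED_AREA (50)
PROCESS_NAME: ntfrs.exe
MODULE_NAME: klif
IMAGE_NAME: klif.sys
FAILURE_BUCKET_ID: 0x50_klif+1e1ff
IRQL_NOT_LESS_OR_EQUAL (a)
PROCESS_NAME: update.exe
MODULE_NAME: klif
IMAGE_NAME: klif.sys
FAILURE_BUCKET_ID: 0xA_klif+1eed5
BUGCODE_NDIS_DRIVER (7c)
PROCESS_NAME: Idle
MODULE_NAME: e1e5132
IMAGE_NAME: e1e5132.sys
FAILURE_BUCKET_ID: 0x7C_e1e5132+21f8
PAGE_FAULT_IN_NONPAGED_AREA (50)
MODULE_NAME: afd
IMAGE_NAME: afd.sys
FAILURE_BUCKET_ID: 0x50_afd!AfdFreePollInfo+24
PAGE_FAULT_IN_NONPAGED_AREA (50)
PROCESS_NAME: lsass.exe
MODULE_NAME: klif
IMAGE_NAME: klif.sys
FAILURE_BUCKET_ID: 0x50_klif+1e1ff
BAD_POOL_CALLER (c2)
MODULE_NAME: klif
IMAGE_NAME: klif.sys
FAILURE_BUCKET_ID: 0xc2_7_Proc_klif+1e1ff
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
PROCESS_NAME: System
MODULE_NAME: netbt
IMAGE_NAME: netbt.sys
FAILURE_BUCKET_ID: 0xD1_W_netbt!NbtDereferenceLowerConnection+39
PAGE_FAULT_IN_NONPAGED_AREA (50)
PROCESS_NAME: System
MODULE_NAME: klif
IMAGE_NAME: klif.sys
FAILURE_BUCKET_ID: 0x50_klif+12cf1
"""

# A record starts at the bugcheck header, e.g. "PAGE_FAULT_IN_NONPAGED_AREA (50)".
BUGCHECK_RE = re.compile(r"^([A-Z][A-Z0-9_]+) \(([0-9a-fA-F]+)\)\s*$")
# The summary fields we keep; everything else in the output is ignored.
FIELD_RE = re.compile(r"^(PROCESS_NAME|MODULE_NAME|IMAGE_NAME|FAILURE_BUCKET_ID):\s*(\S+)")


def parse_analyze_output(text):
    """Split concatenated '!analyze -v' output into one dict per crash."""
    dumps, current = [], None
    for line in text.splitlines():
        m = BUGCHECK_RE.match(line)
        if m:
            current = {"bugcheck": m.group(1), "code": m.group(2).lower()}
            dumps.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return dumps


def tally_by_module(dumps):
    """How many crashes !analyze attributed to each MODULE_NAME."""
    return Counter(d.get("module_name", "<unknown>") for d in dumps)


def buckets_for_module(dumps, module):
    """Distinct FAILURE_BUCKET_IDs blamed on one module (one recurring
    bucket suggests one code path; many suggest something more diffuse)."""
    return sorted({d["failure_bucket_id"] for d in dumps
                   if d.get("module_name") == module and "failure_bucket_id" in d})


def triage(text):
    """The numbers to look at before blaming any single driver."""
    dumps = parse_analyze_output(text)
    per_module = tally_by_module(dumps)
    top_module, top_count = per_module.most_common(1)[0]
    return {
        "total": len(dumps),
        "per_module": dict(per_module),
        "bugcheck_codes": sorted({d["code"] for d in dumps}),
        "processes": sorted({d["process_name"] for d in dumps if "process_name" in d}),
        "top_module": top_module,
        "top_module_share": f"{top_count}/{len(dumps)}",
        "top_module_buckets": buckets_for_module(dumps, top_module),
    }
```

Run `triage(SAMPLE_DUMPS)` and it reproduces the poster's "7 out of 10" for klif, but also shows the rest of the spread: six different bugcheck codes, six different faulting processes (including Idle and System), and three unrelated drivers (afd, netbt, the e1e5132 NIC driver) blamed as well, with klif itself hit at four different offsets. `!analyze` names the module that owned the faulting instruction, which for a filter driver sitting on every file operation is simply the code most likely to be running at the moment; crashes scattered across many modules, bugcheck codes and processes are the pattern that usually accompanies memory corruption rather than a single driver bug, which is where this thread eventually ends up.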
Hello,
klif.sys is the driver which is responsible for file interception.
You should send all these dump files to KL technical support for analysis; you can contact them using this form.
Regards,
D.
QUOTE(Tybilly @ 6.04.2008 07:10)

Hello,
klif.sys is the driver which is responsible for file interception.
You should send all these dump files to KL technical support for analysis; you can contact them using this form.
Regards,
D.
I emailed support yesterday, but of course, this had to occur on a weekend.

However, I uninstalled KAV early this morning, and the server still crashed another four times since then. So the question is whether or not KAV uninstalls cleanly.
Alpine,
I'm not sure about your problems.
But you may try to update from the KAV update site directly; normally I prefer to update directly from the Russian site, to check whether any update was missed.
If the problem still appears, I suggest you disconnect the server from the network if possible, then disable KAVFS and reboot, to make sure whether KAV is what causes your server's abnormal boot-up.
If KAVFS is causing the BSOD, I suggest you reinstall KAVFS.
Hope this 2 cents idea helps you solve the problems.
mastropizza
7.04.2008 10:15
QUOTE(Alpine @ 6.04.2008 16:50)

I emailed support yesterday, but of course, this had to occur on a weekend.

However, I uninstalled KAV early this morning, and the server still crashed another four times since then. So the question is whether or not KAV uninstalls cleanly.
Hello,
the easiest and safest way to uninstall KAV4FS is to boot up in Safe Mode and run kavremover from the command line (kavremover.exe kav6fs); after that you may execute a cleaning task with CCleaner.
If you have doubts about a proper KAV uninstallation, please check that klif.sys is no longer present within the "Non-Plug and Play Drivers" area of Device Manager...
IMHO, your Winsock is damaged and should be fixed.
Again, when you're facing a BSOD where klif.sys is the probable cause, it might help to change the way this driver starts up... you can change it from "System" (default setting) to "Automatic".
Hope this helps
Bye
M.
To give you guys an update, I believe I finally traced the issue. I'm using high quality, high performance memory on this machine - and there's nothing wrong with it. But apparently, there has been a documented but unexplained incompatibility between that memory and the Intel x38 chipset.
I'm guessing that it's because klif.sys is so constantly active, that it was simple probability that had it listed for the majority of BSODs that came up.
I'll know for certain after the new memory comes in to replace the old.
Jer-Cedar
26.08.2008 19:39
Hi ... did replacing the memory fix your problem? We're experiencing the same problem on multiple machines. Seems strange to me that it would be the memory on our systems since KAV has been running for over a year and the BSoD's just started in the last 2 months. Thanks.
QUOTE(Jer-Cedar @ 26.08.2008 12:39)

Hi ... did replacing the memory fix your problem? We're experiencing the same problem on multiple machines. Seems strange to me that it would be the memory on our systems since KAV has been running for over a year and the BSoD's just started in the last 2 months. Thanks.
It fixed the issue completely - but remember that the RAM was not replaced with identical sticks, but a different line that was known to be issue free with the chipset.
And it's not strange that the symptoms would be delayed. If you have the same problem, what's happening is that the incompatible RAM is slowly causing corruption of every single thing on the hard drives - every data file, every application, every component of the O/S. It's only a matter of time before the corruption becomes great enough that you start seeing symptoms - but you wouldn't see it at first unless you knew what to look for.
The way to tell if your RAM is the source of the issue is by using Memtest86+ (www.memtest.org). It's a free application. Download the pre-compiled bootable ISO, burn it to CD, and boot the machine with it - let it run through one complete pass (there are multiple tests being run per pass, so don't make the mistake of stopping it after the first test). It takes about 20 minutes on a fast machine, and up to an hour on a slower one. On a working machine, you should have absolutely zero errors.
On my original problem machine, I got tons of errors from the incompatible RAM. If you end up with errors, it points to a problem with the RAM, but not necessarily an incompatibility - it could just be bad RAM. But running that test is the first thing I would recommend you try.
Jer-Cedar
26.08.2008 23:41
Thanks for your very quick reply. Despite doubting the RAM, I went ahead and downloaded Memtest86 v2.01 and ran it against one of the most severely affected systems. Coincidentally, about a month ago, I ran the Windows Memory Diagnostic RAM testing utility. Anyway, just as I suspected, the RAM came back with ZERO errors, as it had done using the other test tool. I have a hard time believing this is a hardware issue because the BSoDs all started recently. I have 12 of about 60 systems with the problem, totaling 92 crash dumps over the past 8 weeks. The blue screens are totally random and not specific to any running application. The crashes have even occurred when the system is idle and waiting for a logon.
Thanks again for your suggestions. Glad to hear you figured out your problem. Looks like I'll have to escalate this to Kaspersky Support. Wish me luck!!