WFP driver compatibility with KTS in v6.2 Beta #1683

Closed
skipik opened this issue Apr 10, 2017 · 5 comments
skipik commented Apr 10, 2017

I got a BSOD today: SYSTEM_SERVICE_EXCEPTION 0x0000003b

My OS: Windows 10 15063.14 v1703 Pro (x64).
Adguard: 6.2.346.1819 Beta.
KTS: Kaspersky Total Security 18.0.0.405(a).

I have Stealth Mode enabled where I only set to block Location API. The WebRTC thing is unchecked.

This is a minidump and a full memory dump (RAR5): https://yadi.sk/d/H1yslxSZ3GqYdM

@ameshkov ameshkov added this to the 6.2 milestone Apr 10, 2017
@ameshkov
Member

Minidump analysis:

ADDITIONAL_DEBUG_TEXT:  

Use '!findthebuild' command to search for the target build information.

If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

MODULE_NAME: NETIO

FAULTING_MODULE: fffff801d6404000 nt

DEBUG_FLR_IMAGE_TIMESTAMP:  0

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP: 
NETIO+10091
fffff80f`e29b0091 483988b0000000  cmp     qword ptr [rax+0B0h],rcx

CONTEXT:  ffff9800655bd140 -- (.cxr 0xffff9800655bd140)
rax=0000000000000000 rbx=ffff9800655bdeb0 rcx=0000000000000000
rdx=ffffe586fa66b6a0 rsi=0000000000000000 rdi=ffffe586f02a4280
rip=fffff80fe29b0091 rsp=ffff9800655bdb40 rbp=ffff9800655bdc21
 r8=0000000000000000  r9=0000000000000000 r10=fffff80fe2a0da80
r11=ffff9800655bdb20 r12=0000000000000001 r13=ffffe586f5692f01
r14=ffff9800655be340 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
NETIO+0x10091:
fffff80f`e29b0091 483988b0000000  cmp     qword ptr [rax+0B0h],rcx ds:002b:00000000`000000b0=????????????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  0x3B

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from ffffe586fa8b9da0 to fffff80fe29b0091

STACK_TEXT:  
ffff9800`655bdb40 ffffe586`fa8b9da0 : ffff9800`655bdc21 00000000`00000000 ffff9800`655bdeb0 ffff9800`655bdbb8 : NETIO+0x10091
ffff9800`655bdb48 ffff9800`655bdc21 : 00000000`00000000 ffff9800`655bdeb0 ffff9800`655bdbb8 ffff9800`655bdcb0 : 0xffffe586`fa8b9da0
ffff9800`655bdb50 00000000`00000000 : ffff9800`655bdeb0 ffff9800`655bdbb8 ffff9800`655bdcb0 ffffe586`f4db4040 : 0xffff9800`655bdc21


FOLLOWUP_IP: 
NETIO+10091
fffff80f`e29b0091 483988b0000000  cmp     qword ptr [rax+0B0h],rcx

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  NETIO+10091

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  NETIO.SYS

STACK_COMMAND:  .cxr 0xffff9800655bd140 ; kb

BUCKET_ID:  WRONG_SYMBOLS

Followup: MachineOwner
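
Added example, not part of the original thread or of AdGuard's code: a Python triage helper that takes the register context and faulting instruction from the analysis above, computes the address the instruction touched, and reports whether it is a NULL-pointer dereference and whether the symbols can be trusted. The `triage` function, its result keys and the 64 KB threshold are assumptions of this example; it handles only simple `[reg+disp]` memory operands.

```python
import re

# Excerpt copied from the minidump analysis above (context, faulting IP, bucket).
SAMPLE = """\
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
rax=0000000000000000 rbx=ffff9800655bdeb0 rcx=0000000000000000
rdx=ffffe586fa66b6a0 rsi=0000000000000000 rdi=ffffe586f02a4280
NETIO+0x10091:
fffff80f`e29b0091 483988b0000000  cmp     qword ptr [rax+0B0h],rcx
BUCKET_ID:  WRONG_SYMBOLS
"""

REG = re.compile(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b")
# Base register plus optional hex displacement, e.g. [rax+0B0h] or [rdi].
MEM = re.compile(r"\[(r[a-z0-9]{1,2})(?:([+-])([0-9A-Fa-f]+)h)?\]")
NULL_GUARD_LIMIT = 0x10000  # assumption: treat the lowest 64 KB as the NULL-pointer region


def triage(text):
    """Classify the fault described by a WinDbg '!analyze -v' excerpt."""
    regs = {name: int(val, 16) for name, val in REG.findall(text)}
    result = {
        "access_violation": "0xc0000005" in text.lower(),
        # WRONG_SYMBOLS means module+offset is all we have; stack frames are unreliable.
        "symbols_ok": "WRONG_SYMBOLS" not in text,
        "module": None, "address": None, "null_deref": False,
    }
    loc = re.search(r"^(\w+)\+0x[0-9a-f]+:$", text, re.M)
    if loc:
        result["module"] = loc.group(1)
    for line in text.splitlines():
        m = MEM.search(line)
        if m and m.group(1) in regs:
            disp = int(m.group(3), 16) if m.group(3) else 0
            if m.group(2) == "-":
                disp = -disp
            addr = (regs[m.group(1)] + disp) & 0xFFFFFFFFFFFFFFFF
            result["address"] = addr
            result["null_deref"] = addr < NULL_GUARD_LIMIT
            break
    return result


if __name__ == "__main__":
    r = triage(SAMPLE)
    print(f"{r['module']}: access to {r['address']:#x}, "
          f"null_deref={r['null_deref']}, symbols_ok={r['symbols_ok']}")
```

On this dump the computed address is 0xb0, matching the `00000000`000000b0=????????????????` operand WinDbg printed, so the access violation is a read through a NULL base pointer inside NETIO.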


skipik commented Apr 11, 2017

@ameshkov Any info about this bug? Am I the only one with such a problem? I'd be very grateful if you told me some workaround because I don't want to get a BSOD at the most inopportune moment again. :)

Look at this btw:

  1. http://forum.ru-board.com/topic.cgi?forum=5&topic=31105&start=3920#4
  2. http://forum.ru-board.com/topic.cgi?forum=5&topic=31105&start=3920#16

@ameshkov
Member

@skipik looks like the old issue we have in #1565, a bit different though (and does not happen that often).

I guess it should happen without the Stealth Mode as well. The only 100% way to fix it is to get back to the old approach (which required disabling HTTPS scanning in KIS).

However, I'd like to avoid it at least in the default configuration as this type of BSOD seems to be really rare (you're the only one so far). What I am thinking about is introducing a low-level "kis compatibility" switch.


skipik commented Jun 1, 2017

@ameshkov I still have BSODs sometimes. Now we're testing KIS / KTS 19 Beta with the Kaspersky guys and I have sent all my new dumps to them. So I hope that they can finally fix it. :)

@adbuker adbuker self-assigned this Jul 25, 2017
@adbuker adbuker modified the milestones: 6.2, 6.3 Sep 21, 2017
@ameshkov ameshkov removed this from the 6.3 milestone Oct 9, 2017
@atkrv atkrv added the bsod label Dec 13, 2017

vozersky commented Jul 5, 2018

New consolidated issue about bsods

@vozersky vozersky closed this as completed Jul 5, 2018