Random BSOD at system boot-up [V6][M435]

A. THE BUG/ISSUE (Varies from issue to issue)
  • Summary - Give a clear summary in the topic subject, NOT here.
  • Can U reproduce the problem & if so how reliably?: Yes, it happens intermittently.
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    When “Enable Enhanced Protection Mode” is enabled under HIPS settings, random BSODs occur at system boot-up. This also seems to be related to https://forums.comodo.com/empty-t94347.0.html
    This happened when I was running Comodo v5, but v6 exhibits the same problem.
  • If not obvious, what U expected to happen: no BSODs
  • If a software compatibility problem have U tried the conflict FAQ?: N/A
  • Any software except CIS/OS involved? If so - name, & exact version: N/A
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    Suspect driver conflict at bootup. Inspect.sys seems to be the main culprit and sometimes cmdguard.sys
  • Always attach - Diagnostics file, Watch Activity process list, dump if freeze/crash. (If complex - CIS logs & config, screenshots, video, zipped program - not m’ware)

Mod edit: link to full dump, and diagnostics report, attached to post further down

B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
  • Exact CIS version & configuration: 6.1.276867.2813
  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV: see attachments. Firewall on/off makes no difference.
  • Have U made any other changes to the default config? (egs here.): N/A
  • Have U updated (without uninstall) from a CIS 5?: No, clean install of v6
    - if so, have U tried a clean reinstall - if not please do?:
  • Have U imported a config from a previous version of CIS: No, clean config baseline
    - if so, have U tried a standard config - if not please do:
  • OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used: Win7 64bit, UAC on, Admin, no V Machine.
  • Other security/s’box software a) currently installed b) installed since OS: a=No b=No

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 0000000000000003, the pool freelist is corrupt.
Arg2: fffff80004212ab0, the pool entry being checked.
Arg3: fffff80004212ab0, the read back flink freelist value (should be the same as 2).
Arg4: fffffa8014d7f198, the read back blink freelist value (should be the same as 2).

Debugging Details:

BUGCHECK_STR: 0x19_3

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

PROCESS_NAME: System

CURRENT_IRQL: 2

LAST_CONTROL_TRANSFER: from fffff800041b54b3 to fffff80004082c00

STACK_TEXT:
fffff88003738898 fffff800041b54b3 : 0000000000000019 0000000000000003 fffff80004212ab0 fffff80004212ab0 : nt!KeBugCheckEx
fffff880037388a0 fffff880020ba86c : 0000000000000000 fffff880037389f0 000000000000000d ffffffff00000000 : nt!ExDeferredFreePool+0xa53
fffff88003738990 fffff88004f53970 : 0000000000000000 0000000000000240 fffffa8014d70640 0000000000000000 : ndis!NdisAllocateMemoryWithTag+0x1c
fffff880037389c0 0000000000000000 : 0000000000000240 fffffa8014d70640 0000000000000000 fffffa8014d70640 : inspect+0x7970

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!ExDeferredFreePool+a53
fffff800`041b54b3 cc int 3

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!ExDeferredFreePool+a53

FOLLOWUP_NAME: Pool_corruption

IMAGE_NAME: Pool_Corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MODULE_NAME: Pool_Corruption

FAILURE_BUCKET_ID: X64_0x19_3_nt!ExDeferredFreePool+a53

BUCKET_ID: X64_0x19_3_nt!ExDeferredFreePool+a53

Followup: Pool_corruption

[attachment deleted by admin]

I have 8 GB of memory, the full memory dump file is too big to upload even when zipped. Here’s more details on the BSOD from reading the full memory dump file:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C5, {8, 2, 1, fffff80004206147}

*** ERROR: Module load completed but symbols could not be loaded for inspect.sys
Probably caused by : inspect.sys ( inspect+d2ea )

Followup: MachineOwner

2: kd> !analyze -v

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is
caused by drivers that have corrupted the system pool. Run the driver
verifier against any new (or suspect) drivers, and if that doesn’t turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 0000000000000008, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff80004206147, address which referenced memory

Debugging Details:

BUGCHECK_STR: 0xC5_2

CURRENT_IRQL: 2

FAULTING_IP:
nt!ExAllocatePoolWithTag+537
fffff800`04206147 48895808 mov qword ptr [rax+8],rbx

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

PROCESS_NAME: System

TRAP_FRAME: fffff880049486c0 -- (.trap 0xfffff880049486c0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffffa80147e8198
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80004206147 rsp=fffff88004948850 rbp=0000000000001000
r8=0000000000000000 r9=fffff80004261ab0 r10=fffff80004261588
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
nt!ExAllocatePoolWithTag+0x537:
fffff80004206147 48895808 mov qword ptr [rax+8],rbx ds:0000000000000008=???
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff800040d11a9 to fffff800040d1c00

STACK_TEXT:
fffff88004948578 fffff800040d11a9 : 000000000000000a 0000000000000008 0000000000000002 0000000000000001 : nt!KeBugCheckEx
fffff88004948580 fffff800040cfe20 : 0000000000000000 ffffffff800003c4 000000000000000a fffff80004261ab0 : nt!KiBugCheckDispatch+0x69
fffff880049486c0 fffff80004206147 : fffffa80147d8c01 fffff88004948920 fffffa80147a6170 0000000000000040 : nt!KiPageFault+0x260
fffff88004948850 fffff88001e5686c : fffff88000000000 fffff88004948990 000000000000000a fffffa8000000000 : nt!ExAllocatePoolWithTag+0x537
fffff88004948940 fffff8800537b2ea : 0000000000000004 ffffffff800003c8 fffffa80147e0010 fffff88005382c80 : ndis!NdisAllocateMemoryWithTag+0x1c
fffff88004948970 fffff8800537b8ea : 0000000000000000 ffffffff800003b8 0000000000000000 0000000000000000 : inspect+0xd2ea
fffff880049489f0 fffff88005379e21 : fffffa80147e1010 0000000000000080 00000000ffffffff fffff88005382df0 : inspect+0xd8ea
fffff88004948b00 fffff8800537c956 : fffffa80147e1010 0000000000000080 00000000ffffffff fffff88005378218 : inspect+0xbe21
fffff88004948b30 fffff8000436fede : fffffa801392db50 fffff880ffffffff fffffa80147e1010 fffffa801392db50 : inspect+0xe956
fffff88004948c00 fffff800040c2906 : fffff88003972180 fffffa801392db50 fffff8800397cfc0 fffffa80135c89a0 : nt!PspSystemThreadStartup+0x5a
fffff88004948c40 0000000000000000 : fffff88004949000 fffff88004943000 fffff88004948580 0000000000000000 : nt!KiStartSystemThread+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
inspect+d2ea
fffff880`0537b2ea 413bc7 cmp eax,r15d

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: inspect+d2ea

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: inspect

IMAGE_NAME: inspect.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5178f9a8

FAILURE_BUCKET_ID: X64_0xC5_2_inspect+d2ea

BUCKET_ID: X64_0xC5_2_inspect+d2ea

Followup: MachineOwner

2: kd> lmvm inspect
start end module name
fffff8800536e000 fffff88005389000 inspect (no symbols)
Loaded symbol image file: inspect.sys
Image path: \SystemRoot\system32\DRIVERS\inspect.sys
Image name: inspect.sys
Timestamp: Thu Apr 25 05:38:48 2013 (5178F9A8)
CheckSum: 0001820B
ImageSize: 0001B000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
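A small triage helper for WinDbg `!analyze -v` listings like the two above, added here as an example (it is not Comodo's code and was not posted in this thread): it pulls out the bugcheck, its arguments and the STACK_TEXT symbols, names the first frame that is not a Windows module (here `inspect`), and flags the 0x19 / Pool_corruption case, where the pool was already damaged before the suspect touched it. The sample text is constructed and abridged from the first listing, and the set of OS module names is an assumption.

```python
import re
# Constructed sample, abridged from the WinDbg "!analyze -v" listing of the 0x19 crash above.
SAMPLE = """\
BAD_POOL_HEADER (19)
Arg1: 0000000000000003, the pool freelist is corrupt.
STACK_TEXT:
fffff88003738898 fffff800041b54b3 : 0000000000000019 0000000000000003 fffff80004212ab0 fffff80004212ab0 : nt!KeBugCheckEx
fffff880037388a0 fffff880020ba86c : 0000000000000000 fffff880037389f0 000000000000000d ffffffff00000000 : nt!ExDeferredFreePool+0xa53
fffff88003738990 fffff88004f53970 : 0000000000000000 0000000000000240 fffffa8014d70640 0000000000000000 : ndis!NdisAllocateMemoryWithTag+0x1c
fffff880037389c0 0000000000000000 : 0000000000000240 fffffa8014d70640 0000000000000000 fffffa8014d70640 : inspect+0x7970

FOLLOWUP_NAME: Pool_corruption
"""
OS_MODULES = {"nt", "ntkrnlmp", "ndis", "hal", "fltmgr"}  # assumed list of frames owned by Windows itself

def parse_analyze(text):
    """Pull bugcheck name/code, Arg1..4, STACK_TEXT symbols and FOLLOWUP_NAME out of !analyze -v output."""
    info = {"bugcheck": None, "code": None, "args": [], "frames": [], "followup": None}
    in_stack = False
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"^([A-Z_]+) \(([0-9a-f]+)\)$", line):
            info["bugcheck"], info["code"] = m.group(1), int(m.group(2), 16)
        elif m := re.match(r"^Arg\d: ([0-9a-f]+),", line):
            info["args"].append(int(m.group(1), 16))
        elif line.startswith("FOLLOWUP_NAME:"):
            info["followup"] = line.split(":", 1)[1].strip()
        elif line == "STACK_TEXT:":
            in_stack = True
        elif in_stack and not line:
            in_stack = False                      # a blank line closes the stack listing
        elif in_stack and " : " in line:
            info["frames"].append(line.rsplit(" : ", 1)[1])  # last column: symbol or raw address
    return info

def suspect_module(info):
    """First non-OS frame on the stack: the driver whose pool call tripped the bugcheck."""
    for sym in info["frames"]:
        if sym.startswith("0x"):                  # raw return address with no symbol: skip it
            continue
        mod = re.split(r"[!+]", sym, maxsplit=1)[0]   # 'nt!Foo+0x1' -> 'nt', 'inspect+0x7970' -> 'inspect'
        if mod.lower() not in OS_MODULES:
            return mod
    return None

def triage(text):
    """0x19 or a Pool_corruption follow-up means another driver may have corrupted the pool earlier."""
    info = parse_analyze(text)
    return {"bugcheck": info["bugcheck"], "suspect": suspect_module(info),
            "pool_already_corrupt": info["code"] == 0x19 or info["followup"] == "Pool_corruption"}
```

When `pool_already_corrupt` is set, the named module is only the caller that noticed the damage, which is why the listing itself points at Driver Verifier and special pool as the next step.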

Please attach the Diagnostics file and the Watch Activity process list from when it is working correctly to your first post. This will still have useful information.

Also, what is the size of the full dump if compressed with 7zip set at the maximum compression level? Perhaps this will be small enough to upload to a file sharing site and post a link to.

Thank you.

I was reviewing my system log in event viewer and noticed the crashes often happened in the following order:

File System Filter 'aswSnx' (6.0, 2013-05-09T04:48:30.000000000Z) has successfully loaded and registered with Filter Manager.
File System Filter 'cmdGuard' (6.1, 2013-04-15T13:18:03.000000000Z) has successfully loaded and registered with Filter Manager.
BSOD
dump analysis shows inspect.sys

Which led me to these threads:
https://forums.comodo.com/install-setup-configuration-help-cis/comodo-cis-ver-5-causing-windows-7-x64-bsod-with-avast-users-t71056.0.html
https://forums.comodo.com/news-announcements-feedback-cis/enhanced-protection-mode-causing-bsod-t78995.0.html
https://forums.comodo.com/firewall-help-cis/avast-claims-comodo-fw-bug-t70915.0.html
https://forums.comodo.com/firewall-help-cis/comodo-causes-blue-screen-with-avast-antivirus-t78541.0.html

And most recently:

Your engineer “RickWang” (from the older posts), if he still works at Comodo, may be able to take a look at this issue. I will try a couple other things and report back. If I can reproduce this in a virtual machine I will attach a full memory dump.

Thank you. If possible a full memory dump would be very helpful.

Also, please attach the diagnostics report and process list to your first post. The information there will be helpful as well.

Thanks.

PM sent.

I was able to reproduce this twice in a virtual machine. The first one was BAD_POOL_HEADER as usual, the second one was something else, unfortunately, the second dump overwrote the first one, so I lost the BAD_POOL_HEADER one that is usually related to inspect.sys. The second BSOD shows ntkrnlmp.exe, which I also see from time to time, and I can include the full dump for it.

[attachment deleted by admin]

Another dump analysis, if it helps, on cmdguard.sys:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 19, {3, fffffa8014d70010, 0, fffffa8014d70010}

*** WARNING: Unable to verify timestamp for cmdguard.sys
*** ERROR: Module load completed but symbols could not be loaded for cmdguard.sys
Probably caused by : Pool_Corruption ( nt!ExDeferredFreePool+cbb )

Followup: Pool_corruption

0: kd> !analyze -v

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 0000000000000003, the pool freelist is corrupt.
Arg2: fffffa8014d70010, the pool entry being checked.
Arg3: 0000000000000000, the read back flink freelist value (should be the same as 2).
Arg4: fffffa8014d70010, the read back blink freelist value (should be the same as 2).

Debugging Details:

BUGCHECK_STR: 0x19_3

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

PROCESS_NAME: wininit.exe

CURRENT_IRQL: 2

LAST_CONTROL_TRANSFER: from fffff800041be70f to fffff8000408bc00

STACK_TEXT:
fffff88003312b38 fffff800041be70f : 0000000000000019 0000000000000003 fffffa8014d70010 0000000000000000 : nt!KeBugCheckEx
fffff88003312b40 fffff800041bf4f1 : fffffa801466c6e0 fffffa80146dc2b0 0000000000000000 00000000000007ff : nt!ExDeferredFreePool+0xcbb
fffff88003312bd0 fffff88004f972b8 : fffffa8014d6c000 fffff88004f62474 8000000130396743 0000000000000608 : nt!ExFreePoolWithTag+0x411
fffff88003312c80 fffffa8014d6c000 : fffff88004f62474 8000000130396743 0000000000000608 0000000400000006 : cmdguard+0x4b2b8
fffff88003312c88 fffff88004f62474 : 8000000130396743 0000000000000608 0000000400000006 fffff88004f9779a : 0xfffffa8014d6c000
fffff88003312c90 8000000130396743 : 0000000000000608 0000000400000006 fffff88004f9779a fffff88004fea500 : cmdguard+0x16474
fffff88003312c98 0000000000000608 : 0000000400000006 fffff88004f9779a fffff88004fea500 0000000000000000 : 0x8000000130396743
fffff88003312ca0 0000000400000006 : fffff88004f9779a fffff88004fea500 0000000000000000 fffff88004fed640 : 0x608
fffff88003312ca8 fffff88004f9779a : fffff88004fea500 0000000000000000 fffff88004fed640 fffffa8014d6c000 : 0x0000000400000006
fffff88003312cb0 fffff88004fea500 : 0000000000000000 fffff88004fed640 fffffa8014d6c000 fffffa8014d75000 : cmdguard+0x4b79a
fffff88003312cb8 0000000000000000 : fffff88004fed640 fffffa8014d6c000 fffffa8014d75000 fffff880`04f6032d : cmdguard+0x9e500

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!ExDeferredFreePool+cbb
fffff800`041be70f cc int 3

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!ExDeferredFreePool+cbb

FOLLOWUP_NAME: Pool_corruption

IMAGE_NAME: Pool_Corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MODULE_NAME: Pool_Corruption

FAILURE_BUCKET_ID: X64_0x19_3_nt!ExDeferredFreePool+cbb

BUCKET_ID: X64_0x19_3_nt!ExDeferredFreePool+cbb

Followup: Pool_corruption

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again

Can you please check and see if this is fixed with the newest version (6.2.282872.2847)? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.

Can you please check and see if this is fixed with the newest version (6.3.294583.2937)? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.

The devs have been unable to reproduce this issue. Are you still experiencing it?

If so try uninstalling Avast to see if it is a compatibility issue. Let me know what you find.

Thank you.

The devs have not been able to replicate this. Also, as there has not been a response to my inquiries, the devs have assumed that this is fixed for CIS version 7.0.313494.4115. I will therefore move this to Resolved.

If this is still not fixed for you please both respond to this topic and send me a PM (including a link to this bug report).

Thank you.