
BSODs (BAD_POOL_HEADER) w/ Malicious Website Protection



  • Staff

I've replicated the Windows Driver Verifier and have let our Development team know as well as given them all available memory dumps.

 

@anachromat - I have been unable to replicate the BAD_POOL_HEADER BSOD thus far.  I have a few questions for you if you don't mind:

  • Aside from what you've mentioned, are there other replication steps or hints you can give us?  AFAIK, the steps are to enable malicious website protection on Vista x64 and browse the internet normally and you will get a random BSOD.
  • How long does it take on average for this BSOD to occur?
  • I also noticed that your MWAC.sys file has a different MD5 when comparing it to the MWAC.sys from a fresh installation.  I have attached the logs.  They have the same version string but a different size and MD5.
    • Because of this, I am suggesting you do another mbam-clean and reinstall on this system (as we already have memory dumps for the other issues, so let's see if we can try to find a fix or workaround while development is looking into the dumps).
    • Please do the following:
      1. Download MBAM-Clean: http://downloads.malwarebytes.org/file/mbam_clean
      2. Ensure MBAM is still installed.
      3. Ensure MBAM self-protection is not enabled. (It can be found under Advanced Settings)
      4. Run MBAM-Clean.
      5. Reboot (You will be prompted).
      6. Run MBAM-Check.
      7. Send me the MBAM-Check Log. (or post it here)
      8. Reinstall MBAM 2.0.2.1012: http://www.malwarebytes.org/mwb-download/

Let's go with this for now.  If you have any questions, please don't hesitate to ask.  Also, if you would rather not try to find a workaround or fix before that, to keep your system as it is for when we get a build to specifically address the issue, that is an acceptable option as well.  Please let me know what you decide to do.   ^_^

mbam-check-Vista-anachromat.txt

mbam-check-Vista-Fresh-Install.txt


Hi, Jekko - happy to do that stuff, but before I do I have a question for you:  the fresh install log you posted is for a Vista 64-bit system, but my Vista is 32-bit.  Do you expect mwac.sys to be identical between 32-bit and 64-bit systems?  I ask because, buried in one of the posts above, I noted that a fresh-install mwac.sys on a 64-bit Win7 system differed in size and checksum from the mwac.sys on my 32-bit Vista system.  If you say 32-bit vs 64-bit shouldn't make any difference to mwac.sys on Vista, then happy to do another clean install; but otherwise I'd rather avoid more churn.

I'm afraid there's not much I can say about when the BSODs happen.  They never occur when Malicious Website Protection (MWP) is disabled.  When MWP is enabled, and when not running Driver Verifier, the shortest time to failure I've seen has been about 2 hours, and the longest about 2 days.  The average is close to 1 day between BAD_POOL_HEADER crashes.  But when Driver Verifier is watching mwac.sys, it's impossible not to see a failure within a minute ;-)

There's no pattern to what I'm doing when they occur.  I generally have both Chrome and Firefox running, both open for about 12 hours per day.  Most often I see a BAD_POOL_HEADER BSOD after loading a page, but at least one time I hadn't touched the keyboard or mouse for at least 10 minutes.  But, e.g., at least one browser always has Facebook open, and Facebook updates parts of the page on its own from time to time, so "I'm not touching the keyboard or mouse" doesn't imply "no Internet activity".  And from time to time Gmail (which I also always have open) updates part of its page too; etc.
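Two questions in the exchange above can be answered from the driver file itself without guessing: whether two copies of mwac.sys are the same build (the staff post compares size and MD5, and notes the version string matched while the hash did not), and whether a given mwac.sys is a 32-bit or 64-bit image (the Machine field of the PE COFF header says so; a 32-bit and a 64-bit build of the same driver are different files and will never hash alike). The script below is an added example, not code from the thread or from Malwarebytes: it fingerprints a file by size, MD5 and SHA-256 and reads the Machine and link timestamp from the PE header. The `make_fake_pe` helper builds a constructed header-only image for testing; real use is `compare("mwac.sys", "mwac-fresh.sys")`.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

# IMAGE_FILE_HEADER.Machine values for the two builds a Windows driver can be.
MACHINE_NAMES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}


def pe_header_fields(data):
    """Read the COFF file header of a PE image (a .sys driver is one).

    Layout: 'MZ' at offset 0, e_lfanew (offset of 'PE\\0\\0') at 0x3C, then the
    20-byte COFF header: Machine (u16), NumberOfSections (u16), TimeDateStamp (u32),
    PointerToSymbolTable (u32), NumberOfSymbols (u32), SizeOfOptionalHeader (u16),
    Characteristics (u16).  Returns {} when the bytes are not a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {}
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, f"unknown (0x{machine:04X})"),
        "sections": nsections,
        "link_timestamp": timestamp,  # seconds since 1970; identifies the build
    }


def fingerprint_bytes(data):
    """Size, MD5 (for comparison with the logs in the thread) and SHA-256
    (MD5 is fine for telling two builds apart, not for integrity against
    an attacker who can craft collisions), plus the PE header fields."""
    info = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    info.update(pe_header_fields(data))
    return info


def fingerprint(path):
    return fingerprint_bytes(Path(path).read_bytes())


def compare_bytes(data_a, data_b):
    """Return only the fields that differ, as {field: (value_a, value_b)}."""
    a, b = fingerprint_bytes(data_a), fingerprint_bytes(data_b)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def compare(path_a, path_b):
    return compare_bytes(Path(path_a).read_bytes(), Path(path_b).read_bytes())


def make_fake_pe(machine, timestamp, payload=b""):
    """Constructed test image: DOS stub + 'PE\\0\\0' + COFF header, nothing else.
    It is not loadable; it only exercises pe_header_fields()."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff + payload


if __name__ == "__main__":
    # Demo on two constructed images: same timestamp, different architecture.
    with tempfile.TemporaryDirectory() as tmp:
        p32, p64 = Path(tmp, "mwac-x86.sys"), Path(tmp, "mwac-x64.sys")
        p32.write_bytes(make_fake_pe(0x014C, 1400000000))
        p64.write_bytes(make_fake_pe(0x8664, 1400000000))
        for field, (a, b) in compare(p32, p64).items():
            print(f"{field}: {a} != {b}")
```

A matching `machine` value with differing size and hashes means two builds of the same architecture; differing `machine` values mean the files were never expected to match, which is the case the 32-bit Vista poster raises.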


CheckResults_AFTER.txt

CheckResults_BEFORE.txt

@Jekko, I went ahead and followed the steps you asked for.  By "Run MBAM-Check" I assumed you meant mbam-check-2.1.0.0002.exe, and by "MBAM-Check Log" I assumed you meant the resulting CheckResults.txt file.

 

I'm attaching two of the latter.  The BEFORE is after rebooting but before installing Malwarebytes again.  I think it shows that all the Malwarebytes files were in fact deleted.  The AFTER is immediately after installing Malwarebytes again.  It shows the same file size and MD5 digest for mwac.sys as I've always seen on my Vista box (i.e., no change!).  The installer file was named mbam-setup-2.0.2.1012.exe.  The cleaner executable was mbam-clean-2.0.2.0.exe.

 

In other news, I also uninstalled McAfee Security Scan Plus (never wanted it to begin with  :P) and Spybot S&D (it's never found anything to do except delete tracking cookies - more bother than it's been worth for me).


  • Staff

Thanks for attempting that.  We will have to put our trust in development to fix it then.  I will let you know if there are any updates from our side.  Until then, please continue however you would like.

 

Another alternative until the problem is fixed is to go back to 1.75.0.1300 temporarily.  The UI isn't as fancy, but it gets the job done just the same.  :lol:


@Jekko, another possibility is to pursue getting a 32-bit mwac.sys that can run for more than a few seconds without causing Driver Verifier to bugcheck.  I still don't know whether that's unique to my 32-bit system, though.

The point is that memory corruption errors are far easier to diagnose if the code doing the corruption can be caught in the act, and Driver Verifier's "special pool" option is the best way I know of to establish a good chance of achieving that.  But I can't use that on this system because it bugchecks within seconds every time due to another cause (complaining that mwac.sys is requesting a 0-byte allocation - which probably isn't related to my regular BSODs).  BTW, after doing the clean install again, it's still true that I can't make any progress with Driver Verifier; that's not surprising, since mwac.sys didn't change.

Anyway, since I made some other potentially relevant changes (uninstalling the remnants of McAfee & SpyBot), the honorable  ^_^ thing for me to do now is re-enable Malicious Website Protection and see whether the original BSODs still occur.  So I did that.  More later, I bet  :(.


The next BAD_POOL_HEADER BSOD occurred about 19 hours later, although the machine was powered down for about 10 of those hours.  I'll attach the mini-dump - looks very much like all the others.  At the time I was scrolling down my Facebook News Feed - nothing I hadn't been doing all along.  @Jekko, if you want the full MEMORY.DMP, just say so.  I've disabled MWP again.

 

Mini061014-01.zip


Mate,

 

This might provide more information.

Could you please download procdump from HERE.

 

Run a command prompt as Administrator and type in:

procdump -e 1 <processid> c:\Windows    e.g. procdump -e 1 2944 c:\Windows

 

If/when the mbamservice.exe process crashes, procdump should catch the 1st chance exception, which I'm hoping will contain more information.


  • Staff

Anachromat, (and any other user this applies to)

 

We have confirmed that the BSOD reported while running Windows Verifier has been fixed and will be included in the next release.

 

In regards to the BAD_POOL_HEADER issue, we are still looking into that so please stay tuned.  :)


Anachromat, (and any other user this applies to)

 

We have confirmed that the BSOD reported while running Windows Verifier has been fixed and will be included in the next release.

 

...

FYI, I assume this refers to the Verifier BSOD reported by Mike406 on Win7 64-bit and not to the multiple Verifier BSODs I talked about on Vista 32-bit.  Fine by me, just trying to be clear.


Mate,

 

This might provide more information.

Could you please download procdump from HERE.

 

Run a command prompt as Administrator and type in:

procdump -e 1 <processid> c:\Windows    e.g. procdump -e 1 2944 c:\Windows

If/when the mbamservice.exe process crashes, procdump should catch the 1st chance exception, which I'm hoping will contain more information.

 

I enjoy random thrashing too  :).

This did produce a dump for a first-chance exception, but like most first-chance exceptions it did not crash the program - MBAM went on to handle it itself.

I'll attach the dump file in case you think there's something interesting in it (nothing in it looked notable to me).

 

mbamservice.exe_140613_193139.zip


 

Mate,

 

Thanks for providing that information, I appreciate it.

 

Could you try the 2nd chance exception by changing the -e 1 to -e 2

procdump -e 2 <processid> c:\Windows    e.g. procdump -e 2 2944 c:\Windows

 

Was worth a try  :).  Alas, when the next BSOD occurred, procdump did not create a dump file - only the Windows dump files were left behind.  Perhaps a kernel bugcheck doesn't count as "an (ordinary) exception" in this context?  Or perhaps it does, but the procdump dump file wasn't written to disk before Windows shut itself down?  Don't know.  In any case, I'll attach the Windows mini-dump.  Same old, same old.

Before the crash, procdump recorded several first-chance exceptions in the command window, but they don't appear to be relevant (and occurred at times "far" removed from the BSOD):

[16:09:26] Exception: E06D7363.?AVException@util@mb@@
[16:09:26] Exception: E06D7363.?AVException@util@mb@@
[16:09:26] Exception: E06D7363.?AVException@util@mb@@
[16:09:26] Exception: E06D7363.?AVException@util@mb@@
[17:09:26] Exception: E06D7363.?AVException@util@mb@@
[17:09:27] Exception: E06D7363.?AVException@util@mb@@
[17:09:27] Exception: E06D7363.?AVException@util@mb@@
[17:09:27] Exception: E06D7363.?AVException@util@mb@@
[18:09:26] Exception: E06D7363.?AVException@util@mb@@
[18:09:26] Exception: E06D7363.?AVException@util@mb@@
[18:09:26] Exception: E06D7363.?AVException@util@mb@@
[18:09:26] Exception: E06D7363.?AVException@util@mb@@
[18:12:51] Exception: 000006BB
[18:13:18] Exception: 000006BB
[18:13:18] Exception: 000006BB
[18:13:18] Exception: 000006BB

So every hour something wakes up and throws 4 C++ exceptions (E06D7363) in quick succession, and 000006BB seems harder to track down.  But MBAM handled all those exceptions itself, and the last one occurred more than 40 minutes before the BSOD.  It's possible there was more output in that window I never saw, though.
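The reasoning in that post (group the first-chance exceptions into bursts, notice the bursts recur on the hour, and measure how far the last one sits from the bugcheck) is worth automating when procdump runs for days. The script below is an added example, not part of the thread or of procdump; it takes the console lines quoted above as constructed input, pasted exactly as the forum ran them together, and splits records on the `[hh:mm:ss]` prefix so the layout does not matter. The code table is partly an assumption: 0xE06D7363 is the SEH code the Microsoft C++ runtime raises for every C++ `throw` (procdump appends the decorated name of the thrown type, here `class mb::util::Exception`), while the 0x6BB entry (decimal 1723, the Win32 error RPC_S_SERVER_TOO_BUSY) is a lookup the thread does not confirm and is marked as such.

```python
import re
from collections import Counter
from datetime import timedelta

# Constructed input: the procdump output quoted in the thread, run together
# on one line the way the forum rendered it.
PROCDUMP_OUTPUT = (
    "[16:09:26] Exception: E06D7363.?AVException@util@mb@@" * 4
    + "[17:09:26] Exception: E06D7363.?AVException@util@mb@@"
    + "[17:09:27] Exception: E06D7363.?AVException@util@mb@@" * 3
    + "[18:09:26] Exception: E06D7363.?AVException@util@mb@@" * 4
    + "[18:12:51] Exception: 000006BB"
    + "[18:13:18] Exception: 000006BB" * 3
)

# 0xE06D7363 ('msc' with the user-defined facility bits) is the code the MSVC
# runtime uses for a thrown C++ object.  The 0x6BB entry is an assumption, not
# something the thread establishes: 0x6BB = 1723 = Win32 RPC_S_SERVER_TOO_BUSY.
KNOWN_CODES = {
    "E06D7363": "Microsoft C++ exception (thrown C++ object)",
    "000006BB": "assumed: Win32 error 1723, RPC_S_SERVER_TOO_BUSY",
}

# '[hh:mm:ss] Exception: <8 hex digits>' optionally followed by '.<decorated type>'.
# The type-name class excludes '[' so a following record is not swallowed.
EVENT_RE = re.compile(
    r"\[(\d{2}):(\d{2}):(\d{2})\] Exception: ([0-9A-Fa-f]{8})(?:\.([^\[\s]*))?"
)


def parse_clock(text):
    """'hh:mm:ss' -> timedelta since midnight."""
    h, m, s = (int(x) for x in text.split(":"))
    return timedelta(hours=h, minutes=m, seconds=s)


def parse_events(text):
    """Return [(time, code, type_name), ...] in order of appearance."""
    events = []
    for h, m, s, code, type_name in EVENT_RE.findall(text):
        events.append((parse_clock(f"{h}:{m}:{s}"), code.upper(), type_name))
    return events


def count_by_code(events):
    return Counter(code for _, code, _ in events)


def bursts(events, window_seconds=5):
    """Group consecutive events of one code whose gap is <= window_seconds.
    Returns [(start_time, count, code), ...]."""
    groups, last = [], None
    for when, code, _ in events:
        same_burst = (last is not None and groups[-1][2] == code
                      and (when - last).total_seconds() <= window_seconds)
        if same_burst:
            start, n, c = groups[-1]
            groups[-1] = (start, n + 1, c)
        else:
            groups.append((when, 1, code))
        last = when
    return groups


def burst_period(events, code, window_seconds=5):
    """The constant interval between bursts of `code`, or None if the bursts
    are not evenly spaced (or there are fewer than two of them)."""
    starts = [start for start, _, c in bursts(events, window_seconds) if c == code]
    if len(starts) < 2:
        return None
    gaps = {starts[i + 1] - starts[i] for i in range(len(starts) - 1)}
    return gaps.pop() if len(gaps) == 1 else None


def minutes_before(events, bsod_clock):
    """Minutes from the last recorded exception to the bugcheck ('hh:mm:ss').
    A large gap, as in the post, argues against the exceptions being the cause."""
    return (parse_clock(bsod_clock) - events[-1][0]).total_seconds() / 60


if __name__ == "__main__":
    ev = parse_events(PROCDUMP_OUTPUT)
    for code, n in count_by_code(ev).items():
        print(f"{code}: {n}x  {KNOWN_CODES.get(code, 'unknown code')}")
    for start, n, code in bursts(ev):
        print(f"burst at {start}: {n} x {code}")
    print("E06D7363 burst period:", burst_period(ev, "E06D7363"))
    # Constructed bugcheck time; the post only says 'more than 40 minutes'.
    print("minutes from last exception to BSOD:", minutes_before(ev, "19:00:00"))
```

On the quoted output this reports twelve C++ exceptions in three bursts of four exactly one hour apart, four 000006BB events in two clusters, and a gap of well over 40 minutes to a bugcheck placed at 19:00, which is the post's own conclusion in numbers.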

 

Mini061414-01.zip


For what it's worth, I've also been getting the Bad Pool Header BSOD since using the new MBAM.  Once about 5 days ago, and once this morning.  I also have the malicious website protection active.  I see there's a few other threads with people reporting the same issue also.  I don't have the technical knowledge (or desire) to get involved tracking down the issue to the level that some do, but I just wanted to let you know there's another case of this happening.  I'm guessing many more are having the problem, but haven't connected it to MBAM yet. I hope you'll reply here again soon with a progress report, even if it isn't solved yet.  I'm concerned it may be due to malware that's messing with the MBAM files themselves, in an attempt to disable it or fool it?  Is that possible?  Thanks.


@ncs, you should really open a new issue about that!  There's no way to guess whether your problems may or may not have the same cause unless you run a few tools and post a few log files.  If you open a new report, someone will reply with detailed instructions about how to do that.  It would help.

 

I strongly doubt my problem, or the other reports of BAD_POOL_HEADER BSODs currently active on this forum, are due to malware, but nobody can be certain until the true causes are determined.  I have decades of experience tracking down memory corruption errors reported by dynamic memory allocators and garbage collection systems, and this "smells like a typical one of those".  Although my experience is in the context of various programming language support libraries, and not in the context of Windows driver development, so my intuition may be wrong  :huh:.  If you post your log files (see above), someone can look at them and make a pretty good guess as to whether your computer shows signs of infection.  The other reports here have already done that, and are still open because they don't show clear signs of infection.

 

In any case, good luck  ;)


  • 1 year later...

Anachromat, (and any other user this applies to)

 

We have confirmed that the BSOD reported while running Windows Verifier has been fixed and will be included in the next release.

 

In regards to the BAD_POOL_HEADER issue, we are still looking into that so please stay tuned.  :)

 

Hello, was the BAD_POOL_HEADER issue ever fixed? Right now, I'm only using MBAM on demand (it is not starting with Windows) and I haven't had that BSoD this way for 1 week. I was having the BAD_POOL_HEADER many times when loading webpages (Facebook, newspapers, etc.) with lots of links/images. So I'm asking because I really like MBAM and I would like to have it running 100% of the time on my machine.

 

And no, I'm not going to do those dozens of tests with logs, because not having MBAM running on my machine already fixed my problem; that's the reason I'm asking whether the BAD_POOL_HEADER issue was fixed. Looks like it wasn't fixed yet.

 

Windows 10 PRO here.


Hello, was the BAD_POOL_HEADER issue ever fixed? Right now, I'm only using MBAM on demand (it is not starting with Windows) and I haven't had that BSoD this way for 1 week. I was having the BAD_POOL_HEADER many times when loading webpages (Facebook, newspapers, etc.) with lots of links/images. So I'm asking because I really like MBAM and I would like to have it running 100% of the time on my machine.

 

And no, I'm not going to do those dozens of tests with logs, because not having MBAM running on my machine already fixed my problem; that's the reason I'm asking whether the BAD_POOL_HEADER issue was fixed. Looks like it wasn't fixed yet.

 

Windows 10 PRO here.

 

Actually, this thread is over 15 months old and based on a long-outdated version of MBAM. ;)

The problem at that time was solved long ago.

Moreover, each computer is unique, and BSODs can have many different causes (hardware problems, driver issues, even malware such as rootkits).

We would need to know a bit more about your computer in order to better assist you.

 

So, if you would like assistance with your computer, for starters, we respectfully suggest that you please read the following and attach to your next reply the 3 requested logs - Diagnostic Logs (the 3 logs are: FRST.txt, Addition.txt and CheckResults.txt)

(Additional information, such as dump files, may be needed, as well.)

 

Thank you,

 

P.S. As this thread is old and cluttered, the forum staff may split off your post to a new, separate thread for better, customized assistance. No worries, though. ;)
