denial Posted October 31, 2017 ID:1177833
Hello, today I noticed an issue with Anti-Ransomware beta 797 and 807: when I start Call of Duty Modern Warfare 3 - Multiplayer, I always get bluescreen 7E, unless ARW is stopped or uninstalled. I was using both for many months without any issue. Could you please advise on this? I have now uninstalled it and the game works well. Thanks
Attachment: 103117-35895-01.dmp
Staff tetonbob Posted October 31, 2017 ID:1177861 (edited)
Greetings @denial
The minidump doesn't directly implicate the ARW protection driver farflt.sys, but as the issue is only present on your system with MBARW active or installed, we'd like to investigate further. Our developers always request a complete memory dump rather than a minidump.
We just yesterday released a new Component Update package to the 0.9.18.807 platform, version 1.1.117. It has several stability improvements. If you can consistently reproduce this issue, would you mind reinstalling MBARW and letting it update to the latest Component Update (CU) before attempting to run your game?
Configure Windows to create crash dumps on failures and not to restart automatically on system failure:
• Press the Windows key + R
• In the Run box type or copy/paste the following and press Enter or click on OK: control sysdm.cpl
• Once the System Properties dialog opens, click on the Advanced tab.
• Click on the 'Settings...' button located under 'Startup and Recovery'.
• Under System failure make certain that 'Automatically restart' is unchecked. If it is checked, uncheck it.
• Click the drop-down menu under Write debugging information and select 'Complete memory dump' if that option is not already selected.
• Make certain that you know the path where the dumps are saved, which by default will be %SystemRoot%\MEMORY.DMP. (%SystemRoot% is typically C:\Windows)
• Make certain that 'Overwrite any existing file' is checked. If it is unchecked, check it.
• Click on OK, then on the next screen click OK to close it.
You will need to restart your system before these settings are fully enabled. Should a system crash (BSOD) occur, please write down the significant information displayed, such as the file name indicated in the BSOD as well as any alpha-numeric error codes, so that you may provide them to the developers.
In addition, should such a crash (BSOD) occur, please provide the memory dump created by Windows. It will be located at C:\MEMORY.DMP and will need to be copied out of that directory before additional handling can take place. Please zip and upload it to WeTransfer (https://www.wetransfer.com/) or a similar file uploading service, and provide the download link for that file.
In addition, please provide the log file created by our arwlogs tool. Next, we need to gather additional information to assist with our analysis. arwlogs.exe is an information gathering tool that neither installs nor makes system/registry hive changes.
• Download the trusted, Malwarebytes authored arwlogs.exe utility/tool and save it only to a system Administrator's desktop of the system in question.
• Single right-click the arwlogs.exe icon and select Run as administrator from the Windows context menu.
• If a Windows User Account Control (UAC) alert/prompt for arwlogs.exe appears, select the "Yes" button to continue.
• If a Windows SmartScreen warning alert/prompt for arwlogs.exe appears, select "More info" then select the "Run anyway" button to continue.
• A Command window will appear and its contents may be mostly ignored. When "Press any key to continue . . . " appears at the bottom of the Command window, press the Enter key to close the window.
• A zipped archive (yyyy-mm-dd-{COMPUTERNAME}.zip) should have been generated on the system Administrator's desktop.
• Attach the above-zipped archive to your next reply in this topic.
• Delete arwlogs.exe from the Administrator desktop.
Edited October 31, 2017 by tetonbob
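The crash-dump configuration walked through in the staff reply above, as an added PowerShell example that is not part of the thread or of Malwarebytes' tooling. It writes the same CrashControl registry values the System Properties dialog sets and also checks that the page file can hold a complete dump; the registry path and value names are the documented Windows ones, everything else is constructed here.

```powershell
# Added example (not from the thread): set "Complete memory dump", disable
# automatic restart, and keep the default dump path, then sanity-check the
# page file. Run from an elevated PowerShell prompt and reboot afterwards.

$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# CrashDumpEnabled: 1 = complete, 2 = kernel, 3 = small (minidump),
# 7 = automatic memory dump (the Windows 8+ default).
$desired = @{
    CrashDumpEnabled = 1
    AutoReboot       = 0   # leave the BSOD on screen so the stop code can be noted
    Overwrite        = 1   # replace an older MEMORY.DMP instead of failing to write
}

Write-Host 'Current CrashControl settings:'
Get-ItemProperty -Path $crashControl |
    Select-Object CrashDumpEnabled, AutoReboot, Overwrite, DumpFile |
    Format-List

foreach ($name in $desired.Keys) {
    Set-ItemProperty -Path $crashControl -Name $name -Value $desired[$name] -Type DWord
}
# DumpFile is REG_EXPAND_SZ; the kernel expands %SystemRoot% when it writes the dump.
Set-ItemProperty -Path $crashControl -Name DumpFile `
    -Value '%SystemRoot%\MEMORY.DMP' -Type ExpandString

# A complete dump needs a page file on the system drive of at least RAM + 1 MB.
# Win32_PageFileSetting returns nothing (or a 0/0 entry) when the page file is
# system-managed; in that case Windows sizes it, but verify if dumps come out short.
$ramMB = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$pageFiles = Get-CimInstance Win32_PageFileSetting
if (-not $pageFiles) {
    Write-Warning "Page file is system-managed; make sure it is on $env:SystemDrive and can grow past $ramMB MB."
} else {
    foreach ($pf in $pageFiles) {
        $onSystemDrive = $pf.Name.StartsWith($env:SystemDrive, [System.StringComparison]::OrdinalIgnoreCase)
        if ($pf.MaximumSize -eq 0) {
            Write-Host ("{0}: system-managed size" -f $pf.Name)
        } elseif ($onSystemDrive -and $pf.MaximumSize -ge ($ramMB + 1)) {
            Write-Host ("{0}: max {1} MB, large enough for a complete dump" -f $pf.Name, $pf.MaximumSize)
        } else {
            Write-Warning ("{0}: max {1} MB on the wrong drive or below {2} MB" -f $pf.Name, $pf.MaximumSize, ($ramMB + 1))
        }
    }
}

Write-Host "`nSettings that take effect after the next reboot:"
Get-ItemProperty -Path $crashControl |
    Select-Object CrashDumpEnabled, AutoReboot, Overwrite, DumpFile |
    Format-List
```

Run it once before reproducing the crash, then copy C:\Windows\MEMORY.DMP out of the directory and zip it as the reply asks.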
denial Posted October 31, 2017 Author ID:1177927
Hello, so I was able to replicate it using ARB 0.9.18.807-1.1.117. The arwlogs zip is too large to be attached to this message, so it is here: https://mega.nz/#!GdERXKYK!spNZeGl0IM_ne5G83gTdRRxTybDH8Jop-5ihV9U0U9w and the full memory dump is here: https://mega.nz/#!fYFlmIDB!_52fkXh1Ul8H2MZlSCzo8nOQsxInO_vXuw_jJFqsufw
I have also installed Anti-Exploit 1.10.1.41 but I disabled it before the crash. Thanks
--
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {ffffffffc0000005, fffff880014c70b2, fffff8800964f858, fffff8800964f0c0}

Probably caused by : fltmgr.sys ( fltmgr!FltpCompleteCompletionNode+32 )

Followup:     MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff880014c70b2, The address that the exception occurred at
Arg3: fffff8800964f858, Exception Record Address
Arg4: fffff8800964f0c0, Context Record Address

Debugging Details:
------------------

DUMP_CLASS: 1
DUMP_QUALIFIER: 402
BUILD_VERSION_STRING:  7601.23915.amd64fre.win7sp1_ldr.170913-0600
DUMP_TYPE:  0
BUGCHECK_P1: ffffffffc0000005
BUGCHECK_P2: fffff880014c70b2
BUGCHECK_P3: fffff8800964f858
BUGCHECK_P4: fffff8800964f0c0
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
fltmgr!FltpCompleteCompletionNode+32
fffff880`014c70b2 488b4810        mov     rcx,qword ptr [rax+10h]
EXCEPTION_RECORD:  fffff8800964f858 -- (.exr 0xfffff8800964f858)
ExceptionAddress: fffff880014c70b2 (fltmgr!FltpCompleteCompletionNode+0x0000000000000032)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000010
Attempt to read from address 0000000000000010
CONTEXT:  fffff8800964f0c0 -- (.cxr 0xfffff8800964f0c0)
rax=0000000000000000 rbx=fffffa8006703430 rcx=fffffa8006703430
rdx=0000000000000001 rsi=fffffa800679fc10 rdi=fffffa80067035e8
rip=fffff880014c70b2 rsp=fffff8800964fa90 rbp=fffffa80067034e0
 r8=fffffa80067034e0  r9=0000000000000000 r10=0000000000000000
r11=fffffa80067035c8 r12=fffffa800b1db100 r13=0000000000000001
r14=fffff8800964fba8 r15=0000000000000001
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
fltmgr!FltpCompleteCompletionNode+0x32:
fffff880`014c70b2 488b4810        mov     rcx,qword ptr [rax+10h] ds:002b:00000000`00000010=????????????????
Resetting default scope
PROCESS_NAME:  System
CURRENT_IRQL:  0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE_STR:  c0000005
EXCEPTION_PARAMETER1:  0000000000000000
EXCEPTION_PARAMETER2:  0000000000000010
READ_ADDRESS:  0000000000000010
FOLLOWUP_IP:
fltmgr!FltpCompleteCompletionNode+32
fffff880`014c70b2 488b4810        mov     rcx,qword ptr [rax+10h]
BUGCHECK_STR:  0x7E
DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE
ANALYSIS_SESSION_HOST:  PAD
ANALYSIS_SESSION_TIME:  10-31-2017 22:57:13.0913
ANALYSIS_VERSION: 10.0.10586.567 amd64fre
LAST_CONTROL_TRANSFER:  from fffff880014cb8ab to fffff880014c70b2
STACK_TEXT:
fffff880`0964fa90 fffff880`014cb8ab : fffffa80`06703430 fffffa80`067034e0 fffffa80`0679fc10 fffffa80`06703500 : fltmgr!FltpCompleteCompletionNode+0x32
fffff880`0964fac0 fffff880`014f473d : fffffa80`067035e8 fffffa80`0bb48c10 fffff880`0d3b7640 fffffa80`06703430 : fltmgr!FltCompletePendedPostOperation+0xbb
fffff880`0964fb10 fffff800`02ec6085 : fffff880`014f4680 fffff800`030642a0 fffffa80`0b04da00 fffffa80`06703430 : fltmgr!FltpSafeCompletionWorker+0xbd
fffff880`0964fb70 fffff800`03156622 : 00000000`019ca1cc fffffa80`0b04da00 00000000`00000080 fffffa80`06133970 : nt!ExpWorkerThread+0x111
fffff880`0964fc00 fffff800`02eadda6 : fffff880`009e5180 fffffa80`0b04da00 fffff880`009f00c0 fffffa80`060f7d50 : nt!PspSystemThreadStartup+0x5a
fffff880`0964fc40 00000000`00000000 : fffff880`09650000 fffff880`0964a000 fffff880`0964f8a0 00000000`00000000 : nt!KiStartSystemThread+0x16
THREAD_SHA1_HASH_MOD_FUNC:  f95e70e95128b606f690588d868d0f822c4ff374
THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  2360c3d87223f87de6772785076c6656096377ec
THREAD_SHA1_HASH_MOD:  e06a8e1d654fec570c2ad25485278673f5e4f7b8
FAULT_INSTR_CODE:  10488b48
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  fltmgr!FltpCompleteCompletionNode+32
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: fltmgr
IMAGE_NAME:  fltmgr.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4ce7929c
STACK_COMMAND:  .cxr 0xfffff8800964f0c0 ; kb
FAILURE_BUCKET_ID:  X64_0x7E_fltmgr!FltpCompleteCompletionNode+32
BUCKET_ID:  X64_0x7E_fltmgr!FltpCompleteCompletionNode+32
PRIMARY_PROBLEM_CLASS:  X64_0x7E_fltmgr!FltpCompleteCompletionNode+32
TARGET_TIME:  2017-10-31T21:55:50.000Z
OSBUILD:  7601
OSSERVICEPACK:  1000
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK:  272
PRODUCT_TYPE:  1
OSPLATFORM_TYPE:  x64
OSNAME:  Windows 7
OSEDITION:  Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID:  0
OSBUILD_TIMESTAMP:  2017-09-13 16:55:13
BUILDDATESTAMP_STR:  170913-0600
BUILDLAB_STR:  win7sp1_ldr
BUILDOSVER_STR:  6.1.7601.23915.amd64fre.win7sp1_ldr.170913-0600
ANALYSIS_SESSION_ELAPSED_TIME: 4ef
ANALYSIS_SOURCE:  KM
FAILURE_ID_HASH_STRING:  km:x64_0x7e_fltmgr!fltpcompletecompletionnode+32
FAILURE_ID_HASH:  {24880b1e-7557-860c-a16f-2fd44f3a308e}

Followup:     MachineOwner
---------

2: kd> lmvm fltmgr
Browse full module list
start             end                 module name
fffff880`014bb000 fffff880`01507000   fltmgr     (pdb symbols)          C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym\fltMgr.pdb\A008BBBF87CC421FA0E568076A16F4BA2\fltMgr.pdb
    Loaded symbol image file: fltmgr.sys
    Image path: \SystemRoot\system32\drivers\fltmgr.sys
    Image name: fltmgr.sys
    Browse all global symbols  functions  data
    Timestamp:        Sat Nov 20 10:19:24 2010 (4CE7929C)
    CheckSum:         0005452D
    ImageSize:        0004C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
Staff tetonbob Posted October 31, 2017 ID:1177933
Hi @denial - thanks for providing this information. I'd like to ask a couple of followup questions if I may. Does this only happen when playing Call of Duty? Are there any unusual installation characteristics for CoD or your OS in general? Would you mind running one more diagnostic tool for us?
Create and obtain Farbar Recovery Scan Tool (FRST) logs:
• Download FRST and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit.
• Double-click to run FRST and when the tool opens click "Yes" to the disclaimer.
• Press the "Scan" button.
• This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt.
• Please attach those files in reply.
I'll provide all this information to our developers.
denial Posted October 31, 2017 Author ID:1177943
Hello, I'm not aware of anything unusual possibly related ... Yes, so far it happens only with CoD:MW3. It was working well ~2 days ago when I played it last time. Thanks
Attachment: FRST.zip
Staff tetonbob Posted October 31, 2017 ID:1177949
Thank you for the logs. It will take some time to analyze. For now you'll need to disable MBARW while you run CoD:MW3.
JohnSmith1 Posted November 1, 2017 ID:1178081
Hello, I would like to +1 this issue with the new update. There are ~20 developers in my office and we have all used MBARW for some time now. Yesterday, everyone in my office started getting BSODs at what seemed to be random times (by analyzing the logs in "C:\ProgramData\Malwarebytes\MB3Service\logs", we later realized that it was because we had received the update at different times). We debugged the issue to be a conflict between the Microsoft C# compiler (csc.exe) and the MB3Service. NOTE: all of us got different BSOD messages and since our PCs crashed multiple times before we found the problem, I can confirm that the BSOD message was always random, even when we did multiple tests on the same PC. Best regards, J
Staff tetonbob Posted November 1, 2017 ID:1178125 (edited)
@JohnSmith1 - can you confirm what version you are using? What is shown in the title bar of Malwarebytes Anti-Ransomware? Can you provide a Complete memory dump from any or several of the systems affected?
Edited November 1, 2017 by tetonbob
JohnSmith1 Posted November 1, 2017 ID:1178134
Hi, We are using MBARW (beta) 0.9.18.797-1.1.117. I'll try to find a full dump and upload it somewhere for you. Best regards, J
Staff tetonbob Posted November 1, 2017 ID:1178135
Thank you, JohnSmith1.
Staff tetonbob Posted November 1, 2017 ID:1178142
@JohnSmith1 - a couple of additional questions. What type(s) of activities were being performed at the time of the BSOD on your team's machines? If you add an exclusion for csc.exe or its parent folder, does that alleviate the issue?
atariguy Posted November 1, 2017 ID:1178155 (edited)
I am also having this issue. Starting this morning (when restarting my computer for the first time in weeks) I consistently get a BSOD when trying to start Sybase SQL Anywhere 11. It gives stop code 0x0000007E and points to fltmgr.sys. After having this happen several times, I remembered the last time I was getting BSODs it was the anti-ransomware that was at fault. So I turned it off and that fixed the problem, meaning it's once again the culprit. It is version 0.9.18.797-1.1.117.
Edited November 1, 2017 by atariguy (added mbarw version)
Staff tetonbob Posted November 1, 2017 ID:1178157
@atariguy - Do you have a Complete memory dump from the crash?
Staff hmartinez Posted November 1, 2017 ID:1178158
@JohnSmith1 - Which OS (and 32 / 64 bits) and which version of csc.exe are you using? Thank you.
atariguy Posted November 1, 2017 ID:1178160
8 minutes ago, tetonbob said: @atariguy - Do you have a Complete memory dump from the crash?
Here it is: https://drive.google.com/open?id=0B4XVvlZQ7JM2MHhOdTRVc0plRm8 It's Windows 7 SP 1 64 bit.
Staff tetonbob Posted November 1, 2017 ID:1178161
2 minutes ago, atariguy said: Here it is: https://drive.google.com/open?id=0B4XVvlZQ7JM2MHhOdTRVc0plRm8 It's Windows 7 SP 1 64 bit.
Thank you!
JohnSmith1 Posted November 1, 2017 ID:1178249
5 hours ago, hmartinez said: @JohnSmith1 - Which OS (and 32 / 64 bits) and which version of csc.exe are you using? Thank you.
We are using Windows 10 Enterprise (64-bit) version 1709 (16299.19). csc.exe is version 4.7.2556.0. Unfortunately, I could get permission to upload any dump file anywhere. I apologize for this.
Staff tetonbob Posted November 1, 2017 ID:1178255
@JohnSmith1 - Thanks, we understand about the crash dump. It looks like you've provided the version of a .NET install. In the Visual Studio Command Prompt you use, can you run this command and tell us the resulting output? csc /version
Thank you.
JohnSmith1 Posted November 1, 2017 ID:1178261
11 minutes ago, tetonbob said: @JohnSmith1 - Thanks, we understand about the crash dump. It looks like you've provided the version of a .NET install. In the Visual Studio Command Prompt you use, can you run this command and tell us the resulting output? csc /version Thank you.
**********************************************************************
** Visual Studio 2017 Developer Command Prompt v15.4.2
** Copyright (c) 2017 Microsoft Corporation
**********************************************************************

C:\Windows\System32>csc /version
2.4.0.62225 (f0cdbe92)
JohnSmith1 Posted November 1, 2017 ID:1178266
6 hours ago, tetonbob said: @JohnSmith1 - a couple of additional questions. What type(s) of activities were being performed at the time of the BSOD on your team's machines? If you add an exclusion for csc.exe or its parent folder, does that alleviate the issue?
At the time of the BSOD, our project was being navigated for the first time after re-building in Visual Studio and deleting the temporary ASP.NET files (at which point IIS is starting to generate the temporary files needed). I cannot really test the exclusion right now; if I have the time, I'll try and do it tomorrow. NOTE: this only happens with our largest solution (100+ .csproj projects) and does not happen with several other smaller ones.
Staff tetonbob Posted November 1, 2017 ID:1178271
Great, thanks. This is likely interrupting your workflow, so we understand the impact of trying additional troubleshooting steps. Thank you. And if that ultimately is not possible for you, please note: We've stopped delivering the Component Update package 1.1.117 pending further investigation. To revert to the previous Component Update Package, uninstall MBARW and reinstall. It will pick up Component Update Package 1.1.100.
JohnSmith1 Posted November 1, 2017 ID:1178280
9 minutes ago, tetonbob said: Great, thanks. This is likely interrupting your workflow, so we understand the impact of trying additional troubleshooting steps. Thank you. And if that ultimately is not possible for you, please note: We've stopped delivering the Component Update package 1.1.117 pending further investigation. To revert to the previous Component Update Package, uninstall MBARW and reinstall. It will pick up Component Update Package 1.1.100.
Thanks! BTW, adding exclusions as shown in the attached file does not solve the problem. Best Regards, J
Staff tetonbob Posted November 1, 2017 ID:1178284
Thanks for checking! Our Devs are looking into this.
Staff tetonbob Posted November 1, 2017 ID:1178285
@JohnSmith1 - Would it be possible to send, via Private Message, the .arw files from an affected machine? They would be located here: C:\ProgramData\Malwarebytes\MB3Service\ARW
JohnSmith1 Posted November 1, 2017 ID:1178291
7 minutes ago, tetonbob said: @JohnSmith1 - Would it be possible to send, via Private Message, the .arw files from an affected machine? They would be located here: C:\ProgramData\Malwarebytes\MB3Service\ARW
I've just left my office, I'll either do it tonight or tomorrow morning. Best regards, J