Jump to content

Recommended Posts

Hello,

 

today i noticed issue with anti ramsomware beta 797 and 807 - when i start Call of Duty Modern Warfare 3 - Multiplayer, i got always bluescreeen 7E, unless ARW is stopped or uninstalled.

i was using both many months without any issue.

could you please advise on this? i have now uninstalled it and the game works well.

Thanks

 

image.thumb.png.6ed7e9fab6e7a98b20d070f96f809bef.png

 

103117-35895-01.dmp

Share this post


Link to post
Share on other sites

Greetings @denial

The minidump doesn't directly implicate the ARW protection driver farflt.sys but as the issue is only present on your system with MBARW active or installed, we'd like to investigate further.

 

Our developers always request a complete memory dump rather than a minidump

 

We just yesterday released a new Component Update package to the 0.9.18.807 platform, version 1.1.117

It has several stability improvements. If you can consistently reproduce this issue, would you mind reinstalling MBARW, and let it update to the latest Component Update (CU) before attempting to run your game?

 

Configure Windows to create crash dumps on failures and not to restart automatically on system failure:

• Press the Windows key + R
• In the Run box type or copy/paste the following and press Enter or click on OK:

control sysdm.cpl

• Once the System Properties dialog opens, click on the Advanced tab.
• Click on the 'Settings...' button located under 'Startup and Recovery'.
• Under System failure make certain that 'Automatically restart' is unchecked. If it is checked, uncheck it.
• Click the drop-down menu under Write debugging information and select 'Complete memory dump' if that option is not already selected.
• Make certain that you know the path where the dumps are saved, which by default will be %SystemRoot%\MEMORY.DMP. (%SystemRoot% is typically C:\Windows)
• Make certain that 'Overwrite any existing file' is checked. If it is unchecked, check it.
• Click on OK, then on the next screen click OK to close it.

You will need to restart your system before these settings are fully enabled.

Should a system crash (BSOD) occur, please write down the significant information displayed, such as the file name indicated in the BSOD as well as any alpha-numeric error codes, so that you may provide them to the developers.
In addition, should such a crash (BSOD) occur, please provide the memory dump created by Windows. 

It will be located at C:\MEMORY.DMP and will need to be copied out of that directory before additional handling can take place.


Please zip and upload it to Wetransfer or a similar file uploading service, and provide the download link for that file.
https://www.wetransfer.com/

 

In addition, please provide the log file created by our arwlogs tool.

 

Next, we need to gather additional information to assist with our analysis. arwlogs.exe is an information gathering tool that neither installs nor does it make system/registry hive changes.

  1. Download the trusted, Malwarebytes authored arwlogs.exe utility/tool and save only to a system Administrator's desktop of the system in question.
  2. Single right-click the j1Bynr2.png&key=c55e643d4ec26aa771880d2d  arwlogs.exe icon and select RunAsAdmin.jpg  Run as administrator from the Windows context menu.
  3. If a Windows User Account Control (UAC) alert/prompt for arwlogs.exe appears, select the "Yes" button to continue.
  4. If a Windows SmartScreen warning alert/prompt for arwlogs.exe appears, select "More info" then select the "Run anyway" button to continue.
  5. A Command window will appear and its contents may be mostly ignored.
  6. When "Press any key to continue . . . " appears at the bottom of the Command window, type any Enter key to close the window.
  7. A zipped archive HSPwQfy.png&key=8bea481e1c29518a4e1e2ca3 (yyyy-mm-dd-{COMPUTERNAME}.zip) should have been generated to the system Administrator's desktop.
  8. Attach the above-zipped archive to your next reply in this topic.
  9. Delete j1Bynr2.png&key=c55e643d4ec26aa771880d2d  arwlogs.exe from the Administrator desktop.
Edited by tetonbob

Share this post


Link to post
Share on other sites

Hello,

 

so i was able to replicate it using ARB 0.9.18.807-1.1.117

the arwlogs zip is large to be attached to this message, so it is here https://mega.nz/#!GdERXKYK!spNZeGl0IM_ne5G83gTdRRxTybDH8Jop-5ihV9U0U9w

and the full memory dump is here https://mega.nz/#!fYFlmIDB!_52fkXh1Ul8H2MZlSCzo8nOQsxInO_vXuw_jJFqsufw

i have installed also anti exploit 1.10.1.41 but i disabled it before the crash.

 

Thanks

 

--

 

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {ffffffffc0000005, fffff880014c70b2, fffff8800964f858, fffff8800964f0c0}

Probably caused by : fltmgr.sys ( fltmgr!FltpCompleteCompletionNode+32 )

Followup:     MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff880014c70b2, The address that the exception occurred at
Arg3: fffff8800964f858, Exception Record Address
Arg4: fffff8800964f0c0, Context Record Address

Debugging Details:
------------------


DUMP_CLASS: 1

DUMP_QUALIFIER: 402

BUILD_VERSION_STRING:  7601.23915.amd64fre.win7sp1_ldr.170913-0600

DUMP_TYPE:  0

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: fffff880014c70b2

BUGCHECK_P3: fffff8800964f858

BUGCHECK_P4: fffff8800964f0c0

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP: 
fltmgr!FltpCompleteCompletionNode+32
fffff880`014c70b2 488b4810        mov     rcx,qword ptr [rax+10h]

EXCEPTION_RECORD:  fffff8800964f858 -- (.exr 0xfffff8800964f858)
ExceptionAddress: fffff880014c70b2 (fltmgr!FltpCompleteCompletionNode+0x0000000000000032)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000010
Attempt to read from address 0000000000000010

CONTEXT:  fffff8800964f0c0 -- (.cxr 0xfffff8800964f0c0)
rax=0000000000000000 rbx=fffffa8006703430 rcx=fffffa8006703430
rdx=0000000000000001 rsi=fffffa800679fc10 rdi=fffffa80067035e8
rip=fffff880014c70b2 rsp=fffff8800964fa90 rbp=fffffa80067034e0
 r8=fffffa80067034e0  r9=0000000000000000 r10=0000000000000000
r11=fffffa80067035c8 r12=fffffa800b1db100 r13=0000000000000001
r14=fffff8800964fba8 r15=0000000000000001
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
fltmgr!FltpCompleteCompletionNode+0x32:
fffff880`014c70b2 488b4810        mov     rcx,qword ptr [rax+10h] ds:002b:00000000`00000010=????????????????
Resetting default scope

PROCESS_NAME:  System

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  0000000000000010

READ_ADDRESS:  0000000000000010 

FOLLOWUP_IP: 
fltmgr!FltpCompleteCompletionNode+32
fffff880`014c70b2 488b4810        mov     rcx,qword ptr [rax+10h]

BUGCHECK_STR:  0x7E

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

ANALYSIS_SESSION_HOST:  PAD

ANALYSIS_SESSION_TIME:  10-31-2017 22:57:13.0913

ANALYSIS_VERSION: 10.0.10586.567 amd64fre

LAST_CONTROL_TRANSFER:  from fffff880014cb8ab to fffff880014c70b2

STACK_TEXT:  
fffff880`0964fa90 fffff880`014cb8ab : fffffa80`06703430 fffffa80`067034e0 fffffa80`0679fc10 fffffa80`06703500 : fltmgr!FltpCompleteCompletionNode+0x32
fffff880`0964fac0 fffff880`014f473d : fffffa80`067035e8 fffffa80`0bb48c10 fffff880`0d3b7640 fffffa80`06703430 : fltmgr!FltCompletePendedPostOperation+0xbb
fffff880`0964fb10 fffff800`02ec6085 : fffff880`014f4680 fffff800`030642a0 fffffa80`0b04da00 fffffa80`06703430 : fltmgr!FltpSafeCompletionWorker+0xbd
fffff880`0964fb70 fffff800`03156622 : 00000000`019ca1cc fffffa80`0b04da00 00000000`00000080 fffffa80`06133970 : nt!ExpWorkerThread+0x111
fffff880`0964fc00 fffff800`02eadda6 : fffff880`009e5180 fffffa80`0b04da00 fffff880`009f00c0 fffffa80`060f7d50 : nt!PspSystemThreadStartup+0x5a
fffff880`0964fc40 00000000`00000000 : fffff880`09650000 fffff880`0964a000 fffff880`0964f8a0 00000000`00000000 : nt!KiStartSystemThread+0x16


THREAD_SHA1_HASH_MOD_FUNC:  f95e70e95128b606f690588d868d0f822c4ff374

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  2360c3d87223f87de6772785076c6656096377ec

THREAD_SHA1_HASH_MOD:  e06a8e1d654fec570c2ad25485278673f5e4f7b8

FAULT_INSTR_CODE:  10488b48

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  fltmgr!FltpCompleteCompletionNode+32

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: fltmgr

IMAGE_NAME:  fltmgr.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4ce7929c

STACK_COMMAND:  .cxr 0xfffff8800964f0c0 ; kb

FAILURE_BUCKET_ID:  X64_0x7E_fltmgr!FltpCompleteCompletionNode+32

BUCKET_ID:  X64_0x7E_fltmgr!FltpCompleteCompletionNode+32

PRIMARY_PROBLEM_CLASS:  X64_0x7E_fltmgr!FltpCompleteCompletionNode+32

TARGET_TIME:  2017-10-31T21:55:50.000Z

OSBUILD:  7601

OSSERVICEPACK:  1000

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 7

OSEDITION:  Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2017-09-13 16:55:13

BUILDDATESTAMP_STR:  170913-0600

BUILDLAB_STR:  win7sp1_ldr

BUILDOSVER_STR:  6.1.7601.23915.amd64fre.win7sp1_ldr.170913-0600

ANALYSIS_SESSION_ELAPSED_TIME: 4ef

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:x64_0x7e_fltmgr!fltpcompletecompletionnode+32

FAILURE_ID_HASH:  {24880b1e-7557-860c-a16f-2fd44f3a308e}

Followup:     MachineOwner
---------

2: kd> lmvm fltmgr
Browse full module list
start             end                 module name
fffff880`014bb000 fffff880`01507000   fltmgr     (pdb symbols)          C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym\fltMgr.pdb\A008BBBF87CC421FA0E568076A16F4BA2\fltMgr.pdb
    Loaded symbol image file: fltmgr.sys
    Image path: \SystemRoot\system32\drivers\fltmgr.sys
    Image name: fltmgr.sys
    Browse all global symbols  functions  data
    Timestamp:        Sat Nov 20 10:19:24 2010 (4CE7929C)
    CheckSum:         0005452D
    ImageSize:        0004C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

 

Share this post


Link to post
Share on other sites

Hi @denial- thanks for providing this information. I'd like to ask a couple of followup questions if I may.

Does this only happen when playing Call of Duty?

Are there any unusual installation characteristics for CoD or your OS in general?

Would you mind running one more diagnostic tool for us?

Create and obtain Farbar Recovery Scan Tool (FRST) logs

  1. Download FRST and save it to your desktop
    Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
  2. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
  3. Press the "Scan" button
  4. This will product two files in the same location (directory) as FRST: FRST.txt and Addition.txt

Please attach those files in reply. I'll provide all this information to our developers.

Share this post


Link to post
Share on other sites

Hello,

i'm not aware of anything unusual possibly related ...

Yes, so far it happens only with CoD:MW3. It was working well ~2 days ago when i played it last time.

Thanks

 

FRST.zip

Share this post


Link to post
Share on other sites

Hello,

 

I would like to +1 this issue with the new update.

There are ~20 developers in my office and we all use MBARW for sometime now.

Yesterday, everyone in my office started getting BSODs at what seemed to be random times (by analyzing the logs in "C:\ProgramData\Malwarebytes\MB3Service\logs", we later realized that it was because we've received the update at different times).

We debugged the issue to be a conflict between the Microsoft C# compiler (csc.exe) and the MB3service.

NOTE: all of us got a different BSOD messages and since our PCs crashed multiple times before we found the problem, I can confirm that the BSOD message was always random, even when we did multiple tests on the same PC.

 

Best regards,

J

Share this post


Link to post
Share on other sites

@JohnSmith1- can you confirm what version you are using? What is shown in the title bar of Malwarebytes Anti-Ransomware?


Can you provide a Complete memory dump from any or several of the systems affected?

Edited by tetonbob

Share this post


Link to post
Share on other sites

@JohnSmith1 - a couple of additional questions.

What type(s) of activities were being performed at the time of the BSOD on your team's machines?

If you add an exclusion for the csc.exe or it's parent folder, does that alleviate the issue?

Share this post


Link to post
Share on other sites

I am also having this issue. Starting this morning (when restarting my computer for the first time in weeks) I consistently get a BSOD when trying to start Sybase SQL Anywhere 11. It gives stop code 0x0000007E and points to fltmgr.sys. After having this happen several times, I remembered the last time I was getting BSODs it was the anti-ransomware that was at fault. So I turned it off and that fixed the problem, meaning it's once again the culprit.

It is version 0.9.18.797-1.1.117

Edited by atariguy
added mbarw version

Share this post


Link to post
Share on other sites
5 hours ago, hmartinez said:

@JohnSmith1 - Which OS (and 32 / 64 bits) and which version of csc.exe are you using? 

Thank you.

We are using Windows 10 Enterprise (64-bit) version 1709 (16299.19).

csc.exe is version 4.7.2556.0

Unfortunately, I could get permission to upload any dump file anywhere. I apologize for this.

Share this post


Link to post
Share on other sites

@JohnSmith1 - Thanks, we understand about the crash dump.

It looks like you've provided the version of a .Net install. In the Visual Studio Command Prompt you use, can you run this command and tell us the resulting output?

 

csc /version

 

Thank you.

Share this post


Link to post
Share on other sites
11 minutes ago, tetonbob said:

@JohnSmith1 - Thanks, we understand about the crash dump.

It looks like you've provided the version of a .Net install. In the Visual Studio Command Prompt you use, can you run this command and tell us the resulting output?

 

csc /version

 

Thank you.

**********************************************************************
** Visual Studio 2017 Developer Command Prompt v15.4.2
** Copyright (c) 2017 Microsoft Corporation
**********************************************************************

C:\Windows\System32>csc /version
2.4.0.62225 (f0cdbe92)

Share this post


Link to post
Share on other sites
6 hours ago, tetonbob said:

@JohnSmith1 - a couple of additional questions.

What type(s) of activities were being performed at the time of the BSOD on your team's machines?

If you add an exclusion for the csc.exe or it's parent folder, does that alleviate the issue?

At the time of the BSOD, our project was being navigated for the first time after re-building in Visual Studio and deleting the temporary ASP.NET files (at which point the IIS is starting to generate the temporary files needed).

I cannot really test the exclusion right now, if I have the time, I'll try and do it tomorrow.

NOTE: this only happens with our largest solution (100+ .csproj projects) and does not happen with several other smaller ones.

Share this post


Link to post
Share on other sites

Great, thanks.

This is likely interrupting your workflow, so we understand the impact of trying additional troubleshooting steps.  Thank you.

And if that ultimately is not possible for you, please note:

We've stopped delivering the Component Update package 1.1.117 pending further investigation. To revert to the previous Component Update Package, uninstall MBARW and reinstall. It will pick up Component Update Package 1.1.100

 

 

Share this post


Link to post
Share on other sites
9 minutes ago, tetonbob said:

Great, thanks.

This is likely interrupting your workflow, so we understand the impact of trying additional troubleshooting steps.  Thank you.

And if that ultimately is not possible for you, please note:

We've stopped delivering the Component Update package 1.1.117 pending further investigation. To revert to the previous Component Update Package, uninstall MBARW and reinstall. It will pick up Component Update Package 1.1.100

 

 

Thanks!

BTW, adding exclusions as shown in the attached file, does not solve the problem.

 

Best Regards,

J

exclusions.png

Share this post


Link to post
Share on other sites
7 minutes ago, tetonbob said:

@JohnSmith1-

Would it be possible to send via Private Message, the .arw files from an affected machine?

They would be located here:

C:\ProgramData\Malwarebytes\MB3Service\ARW

I've just left my office, I'll either do it tonight or tomorrow morning.

Best regards,

J

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.