Deanpj
Level 8
Message 1 of 15

ENS 10.5.4 August Update -Random bugcheck/reboot

The August critical update was released to the estate yesterday and since then some servers are bugchecking and rebooting randomly. Previously they were on the July update and were stable. Bug check is pointing at an issue with mfencbdc.sys

We just use the core platform and threat modules.

Servers are both physical and virtual and mainly 2008 R2 so far.

Is this a known issue? Any fix short of uninstalling ENS and going back to the July build?

14 Replies
McAfee Employee BEllis
Message 2 of 15

Re: ENS 10.5.4 August Update -Random bugcheck/reboot

Please make sure you get a full memory dump and am trace and open a case with support. I am not aware of a BSOD with the August update.

McAfee Support

Benjamin Ellis

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Deanpj
Level 8
Message 3 of 15

Re: ENS 10.5.4 August Update -Random bugcheck/reboot

am trace?

McAfee Employee BEllis
Message 4 of 15

Re: ENS 10.5.4 August Update -Random bugcheck/reboot

https://kc.mcafee.com/corporate/index?page=content&id=KB86691

Sorry, I misspoke.

 

Perform the steps in this section if the symptoms are any of the following:

  • System hang or deadlock
  • System BugCheck (blue screen)

Data collection steps for a system hang or deadlock:

  1. Configure the system to create a full memory.dmp. See KB56023.
  2. Configure the system to allow for a keyboard crash. See https://msdn.microsoft.com/en-us/library/windows/hardware/ff545499%28v=vs.85%29.aspx.
  3. Create the dump file when the issue occurs. Generally speaking, the longer you can wait before generating the dump file, the easier it is to identify the hang condition in the dump.

Data collection steps for a system BugCheck:

  1. Configure the system to create a full memory.dmp. See KB56023.
  2. Collect the full dump file when the system BugCheck (blue screen) occurs.

Data collection steps for FLTMC output:

  1. Open an administrative command prompt.
  2. Type fltmc.
  3. Collect the output from the fltmc command.

McAfee Support

Benjamin Ellis
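
The data collection steps in the reply above, as an added example (not McAfee's tooling and not taken from the KB articles): a read-only check that the server is ready to write a full memory dump, plus a capture of the `fltmc` output. The registry value names are the standard Windows crash-control settings; the output folder is an assumption.

```powershell
# Added example: read-only pre-flight check plus fltmc capture.
# Run from an elevated prompt; fltmc needs administrator rights.
$outDir = 'C:\Temp\ens-bugcheck'   # assumed output folder, change as needed
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Dump type is stored in CrashControl\CrashDumpEnabled.
$cc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$names = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }
$dumpType = $names[[int]$cc.CrashDumpEnabled]
if (-not $dumpType) { $dumpType = "Unknown ($($cc.CrashDumpEnabled))" }

# A complete dump needs a page file at least as large as physical RAM.
# This sums all page files; the one on the boot volume is what matters.
$ramMB  = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$pageMB = (Get-WmiObject Win32_PageFileUsage |
           Measure-Object AllocatedBaseSize -Sum).Sum

# Keyboard-initiated crash for hangs: CrashOnCtrlScroll = 1 under the
# PS/2 (i8042prt) and/or USB (kbdhid) keyboard driver parameters.
$kbdCrash = $false
foreach ($svc in 'i8042prt', 'kbdhid') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    $p = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if ($p -and $p.CrashOnCtrlScroll -eq 1) { $kbdCrash = $true }
}

# Loaded file-system filter drivers, saved for the support case.
$fltFile = Join-Path $outDir 'fltmc.txt'
& fltmc.exe | Out-File -FilePath $fltFile -Encoding ASCII

$report = New-Object PSObject -Property @{
    DumpType      = $dumpType
    DumpFile      = $cc.DumpFile
    RamMB         = $ramMB
    PageFileMB    = $pageMB
    KeyboardCrash = $kbdCrash
    FltmcOutput   = $fltFile
}
$report | Format-List DumpType, DumpFile, RamMB, PageFileMB, KeyboardCrash, FltmcOutput

if ($dumpType -ne 'Complete') {
    Write-Warning "Dump type is '$dumpType'; a full memory.dmp will not be written."
}
if ($pageMB -lt $ramMB) {
    Write-Warning "Page file ($pageMB MB) is smaller than RAM ($ramMB MB); a complete dump may fail."
}
if (-not $kbdCrash) {
    Write-Warning 'Keyboard crash is not enabled; needed only for the hang/deadlock case.'
}
```

The script changes no settings; a change to the dump type or keyboard crash value only takes effect after a reboot.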


McAfee Employee jess_arman
Message 5 of 15

Re: ENS 10.5.4 August Update -Random bugcheck/reboot

@Deanpj Do you also use CrowdStrike software on these servers? There is a known issue within CrowdStrike that negatively impacts our AMCore drivers during installation, causing a BSOD referencing mfencbdc.sys. This is documented in our known issues article KB82450 and can be found by searching "mfencbdc.sys" or "CrowdStrike".

There is a hotfix from CrowdStrike that resolves this issue, so please apply that and your issues will resolve (if you do use this 3rd party software). I am unaware of the exact hotfix number as it is on their side, however, you would easily be able to get information from them about it. 

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please give kudos or select "Accept as Solution" in my reply, as appropriate, so together we can help other members?

Deanpj
Level 8
Message 6 of 15

Re: ENS 10.5.4 August Update -Random bugcheck/reboot

Thanks Jess

We do not use CrowdStrike on this particular account where this is happening, and the install/August patch update actually ran fine - it was only about 10 hours later the blue screens happened. As all live server systems have had to remove August ENS on affected machines and roll back to July version to keep the customer service going. Waiting to see if any more machines fail at the moment. We have one full bugcheck file but are checking with security teams if we are allowed to release it.

 

McAfee Employee BEllis
Message 7 of 15

Re: ENS 10.5.4 August Update -Random bugcheck/reboot

Do you have exploit prevention and DXL installed? If so, please disable exploit prevention and see if it helps.

McAfee Support

Benjamin Ellis


Deanpj
Level 8
Message 8 of 15

Re: ENS 10.5.4 August Update -Random bugcheck/reboot

Waiting to see if we get any more. So far 4 out of 22 systems blue screened following the August update. All 4 rolled back to July update and stable again. All Server 2008 R2, 3 physical and one virtual.

Yes we do use exploit prevention - will disable if get another BSOD. No we don't use DXL.

Being a live environment can't mess about too much as need to keep the servers going for the client.

Basically just wanted to flag that the August update caused us some issues. May, June and July were all fine.

McAfee Employee teaston1
Message 9 of 15

Re: ENS 10.5.4 August Update -Random bugcheck/reboot

To answer your question, yes I have seen BSOD issues with the August Update. I'm actively working with engineering on one of these issues discovered last Friday. The issue appears to be happening on both 2008 and 2012 servers.

In order to know if it's absolutely the same issue or not, you'd need to collect the Kernel/Full Memory dump as indicated by Ben and a MER from the system, then open a ticket with Support so we can investigate further.

 

Offhand it does look like it may be related to mfencbdc.sys

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
FOLLOWUP_IP: 
mfencbdc
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

 

 

Re: ENS 10.5.4 August Update -Random bugcheck/reboot

Dear All,


I have exactly the same issue affecting both Windows 7 and Windows 10, but it seems to be essentially laptops (Lenovo).

I've refrained from updating servers for the time being until a solution is provided by McAfee.

What a mess, I have to roll back to 10.5.2 on impacted machines.

I have exactly the same bugcheck error on all machines impacted, see below.

STOP Error: The bugcheck was: 0x0000003b (0x00000000c0000005, 0xfffff800017b70f3.

I've already raised the case to a local service provider and posted them full memory dump + MER.

Can we expect a fix anytime soon, as I'm afraid I'll have to roll back more than 100 machines 😞

Thanks.

WIS-GSD
