I've encountered some BSOD issues on 4 different computers using 2 different versions of Forticlient.
At first I thought it was driver related, after opening the BSOD memory dump again and taking a fresh look I found out
Panda Dome is conflicting with Forticlient. When Forticlient would load (appear in system tray) it would bluescreen because of NDIS.sys.
Took me a while to figure out since after installing new network drivers the BSOD didn't come when Forticlient started, but at some random time later on.
Maybe there were actually 2 problems, both the drivers and Panda AV.
I've uninstalled Panda Dome and so far no BSOD. I will update if I get another one, but I doubt it will happen again.
BSOD Dump:
Microsoft (R) Windows Debugger Version 10.0.17074.1002 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 16299 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 16299.15.amd64fre.rs3_release.170928-1534
Machine Name:
Kernel base = 0xfffff800`ff489000 PsLoadedModuleList = 0xfffff800`ff7ef070
Debug session time: Tue Apr 17 09:36:31.013 2018 (UTC - 4:00)
System Uptime: 0 days 16:21:54.383
Loading Kernel Symbols
...............................................................
................................................................
................................................................
......................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 0000003b`473e9018). Type ".hh dbgerr001" for details
Loading unloaded module list
........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {80, 2, 0, fffff80a32b94a65}
*** ERROR: Module load completed but symbols could not be loaded for NNSNAHSL.sys
*** ERROR: Module load completed but symbols could not be loaded for FortiFilter.sys
Page 62e1 not present in the dump file. Type ".hh dbgerr004" for details
Page 62e1 not present in the dump file. Type ".hh dbgerr004" for details
*** ERROR: Module load completed but symbols could not be loaded for e1d65x64.sys
Probably caused by : NNSNAHSL.sys ( NNSNAHSL+2497 )
Followup: MachineOwner
---------
nt!KeBugCheckEx:
fffff800`ff5fe930 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:fffff801`023ad8c0=000000000000000a
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000080, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff80a32b94a65, address which referenced memory
Debugging Details:
------------------
KEY_VALUES_STRING: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 16299.15.amd64fre.rs3_release.170928-1534
SYSTEM_MANUFACTURER: Dell Inc.
SYSTEM_PRODUCT_NAME: Latitude 5580
SYSTEM_SKU: 07A8
BIOS_VENDOR: Dell Inc.
BIOS_VERSION: 1.8.2
BIOS_DATE: 01/30/2018
BASEBOARD_MANUFACTURER: Dell Inc.
BASEBOARD_PRODUCT: 0CMYFT
BASEBOARD_VERSION: A00
DUMP_TYPE: 1
BUGCHECK_P1: 80
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff80a32b94a65
READ_ADDRESS: 0000000000000080
CURRENT_IRQL: 2
FAULTING_IP:
ndis!ndisMTopReceiveNetBufferLists+15
fffff80a`32b94a65 f7828000000000800000 test dword ptr [rdx+80h],8000h
CPU_COUNT: 4
CPU_MHZ: a98
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 8e
CPU_STEPPING: 9
CPU_MICROCODE: 6,8e,9,0 (F,M,S,R) SIG: 84'00000000 (cache) 84'00000000 (init)
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXPNP: 1 (!blackboxpnp)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: CompatTelRunner.exe
ANALYSIS_SESSION_HOST: DESKTOP-CXC-TI
ANALYSIS_SESSION_TIME: 04-17-2018 16:05:52.0973
ANALYSIS_VERSION: 10.0.17074.1002 amd64fre
DPC_STACK_BASE: FFFFF801023AEFB0
TRAP_FRAME: fffff801023ada00 -- (.trap 0xfffff801023ada00)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff801023adc88 rbx=0000000000000000 rcx=ffffca8e1e3681a0
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80a32b94a65 rsp=fffff801023adb90 rbp=fffff801023add11
r8=0000000000000000 r9=00000000ffffffe2 r10=0000000000000001
r11=ffffca8e1ebee701 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
ndis!ndisMTopReceiveNetBufferLists+0x15:
fffff80a`32b94a65 f7828000000000800000 test dword ptr [rdx+80h],8000h ds:00000000`00000080=????????
Resetting default scope
EXCEPTION_RECORD: ffffca8e236d1080 -- (.exr 0xffffca8e236d1080)
ExceptionAddress: ffffca8e236d1088
ExceptionCode: 00200006
ExceptionFlags: 00000000
NumberParameters: 0
LAST_CONTROL_TRANSFER: from fffff800ff610ae9 to fffff800ff5fe930
STACK_TEXT:
fffff801`023ad8b8 fffff800`ff610ae9 : 00000000`0000000a 00000000`00000080 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff801`023ad8c0 fffff800`ff60d1fe : ffffca8e`1f6d5a32 fffff80a`362f620f 00000000`00000000 fffff800`ff7362c8 : nt!KiBugCheckDispatch+0x69
fffff801`023ada00 fffff80a`32b94a65 : ffffca8e`1459b0f0 00000000`00000000 00000000`00000000 fffff801`00000000 : nt!KiPageFault+0x47e
fffff801`023adb90 fffff80a`32bd9bb7 : ffffca8e`1e3681a0 fffff801`023adee8 ffffca8e`14cef030 00000000`00000000 : ndis!ndisMTopReceiveNetBufferLists+0x15
fffff801`023adc90 fffff80a`32bb327c : 00000000`00000002 ffffca8e`1ebe6660 00000000`00000000 ffffca8e`23355e70 : ndis!ndisInvokeNextReceiveHandler+0x4b
fffff801`023add60 fffff80a`32b97c1f : ffffca8e`1ebe6660 00000000`00000000 00000000`00000000 ffffca8e`ffffffe2 : ndis!ndisFilterIndicateReceiveNetBufferLists+0x1b63c
fffff801`023ade00 fffff80a`36022497 : ffffca8e`1ebe3010 00000000`00000000 ffffca8e`1ebe3078 ffffca8e`138c2001 : ndis!NdisFIndicateReceiveNetBufferLists+0x3f
fffff801`023ade40 fffff80a`32b95583 : 00000000`01000001 00000000`00000000 00000000`00000000 fffff800`ffffffe2 : NNSNAHSL+0x2497
fffff801`023aded0 fffff80a`32b92dbe : 00000000`00000fff 00000000`00001001 00000000`00000000 fffff800`ff823988 : ndis!ndisCallReceiveHandler+0x43
fffff801`023adf20 fffff800`ff5197fb : fffff801`023ae081 fffff801`023ae068 ffffca8e`1ebe87c0 ffffca8e`1e9cf2c0 : ndis!ndisDataPathExpandStackCallback+0x3e
fffff801`023adf70 fffff800`ff51975d : ffffca8e`1e9cf2c0 00000000`00000002 ffffca8e`1ebe6660 ffffca8e`1e9cf2c0 : nt!KeExpandKernelStackAndCalloutInternal+0x8b
fffff801`023adfc0 fffff80a`32bd9e12 : ffffca8e`20cde460 fffff800`00000cfc 00000000`00000000 00000000`00001000 : nt!KeExpandKernelStackAndCalloutEx+0x1d
fffff801`023ae000 fffff80a`32bb327c : 00000000`00000002 ffffca8e`1ebe8c60 00000000`00000000 fffff80a`32bcca3e : ndis!ndisInvokeNextReceiveHandler+0x2a6
fffff801`023ae0d0 fffff80a`32b97c1f : ffffca8e`1ebe8c60 ffffca8e`1e9cf2c0 ffffca8e`00000000 ffffca8e`00000001 : ndis!ndisFilterIndicateReceiveNetBufferLists+0x1b63c
fffff801`023ae170 fffff80a`36041d11 : 00000000`00000000 ffffca8e`1ebe6010 ffffca8e`1ebe6a40 00000000`000005ea : ndis!NdisFIndicateReceiveNetBufferLists+0x3f
fffff801`023ae1b0 fffff80a`32b95583 : fffff80a`36041b9c fffff801`023ae3c1 00000000`00000000 fffff80a`32b92d80 : FortiFilter+0x1d11
fffff801`023ae210 fffff80a`32b92dbe : ffffca8e`20ceba50 fffff80a`33041751 ffffca8e`20ceba80 00000000`00000000 : ndis!ndisCallReceiveHandler+0x43
fffff801`023ae260 fffff800`ff5197fb : fffff801`023ae3c1 fffff801`023ae3a8 ffffca8e`1ea21480 ffffca8e`1e9cf2c0 : ndis!ndisDataPathExpandStackCallback+0x3e
fffff801`023ae2b0 fffff800`ff51975d : ffffca8e`1e9cf2c0 00000000`00000002 ffffca8e`1ebe8c60 ffffca8e`1e9cf2c0 : nt!KeExpandKernelStackAndCalloutInternal+0x8b
fffff801`023ae300 fffff80a`32bd9e12 : ffffca8e`216c0a40 00000000`00000000 fffff800`fe711a90 00000000`00000000 : nt!KeExpandKernelStackAndCalloutEx+0x1d
fffff801`023ae340 fffff80a`32bb327c : 00000000`00000002 ffffca8e`1dd2c6f0 00000000`00000000 fffff801`023ae489 : ndis!ndisInvokeNextReceiveHandler+0x2a6
fffff801`023ae410 fffff80a`32b97c1f : ffffca8e`1dd2c6f0 00000000`0000001f ffffca8e`00000000 00000000`0000001f : ndis!ndisFilterIndicateReceiveNetBufferLists+0x1b63c
fffff801`023ae4b0 fffff80a`330c1177 : 00000000`00000002 fffff801`023ae748 00000000`00000002 00000000`00000000 : ndis!NdisFIndicateReceiveNetBufferLists+0x3f
fffff801`023ae4f0 fffff80a`32b95583 : 00000000`00000000 ffffca8e`1ebe3108 00000000`00000001 fffff80a`3602db61 : wfplwfs!LwfLowerRecvNetBufferLists+0x167
fffff801`023ae650 fffff80a`32b92dbe : ffffca8e`1ebe3010 00000000`00000000 ffffca8e`1ebe3078 00000000`00000000 : ndis!ndisCallReceiveHandler+0x43
fffff801`023ae6a0 fffff800`ff5197fb : fffff801`023ae880 fffff801`023ae840 fffff80a`330c1010 00000000`00398898 : ndis!ndisDataPathExpandStackCallback+0x3e
fffff801`023ae6f0 fffff800`ff51975d : 00000000`00398898 ffffca8e`1e3681a0 ffffca8e`1dd2c6f0 00000000`00000803 : nt!KeExpandKernelStackAndCalloutInternal+0x8b
fffff801`023ae740 fffff80a`32bb1867 : 00000000`00000000 fffff800`ff60581d ffffca8e`148c6bab fffff80a`31911c46 : nt!KeExpandKernelStackAndCalloutEx+0x1d
fffff801`023ae780 fffff80a`389871bf : ffffca8e`1e9cf2c0 00000000`0000000a ffffca8e`1e880080 ffffca8e`1e937290 : ndis!NdisMIndicateReceiveNetBufferLists+0x1d487
fffff801`023ae8f0 fffff80a`389882e3 : ffffca8e`1e937300 ffffca8e`1e87f000 ffffca8e`1e880080 00000000`00000000 : e1d65x64+0x171bf
fffff801`023ae950 fffff80a`3898dd74 : ffffca8e`1dca5820 ffff0001`00000000 ffffffff`ffffff01 fffff801`00000000 : e1d65x64+0x182e3
fffff801`023ae9d0 fffff80a`3898fc4e : ffff0001`00000000 ffff8001`00000000 fffff801`023aead0 00000000`00000000 : e1d65x64+0x1dd74
fffff801`023aea50 fffff80a`3898f1b0 : ffffca8e`1dc73820 ffffca8e`143e7601 ffffca8e`00000000 00000000`00000000 : e1d65x64+0x1fc4e
fffff801`023aeb10 fffff80a`32b8a4cd : ffffca8e`14e52600 ffffba60`f8bcff83 00000000`00000001 fffff801`023aee00 : e1d65x64+0x1f1b0
fffff801`023aeb50 fffff800`ff54ef62 : 00000000`00000000 ffffca8e`1391a000 ffffca8e`14572118 fffff800`00000002 : ndis!ndisInterruptDpc+0x17d
fffff801`023aec70 fffff800`ff54e65f : 00000000`00000016 00000000`00000000 00000000`00286974 fffff800`fdcd0180 : nt!KiExecuteAllDpcs+0x1d2
fffff801`023aedb0 fffff800`ff605e45 : 00000000`00000000 fffff800`fdcd0180 ffffb68a`6fae78f0 ffff8001`95a24c80 : nt!KiRetireDpcList+0xdf
fffff801`023aefb0 fffff800`ff605c50 : 00000000`00000001 fffff800`ff40d356 00000000`00000001 fffff800`ff68f540 : nt!KxRetireDpcList+0x5
ffffb68a`6fae7830 fffff800`ff6034f5 : 00000000`00000140 fffff800`ff600421 ffffca8e`236d1080 fffff800`ff605ef7 : nt!KiDispatchInterruptContinue
ffffb68a`6fae7860 fffff800`ff600421 : ffffca8e`236d1080 fffff800`ff605ef7 fffff800`fdcd0180 000004ed`bd9bbfff : nt!KiDpcInterruptBypass+0x25
ffffb68a`6fae7870 fffff800`ff610389 : ffffca8e`236d1080 00000000`00000000 ffffb68a`6fae79d8 ffffca8e`1f794c40 : nt!KiInterruptDispatch+0xb1
ffffb68a`6fae7a00 00007ffe`b0cd0344 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceUser+0xe1
0000003b`475fa498 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`b0cd0344
THREAD_SHA1_HASH_MOD_FUNC: d543d8e5c32f48533db9b11ce603e1c9849eefa5
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: e255a133bee8b4407d9da6ada5242d602a169523
THREAD_SHA1_HASH_MOD: 0f2f269d9b85d77e6acaa76f7bd51bd93e3cb009
FOLLOWUP_IP:
NNSNAHSL+2497
fffff80a`36022497 488b0d62df0000 mov rcx,qword ptr [NNSNAHSL+0x10400 (fffff80a`36030400)]
FAULT_INSTR_CODE: 620d8b48
SYMBOL_STACK_INDEX: 7
SYMBOL_NAME: NNSNAHSL+2497
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: NNSNAHSL
IMAGE_NAME: NNSNAHSL.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 59ae8b52
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 2497
FAILURE_BUCKET_ID: AV_NNSNAHSL!unknown_function
BUCKET_ID: AV_NNSNAHSL!unknown_function
PRIMARY_PROBLEM_CLASS: AV_NNSNAHSL!unknown_function
TARGET_TIME: 2018-04-17T13:36:31.000Z
OSBUILD: 16299
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2018-03-29 23:22:49
BUILDDATESTAMP_STR: 170928-1534
BUILDLAB_STR: rs3_release
BUILDOSVER_STR: 10.0.16299.15.amd64fre.rs3_release.170928-1534
ANALYSIS_SESSION_ELAPSED_TIME: 115c
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:av_nnsnahsl!unknown_function
FAILURE_ID_HASH: {9bcdfa14-2360-8937-7284-3881cac9288a}
Followup: MachineOwner
---------
0: kd> lmvm NNSNAHSL
Browse full module list
start end module name
fffff80a`36020000 fffff80a`36037000 NNSNAHSL (no symbols)
Loaded symbol image file: NNSNAHSL.sys
Image path: \SystemRoot\system32\DRIVERS\NNSNAHSL.sys
Image name: NNSNAHSL.sys
Browse all global symbols functions data
Timestamp: Tue Sep 5 04:32:34 2017 (59AE8B52)
CheckSum: 0001E603
ImageSize: 00017000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi there,
As forticlient has a build-in AV engine so now you have both forticlient and Panda Dome run in a low level on the same computer. Thus, there could be conflicting on drivers or system calls. So in general, please avoid running more than one anti-virus apps at the same time on the same machine.
Thanks
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.