Community Help Hub

Deanpj · ‎08-16-2018

The August critical update was released to the estate yesterday and since then some servers are bugchecking and rebooting randomly. Previously they were on the July update and were stable. Bug check is pointing at issue with mfencbdc.sys

We just use the core platform and threat modules.

Servers are both physical and virtual and mainly 2008 R2 so far.

Is this a known issue ? Any fix short of uninstalling ENS and going back to July build ?

BenEllis · ‎08-16-2018

Please make sure you get a full memory dump and am trace and open a case with support. I am not a ware of BSOD with the august update.

BenJamin Ellis

Deanpj · ‎08-16-2018

am trace ?

BenEllis · ‎08-16-2018

https://kc.mcafee.com/corporate/index?page=content&id=KB86691

Sorry i mispoke.

Perform the steps in this section if the symptoms are any of the following:

System hang or deadlock
System BugCheck (blue screen)

Data collection steps for a system hang or deadlock:

Configure the system to create a full memory.dmp. See KB56023.
Configure the system to allow for a keyboard crash. See https://msdn.microsoft.com/en-us/library/windows/hardware/ff545499%28v=vs.85%29.aspx.
Create the dump file when the issue occurs. Generally speaking, the longer you can wait before generating the dump file, the easier it is to identify the hang condition in the dump.

Data collection steps for a system BugCheck:

Configure the system to create a full memory.dmp. See KB56023.
Collect the full dump file when the system BugCheck (blue screen) occurs.

Data collection steps for FLTMC output:

Open an administrative command prompt.
Type fltmc.
Collect the output from the fltmc command.

BenJamin Ellis

jess_arman · ‎08-16-2018

@Deanpj Do you also use CrowdStrike software on these servers? There is a known issue within CrowdStrike that negatively impacts our AMCore drivers during installation, causing a BSOD referencing mfencbdc.sys. This is documented in our known issues article KB82450 and can be found by searching "mfencbdc.sys" or "CrowdStrike".

There is a hotfix from CrowdStrike that resolves this issue, so please apply that and your issues will resolve (if you do use this 3rd party software). I am unaware of the exact hotfix number as it is on their side, however, you would easily be able to get information from them about it.

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please give kudos or select "Accept as Solution" in my reply, as appropriate, so together we can help other members?

Deanpj · ‎08-16-2018

Thanks Jess

we do not use Crowdstrike on this particular account where this is happening. and the install/August patch update actually ran fine - it was only about 10 hours later the blue screens happened. As all live server systems have had to remove August ENS on affected machines and roll back to July version to keep the customer service going. Waiting to see if any more machines fail at moment. We have one full bugcheck file but checking with security teams if we are allowed to release it.

BenEllis · ‎08-16-2018

Do you have exploit prevention and DXL installed? if so please disable exploit prevention and see if it helps

BenJamin Ellis

Deanpj · ‎08-20-2018

Waiting to see if we get any more. So far 4 out of 22 systems blue screened following the August update. All 4 rolled back to July update and stable again. All Server 2008 r2, 3 physical and one virtual.

Yes we do use exploit prevention - will disable if get another BSOD. No we don't use DXL.

Being a live environment can't mess about too much as need to keep the servers going for the client.

Basically just wanted to flag that the August update caused us some issues. May June and July were all fine.

teaston1 · ‎08-20-2018

To answer your question, yes I have seen BSOD issues with the August Update. I'm actively working with engineering on one of these issues discovered last Friday. The issue appears to be happening on both 2008 and 2012 servers.

In order to know if it's absolutely the same issue or not, you'd need to collect the Kernel/Full Memory dump as indicated by Ben and a MER from the system, then open a ticket with Support so we can investigate further.

Offhand it does look like it may be related to mfencbdc.sys

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.

FOLLOWUP_IP: 
mfencbdc

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

Former Member · ‎08-23-2018

Dear All,

I have exactly the same issue affecting both Windows 7 and Windows 10 but seems to be laptop essentially (Lenovo).

I've refrained updating Servers for the time being until a solution is provided by McAfee.

What a mess, I have to rollback to 10.5.2 on impacted machines.

I have exactly the same bugcheck error on all machines impacted, see below.

STOP Error: The bugcheck was: 0x0000003b (0x00000000c0000005, 0xfffff800017b70f3.

I've already raised the case to a local service provider and posted them full memory dump + Mer.

can we expect a fix anytime soon, as I'm affraid to have to rollback more than 100 machines 😞

Thanks.

WIS-GSD

ENS 10.5.4 August Update -Random bugcheck/reboot

August update

ENS 10.5.4

Re: ENS 10.5.4 August Update -Random bugcheck/reboot

Re: ENS 10.5.4 August Update -Random bugcheck/reboot

Re: ENS 10.5.4 August Update -Random bugcheck/reboot

Re: ENS 10.5.4 August Update -Random bugcheck/reboot

Re: ENS 10.5.4 August Update -Random bugcheck/reboot

Re: ENS 10.5.4 August Update -Random bugcheck/reboot

Re: ENS 10.5.4 August Update -Random bugcheck/reboot

Re: ENS 10.5.4 August Update -Random bugcheck/reboot

Re: ENS 10.5.4 August Update -Random bugcheck/reboot

Community Help Hub

Join the Community