Archive for January 9, 2011

Random STOP (BSOD) crashes with Forefront Endpoint Protection and App-V 4.5


You may receive random STOP (BSOD) crashes with Forefront Endpoint Protection and App-V 4.5 and later. The frequency increases with Virtualized Outlook 2007.

The problem is caused indirectly by Forefront, but Forefront is not entirely at fault here. If you have Forefront Endpoint Protection installed and exclude neither PST nor PKG files from Forefront real-time scanning, you might run into this issue.

This is difficult to nail down because of the nature of the STOP error. The STOP 0xDF bugcheck is referenced here:

MSDN: http://msdn.microsoft.com/en-us/library/ms854947.aspx

Explanation: This Stop message occurs when a user-mode subsystem, such as Winlogon or the Client Server Runtime Subsystem (CSRSS), is seriously compromised and security can no longer be guaranteed. The operating system switches into kernel-mode and generates this error. Because Windows 2000 cannot run without Winlogon or CSRSS, this is one of the few situations where the failure of a user-mode service can shut down the system. Running the kernel debugger is not useful in this situation because the actual error occurred in a user-mode process. Because this Stop message occurs in a user-mode process, the most common culprits are third-party applications. Other common causes of this message are the installation of a new or updated device driver, or system service. Mismatched system files can also cause this error. Running a full system restore from tape might generate this error, because some restore programs might skip restoring system files they determine are in use.

With Windows XP, Forefront hooks in through GINA chaining and user-mode hooking, and so does App-V 4.5 and later. If Forefront is scanning PKG files and PSTs are going to them, this creates a nightmare scenario for functionality unless PKGs and PSTs are excluded from FCS.

PLEASE NOTE: This problem only occurs on Windows XP with FCS and App-V installed. It has only been reproduced with that configuration. The only application we could get to reproduce it virtually was Outlook, and that was with PSTs inside of PKG files (not recommended) or server-based PSTs (also not recommended).

The only resolution for this is to ensure you create exclusions for PST and PKG files in Forefront. Please refer to this link for instructions on how to do this:

http://technet.microsoft.com/en-us/library/bb418942.aspx

Categories: App-V