Wednesday, December 24, 2008

Cyberarmor viexpf2k.sys conflicts with MS's Driver Verifier

I had a BSOD (Blue Screen of Death) on my Windows XP laptop today. It freaked me out, as I didn't remember changing any system configuration recently, so I thought it might be a virus. I've extracted the juicy part of the BSOD message below:

--------------------------------------------------------------------
Technical information:

*** STOP: 0x000000c9 (0x00000007, 0xA8655492, 0x8ADACF68, 0x00000000)

*** viexpf2k.sys - Address A8655492 base at A8655000, DateStamp 4372d07b

Beginning dump of physical memory
--------------------------------------------------------------------

A little googling shows that "viexpf2k.sys" is either malware or a driver from CyberArmor. I have the CyberArmor firewall (Corporate version) installed, so I investigated from this angle. But just in case, I also ran DrWeb's CureIt antivirus.

At first, I couldn't get into Safe Mode, as it got stuck during the driver-loading phase. But CHKDSK popped up after a few hard reboots, and Safe Mode booted fine after the disk check.

For some reason, my laptop didn't generate any dump file (company policy; I have no direct control over it), so I could not confirm my suspicion with WinDbg. I had to do it the "hacker" way: I renamed "viexpf2k.sys" to "~viexpf2k.sys" in both "C:\Program Files\CyberArmor" and "C:\WINDOWS\system32\drivers", after which XP booted normally, but without CyberArmor.

So it's confirmed that CyberArmor is the problem, but why? More googling shows stop code C9 to be DRIVER_VERIFIER_IOMANAGER_VIOLATION, and it hit me: I must have turned on Microsoft's Driver Verifier by mistake yesterday while researching kernel dump debugging.
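As an added illustration (not from the original post), here is a small Python parser for the "Technical information" block of an XP stop screen. It pulls out the stop code and its four parameters, flags the codes that only Driver Verifier raises, and turns the reported address/base pair into an image-relative offset and the DateStamp into a build date. The Verifier stop-code table, the contrast table of ordinary bug checks, and the second sample (a made-up `example.sys` crash with invented addresses) are my additions; the first sample is the text quoted above.

```python
import re
from datetime import datetime, timezone

# Stop codes that only Driver Verifier raises. Seeing one of these means
# Verifier is enabled and faulted the named driver deliberately; on its own
# it is not evidence of malware or failing hardware.
VERIFIER_STOP_CODES = {
    0xC1: "SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION",
    0xC4: "DRIVER_VERIFIER_DETECTED_VIOLATION",
    0xC6: "DRIVER_CAUGHT_MODIFYING_FREED_POOL",
    0xC9: "DRIVER_VERIFIER_IOMANAGER_VIOLATION",
    0xE6: "DRIVER_VERIFIER_DMA_VIOLATION",
}

# A few ordinary bug checks, for contrast; these fire with Verifier off too.
OTHER_STOP_CODES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}

HEX = r"([0-9A-Fa-f]+)"
STOP_RE = re.compile(
    r"STOP:\s*0x" + HEX + r"\s*\(\s*0x" + HEX + r"\s*,\s*0x" + HEX
    + r"\s*,\s*0x" + HEX + r"\s*,\s*0x" + HEX + r"\s*\)"
)
MODULE_RE = re.compile(
    r"(\S+\.sys)\s*-\s*Address\s+" + HEX + r"\s+base\s+at\s+" + HEX
    + r"\s*,\s*DateStamp\s+" + HEX
)


def parse_bsod(text):
    """Parse the 'Technical information' block of an XP stop screen."""
    m = STOP_RE.search(text)
    if not m:
        raise ValueError("no STOP line found")
    code = int(m.group(1), 16)
    info = {
        "stop_code": code,
        "params": [int(p, 16) for p in m.groups()[1:]],
        "name": VERIFIER_STOP_CODES.get(code) or OTHER_STOP_CODES.get(code),
        "verifier": code in VERIFIER_STOP_CODES,
        "module": None,
    }
    mm = MODULE_RE.search(text)
    if mm:
        addr, base, stamp = (int(x, 16) for x in mm.group(2, 3, 4))
        if addr < base:
            raise ValueError("faulting address lies below the module base")
        info["module"] = {
            "name": mm.group(1),
            "address": addr,
            "base": base,
            # Image-relative offset: the load address changes between boots,
            # the offset does not, so this is what you look up in WinDbg
            # (e.g. 'u viexpf2k+0x492') or match against the driver's map file.
            "offset": addr - base,
            # A PE TimeDateStamp is seconds since the Unix epoch.
            "datestamp_utc": datetime.fromtimestamp(stamp, timezone.utc)
                .strftime("%Y-%m-%d %H:%M:%S UTC"),
        }
    return info


def next_step(info):
    """One-line triage hint: is this Verifier's doing or an ordinary crash?"""
    if info["verifier"]:
        return ("Driver Verifier is on: confirm with 'verifier /querysettings', "
                "then fix or exclude the driver, or clear it with 'verifier /reset'")
    return "ordinary bug check: analyse the dump before blaming the driver"


# Sample 1: the stop screen quoted in the post above.
SAMPLE_C9 = """
Technical information:

*** STOP: 0x000000c9 (0x00000007, 0xA8655492, 0x8ADACF68, 0x00000000)

*** viexpf2k.sys - Address A8655492 base at A8655000, DateStamp 4372d07b

Beginning dump of physical memory
"""

# Sample 2: a constructed non-Verifier crash with made-up addresses.
SAMPLE_D1 = """
*** STOP: 0x000000d1 (0x00000010, 0x00000002, 0x00000000, 0xF7A1C3E4)

*** example.sys - Address F7A1C3E4 base at F7A1A000, DateStamp 41107b3c
"""


def analyze_sample():
    return parse_bsod(SAMPLE_C9)


if __name__ == "__main__":
    for sample in (SAMPLE_C9, SAMPLE_D1):
        info = parse_bsod(sample)
        mod = info["module"]
        print(f"0x{info['stop_code']:08X} {info['name']}: "
              f"{mod['name']}+0x{mod['offset']:X} built {mod['datestamp_utc']}")
        print("  ->", next_step(info))
```

Run as a script it reports `viexpf2k.sys+0x492` with a November 2005 build date and the Verifier hint for the first sample, and the "ordinary bug check" hint for the second. The `verifier` flag is the shortcut the post reaches by trial and error: a stop code in the 0xC1/0xC4/0xC6/0xC9/0xE6 family says the crash was induced by Driver Verifier, so `verifier /querysettings` is the first thing to check, before renaming drivers or hunting for malware.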

So I restored "viexpf2k.sys" and ran:

C:> verifier /reset

Voila! Everything's back to normal after a reboot.
