
Customers who have servers with the agent installed may experience a BSOD caused by the TmUmSnsr64.dll file. This file is part of the Behavior Monitoring module in Apex One.

If you encounter this issue, please refer to the created by Trend Micro. Our initial log analysis indicates that adding C:\Windows\System32\Netsh.exe to the Behavior Monitoring exclusion list may resolve the issue.

According to the case description, servers with the Apex One agent installed were experiencing a BSOD due to TmUmSnsr64.dll. Below is the result of our initial analysis of the provided logs and dump file.

=============Application.evt============= 

Faulting application name: netsh.exe, version: 10.0.22621.1, time stamp: 0x13af0815
Faulting module name: TmUmSnsr64.dll, version: 1.0.0.1125, time stamp: 0x65499262
Exception code: 0xc0000005
Fault offset: 0x00000000000563b3
Faulting process id: 0x0x263c
Faulting application start time: 0x0x1da42d2e4cf2496
Faulting application path: C:\Windows\System32\netsh.exe
Faulting module path: C:\WINDOWS\System32\TmLWE\TmUmSnsr64\1.0.0.1125\TmUmSnsr64.dll
Report Id: 5c40802a-d4b6-4a83-9ddd-1f9d622fbcf3

========================================================================== 

==========netsh.exe.9984.dmp=========== 
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffd5b9463b3 (TmUmSnsr64+0x00000000000563b3)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000071bd12cc
Attempt to write to address 0000000071bd12cc
PROCESS_NAME: netsh.exe
WRITE_ADDRESS: 0000000071bd12cc
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 0000000071bd12cc
STACK_TEXT:
000000f1`a6efeeb0 00000000`71bd12d1 : 00000000`000312b1 00000000`000312b1 00000000`00000000 00000000`71ba0040 : TmUmSnsr64+0x563b3
000000f1`a6efeeb8 00000000`000312b1 : 00000000`000312b1 00000000`00000000 00000000`71ba0040 00007ffd`5b945bbc : tmmon64+0x212d1
000000f1`a6efeec0 00000000`000312b1 : 00000000`00000000 00000000`71ba0040 00007ffd`5b945bbc 00000000`71bd12cc : 0x312b1
000000f1`a6efeec8 00000000`00000000 : 00000000`71ba0040 00007ffd`5b945bbc 00000000`71bd12cc 00000000`71ba0020 : 0x312b1
SYMBOL_NAME: TmUmSnsr64+563b3
MODULE_NAME: TmUmSnsr64
IMAGE_NAME: TmUmSnsr64.dll
STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~4s; .ecxr ; kb
FAILURE_BUCKET_ID: NULL_POINTER_WRITE_c0000005_TmUmSnsr64.dll!Unknown
BUCKET_ID_MODPRIVATE: 1
OS_VERSION: 10.0.22621.1
BUILDLAB_STR: ni_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
IMAGE_VERSION: 1.0.0.1125
FAILURE_ID_HASH: {7f8b11bc-2a3e-df0f-8d4e-afd3ccea688d}

====================================================



Analysis: It seems that netsh.exe was crashing due to TmUmSnsr64.dll, which is part of the Behavior Monitoring module.

[Next Action Plan]
1. Add C:\Windows\System32\Netsh.exe to the Behavior Monitoring exclusion list.
2. Deploy the changes to the affected server and monitor whether the issue is resolved.
3. If the issue still persists after adding the affected file to the exclusion list, collect another set of CDT logs and a dump file and provide them to Trend Micro Support.
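To support the monitoring in step 2, the following added example (not Trend Micro tooling and not part of the original article) parses "Faulting application" records exported from the Application log, counts crashes whose faulting module is TmUmSnsr64.dll, and checks that an event's fault offset matches the SYMBOL_NAME in the dump analysis. The function names are hypothetical, the first sample record is abridged from the excerpt above, and the second sample record is constructed.

```python
import re
from collections import Counter

# Field labels of a "Faulting application" record, as in the Application log excerpt.
LABELS = ("Faulting application name", "Faulting module name", "Exception code",
          "Fault offset", "Faulting process id", "Faulting application start time",
          "Faulting application path", "Faulting module path", "Report Id")
LABEL_RE = re.compile("(" + "|".join(map(re.escape, LABELS)) + "):")

def parse_fault_record(text):
    """Parse one record (flattened onto one line or multi-line) into a dict."""
    hits = list(LABEL_RE.finditer(text))
    rec = {}
    for cur, nxt in zip(hits, hits[1:] + [None]):
        rec[cur.group(1)] = text[cur.end():nxt.start() if nxt else len(text)].strip()
    return rec

def crashes_in_module(log_text, module="TmUmSnsr64.dll"):
    """Count crashes in `module`, keyed by (application, module version, offset)."""
    counts = Counter()
    for chunk in re.split(r"(?=Faulting application name:)", log_text):
        rec = parse_fault_record(chunk)
        mod_name, _, mod_rest = rec.get("Faulting module name", "").partition(",")
        if mod_name.strip().lower() != module.lower():
            continue  # crash in some other module, or text that is not a record
        ver = re.search(r"version:\s*([\d.]+)", mod_rest)
        app = rec.get("Faulting application name", "?").partition(",")[0].strip().lower()
        offset = int(rec.get("Fault offset", "0x0"), 16)
        counts[(app, ver.group(1) if ver else "?", offset)] += 1
    return counts

def matches_dump_symbol(fault_offset, symbol_name):
    """True if an event offset equals the hex offset in e.g. 'TmUmSnsr64+563b3'."""
    return fault_offset == int(symbol_name.rpartition("+")[2], 16)

# Record 1: abridged from the page. Record 2: constructed, unrelated module.
SAMPLE_LOG = (
    "Faulting application name: netsh.exe, version: 10.0.22621.1, time stamp: 0x13af0815 "
    "Faulting module name: TmUmSnsr64.dll, version: 1.0.0.1125, time stamp: 0x65499262 "
    "Exception code: 0xc0000005 Fault offset: 0x00000000000563b3 "
    "Faulting application path: C:\\Windows\\System32\\netsh.exe\n"
    "Faulting application name: example.exe, version: 1.0.0.0, time stamp: 0x00000000 "
    "Faulting module name: example.dll, version: 1.0.0.0, time stamp: 0x00000000 "
    "Exception code: 0xc0000005 Fault offset: 0x0000000000001000\n"
)

if __name__ == "__main__":
    for (app, ver, off), n in crashes_in_module(SAMPLE_LOG).items():
        print(f"{app} in TmUmSnsr64.dll {ver} at +{off:#x}: {n} crash(es)")
```

A count that stays at zero for netsh.exe after the exclusion is deployed is consistent with the issue being resolved; new entries for the same module are what step 3 asks you to report with fresh logs and a dump.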
