Windows Server encounters BSOD / crashes, and unable to boot because of smss.exe while hooked to DSA tmumh (TmUmEvt64.dll).
The issue originally occurs on Deep Security 126.96.36.1991.
- This crash happens when the Windows System process smss.exe tries to load trend module:
C:\Windows\system32\tmumh\20019\AddOn\188.8.131.523\TmUmEvt64.dllThe system complains that the TmUmEvt64.dll has an invalid image format and results to BSOD/crash.TmUmEvt64.dll is a binary file which belongs to AMSP UMH module. UMH will inject this DLL to user-mode processes when User mode hooking is enabled if the processes have not been excluded from UMH.
- The critical process smss.exe should be excluded from UMH but failed to do so, which resulted in BSOD/crash. As smss.exe is a critical system process, we bypass it using our pattern whiltelist settings, but in the BSOD dump, it can be found that the smss.exe’s whitelist tag is marked as deserted (It contains complex encoded data structure tree link that would cost a significant amount of time for decoding.)
To resolve this, upgrade from current DSA 11 and install DSA 11 U21 or above. Note that the fix is also applied on DS 12.0 U10 and current DS 20.0.