Summary
Windows Server encounters BSOD / crashes, and unable to boot because of smss.exe while hooked to DSA tmumh (TmUmEvt64.dll).
The issue originally occurs on Deep Security 11.0.0.871.
- This crash happens when the Windows System process smss.exe tries to load trend module:
C:\Windows\system32\tmumh\20019\AddOn\7.30.0.1113\TmUmEvt64.dll
The system complains that the TmUmEvt64.dll has an invalid image format and results to BSOD/crash.TmUmEvt64.dll is a binary file which belongs to AMSP UMH module. UMH will inject this DLL to user-mode processes when User mode hooking is enabled if the processes have not been excluded from UMH. - The critical process smss.exe should be excluded from UMH but failed to do so, which resulted in BSOD/crash. As smss.exe is a critical system process, we bypass it using our pattern whiltelist settings, but in the BSOD dump, it can be found that the smss.exe’s whitelist tag is marked as deserted (It contains complex encoded data structure tree link that would cost a significant amount of time for decoding.)
Details
To resolve this, upgrade from current DSA 11 and install DSA 11 U21 or above. Note that the fix is also applied on DS 12.0 U10 and current DS 20.0.
To upgrade the DSA, please refer to this Help Center article.
