Windows Server encounters BSOD / crashes, and unable to boot because of smss.exe while hooked to DSA tmumh (TmUmEvt64.dll).

The issue originally occurs on Deep Security 11.0.0.871.

• This crash happens when the Windows System process smss.exe tries to load trend module:

  C:\Windows\system32\tmumh\20019\AddOn\7.30.0.1113\TmUmEvt64.dll

  The system complains that the TmUmEvt64.dll has an invalid image format and results to BSOD/crash.
   

  TmUmEvt64.dll is a binary file which belongs to AMSP UMH module. UMH will inject this DLL to user-mode processes when User mode hooking is enabled if the processes have not been excluded from UMH.

   
• The critical process smss.exe should be excluded from UMH but failed to do so, which resulted in BSOD/crash. As smss.exe is a critical system process, we bypass it using our pattern whiltelist settings, but in the BSOD dump, it can be found that the smss.exe’s whitelist tag is marked as deserted (It contains complex encoded data structure tree link that would cost a significant amount of time for decoding.)