Installing both the Deep Security Agent (DSA) and the OfficeScan (OSCE) agent on the same host causes a driver conflict that crashes the system with a Blue Screen of Death (BSoD).
Below are the symptoms of the issue:
- It happens with any VSAPI version.
- A system BSoD occurs with bug check code "7F".
- The call stack goes through tmevtmgr.sys and tmpreflt.sys recursively.
The problem happens because the tmevtmgr.sys of Deep Security and the tmpreflt.sys of OfficeScan have a compatibility issue. If the two are installed together, they cause a kernel stack overflow and a BSoD.
To resolve the issue, remove the Deep Security Anti-Malware function:
- Check the AMSP folder. When the DSA and AM/AMSP module are both installed, the AMSP folder is created.
- Find the Tmevtmgr.sys version. This file is installed under \SystemRoot\system32\DRIVERS\ by both DSA and OSCE, but each product installs a different driver with a different version.
- Check the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tmevtmgr] registry key.
- Identify the version of Tmevtmgr.sys.
- If the version is greater than 5.5, it belongs to DSA AM/AMSP and it is called EYES.
- If the version is 2.x, it belongs to OSCE and it is called AEGIS.
- If the Tmevtmgr.sys version is 5.5 or above, re-install DSA with the AM function disabled to prevent the Tmevtmgr.sys file from being replaced again.
- Re-install the OSCE client to roll back the Tmevtmgr.sys file to the version used by OSCE AM.
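
The version check above can be scripted as follows. This is an added example, not a vendor-supplied tool; the function names `Resolve-TmevtmgrOwner` and `Get-TmevtmgrOwner` are hypothetical, and the script assumes the service key carries the standard `ImagePath` value.

```powershell
# Added example: report which product owns the installed tmevtmgr.sys.
# Function names are hypothetical; paths and version thresholds come from the article.

function Resolve-TmevtmgrOwner {
    param([Parameter(Mandatory)][version]$Version)
    # 2.x belongs to OSCE (AEGIS). The article gives the DSA threshold both as
    # "greater than 5.5" and "5.5 or above"; this script uses "5.5 or above".
    if ($Version.Major -eq 2)        { return 'OSCE (AEGIS)' }
    if ($Version -ge [version]'5.5') { return 'DSA AM/AMSP (EYES)' }
    return 'Unknown'
}

function Get-TmevtmgrOwner {
    $driver = Join-Path $env:SystemRoot 'system32\DRIVERS\tmevtmgr.sys'
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\services\tmevtmgr'

    if (-not (Test-Path -LiteralPath $driver)) {
        return [pscustomobject]@{ Driver = $driver; Present = $false }
    }

    # Use the numeric version parts; the FileVersion string may carry extra text.
    $info = (Get-Item -LiteralPath $driver).VersionInfo
    $ver  = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                           $info.FileBuildPart, $info.FilePrivatePart)

    # Read the service registration, if present (ImagePath is an assumption).
    $imagePath = $null
    if (Test-Path -LiteralPath $svcKey) {
        $imagePath = (Get-ItemProperty -LiteralPath $svcKey `
                        -ErrorAction SilentlyContinue).ImagePath
    }

    $owner = Resolve-TmevtmgrOwner -Version $ver
    [pscustomobject]@{
        Driver           = $driver
        Present          = $true
        FileVersion      = $ver
        Owner            = $owner
        ServiceImagePath = $imagePath
        # True when the DSA driver is in place and the re-install steps apply.
        NeedsDsaReinstall = ($owner -eq 'DSA AM/AMSP (EYES)')
    }
}

Get-TmevtmgrOwner | Format-List
```

A driver reported as `Unknown` falls outside both version ranges the article names and should be inspected manually.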