Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Blue-Screen-of-Death occurs when installing Deep Security Agent and OfficeScan Agent on the same host

    • Updated:
    • 17 Jul 2017
    • Product/Version:
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • OfficeScan 10.6
    • OfficeScan 11.0
    • OfficeScan XG.All
    • ServerProtect for Microsoft Windows/Novell Netware 5.7
    • ServerProtect for Microsoft Windows/Novell Netware 5.8
    • Platform:
    • Windows 10 32-bit
    • Windows 10 64-bit
    • Windows 2003 Enterprise
    • Windows 2008 Enterprise
    • Windows 2012 Enterprise
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows 8 32-bit
    • Windows 8 64-bit
    • Windows 8.1 32-bit
    • Windows 8.1 64-bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
Summary

Installing both Deep Security Agent (DSA) and OfficeScan (OSCE) agent on the same host triggers a Blue-Screen-of-Death (BSoD). This causes driver conflict and crash.

Below are the symptoms of the issue:

  • It happens in any VSAPI version.
  • System BSoD occurs and its bug check code is "7F".
  • Call stack goes through tmevtmgr.sys and tmpreflt.sys recursively.
Details
Public

The problem happens because the tmevtmgr.sys of Deep Security and the tmpreflt.sys of OfficeScan have compatibility issue. If the two are installed together, they will cause kernel stack overflow and BSoD.

To resolve the issue, remove the Deep Security Anti-Malware function:

  1. Check the AMSP folder. When the DSA and AM/AMSP module are both installed, the AMSP folder is created.
  2. Find the Tmevtmgr.sys version. This file, which is installed under \SystemRoot\system32\DRIVERS\, exists in both DSA and OSCE but they have different drivers with different versions.
    1. Check the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tmevtmgr] registry key.
    2. Identify the version of Tmevtmgr.sys.

      tmevtmgr.sys

      • If the version is greater than 5.5, it belongs to DSA AM/AMSP and it is called EYES.
      • If the version is 2.x, it belongs to OSCE and it is called AEGIS.
  3. If the Tmevtmgr.sys version is 5.5 or above, re-install DSA with disabled AM function to avoid the Tmevtmgr.sys file from being replaced again.
  4. Re-install the OSCE client to rollback the Tmevtmgr.sys file to the version used by OSCE AM.

Other products with Anti-Malware (AM) drivers cannot co-exist as well. For example, if ServerProtect for Microsoft Windows/Novell Netware (SPNT) and DSA are installed on the same machine, DSA will report offline AM due to driver conflict.

Premium
Internal
Rating:
Category:
Troubleshoot
Solution Id:
1113038
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.