BSOD PAGE_FAULT_IN_NONPAGED_AREA aswSnx.sys

[REDACTED]

Hello

Since mid may I'm plagued with BSOD caused by aswSnx.sys (I'm running Windows 7 64bits and Avast Pro AV 2014.9.0.2018).
The crashes happens times to times (happened 5 times so far) when I'm not using the computer (leaving switched on overnight).

I've reported that to the customer support but so far they have been completely useless only telling me to reinstall completely avast using clean install procedure (I've done this 3 times so far ...).

This is the last trace I have (but the others are similar):

Caused by Driver: aswSnx.sys
Caused by Address: aswSnx.sys+52684

061914-15054-01.dmp   19/06/2014 03:32:44   PAGE_FAULT_IN_NONPAGED_AREA   0x00000050   fffff8a0`15aa0000   00000000`00000000   fffff800`034d467a   00000000`00000000   aswSnx.sys   aswSnx.sys+52684   avast! Virtualization Driver   avast! Antivirus   AVAST Software   9.0.2018.394   x64   ntoskrnl.exe+75bc0               C:\Windows\Minidump\061914-15054-01.dmp   4   15   7601   297 904   19/06/2014 03:35:40   

What can I do to have support look at this seriously ?

Cheers

[REDACTED]

To add more details if I look more closely in windbg I can see that the windows kernel crash on a bad address however the from the call stack it seems that is it aswSnx.sys that gives that wrong pointer to the kernel.

[REDACTED]

Here the answer I've just received from CS:

There will be a new update of avast antivirus during the end of this month or a bit later so unfortunately we have no time to analyze your issue with greater accuracy. If you issue is related to avast there is a chance that new update somehow correct the issue. We are sorry for your inconvenience.

This can't be serious  !

[Asyn]

Try the new beta: https://forum.avast.com/index.php?topic=150784.0

[REDACTED]

It is supposed to be out in end of June so I rather wait ...

But anyway I still would like to have a proper answer from CS I mean this is why I've actually paid a license for ...

[REDACTED]

Another option is since aswsnx.sys is part of the virtualization used in the Sandbox feature you can uninstall Sandbox.
You can do a Forum search and people have had BSODs as well as PCs that did not boot because of this aswsnx.sys driver.
To me BSODs are not good and should not be ignored....even if intermitent....they are an indicator of something bad and the BSOD itself can cause other issues....IMHO a BSOD needs to be addressed.

So, to do this go to Control Panel > Programs and Features
Select Avast
In the menu on the left select CHANGE
Remove the tick from Sandbox and then press continue/next.
Then on the reboot enable Avast hardened mode > aggressive {read below why "aggressive"} to replace the Sandbox function.
When you upgrade to the latest Avast version you can always re-install the Sandbox feature and then disable hardened mode.
If you want to read example of this working for another poster try here: https://forum.avast.com/index.php?topic=108689.30

Here is thread that has some pics on Hardened Mode: https://forum.avast.com/index.php?topic=146069.0
Here is also a good summary listed by RejZor in another thread....
Hardened Mode is designed to make protection tougher without interfering with the computer usage much.
avast! by default checks suspicious files with DeepScreen within virtual environment to see how they behave. But if you use Hardened Mode, it starts to behave a bit differently.

Hardened Mode: Moderate
Under normal conditions, if avast! decides that some file is too suspicious by various characteristics, it then throws it into the DeepScren for further scanning. But if Moderate Hardened Mode is enabled, avast! automatically blocks files that are detected as suspicious by preliminary analysis.
In most cases DeepScreen checks the file and if it doesn't find obvious malicious problems with it, those files are started automatically after analysis. But Hardened Mode (Moderate) blocks it right there.

Hardened Mode: Aggressive
This mode behaves a bit differently. It actually relies on analysis on a very small scale and mostly relies on a huge whitelist database located in avast! Cloud. If file is located within the cloud and flagged as safe, it will allow to run it. If it's not found or marked as bad, it will block it. So, at least based on my experience, Aggressive Mode is actually much more secure and also a lot less intrusive. Only time that it will cause problems is with some very rare old software or very very new software that isn't used by thousands of users. Usually some very specialized programs used by only few users.
Moderate mode often feels a bit too paranoid (despite its name) because it often blocks safe programs just because they exhibit local suspicious file characteristics that are basically ignored by the Aggressive mode.

Only thing that confuses me is why Moderate mode doesn't rely on the same whitelist to avoid these suspicious blockings. In my case, i prefer to use Aggresssive mode and i have done so on many systems and it worked like charm. No problems, no excessive blocking but with superior protection.

[REDACTED]

Even after 2014.9.0.2021 update same crashes.

Here the output of windbg:

Code: [Select]

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {fffff8a024a58ffa, 0, fffff800034bc800, 0}

*** WARNING: Unable to verify timestamp for aswMonFlt.sys
*** ERROR: Module load completed but symbols could not be loaded for aswMonFlt.sys

Could not read faulting driver name
Probably caused by : aswMonFlt.sys ( aswMonFlt+2680 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff8a024a58ffa, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff800034bc800, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800036fd100
GetUlongFromAddress: unable to read from fffff800036fd1c0
 fffff8a024a58ffa Paged pool

FAULTING_IP:
nt!memcpy+250
fffff800`034bc800 488b440af8      mov     rax,qword ptr [rdx+rcx-8]

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  svchost.exe

CURRENT_IRQL:  0

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) amd64fre

TRAP_FRAME:  fffff8800c270060 -- (.trap 0xfffff8800c270060)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=b0109f4efe6c22d1 rbx=0000000000000000 rcx=fffff8a024e07578
rdx=ffffffffffc51a8a rsi=0000000000000000 rdi=0000000000000000
rip=fffff800034bc800 rsp=fffff8800c2701f8 rbp=fffff8a024dfa004
 r8=000000000000ffd4  r9=00000000000006ab r10=90b7204e76410043
r11=fffff8a024dfa004 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
nt!memcpy+0x250:
fffff800`034bc800 488b440af8      mov     rax,qword ptr [rdx+rcx-8] ds:fffff8a0`24a58ffa=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80003543bf0 to fffff800034c5bc0

STACK_TEXT: 
fffff880`0c26fef8 fffff800`03543bf0 : 00000000`00000050 fffff8a0`24a58ffa 00000000`00000000 fffff880`0c270060 : nt!KeBugCheckEx
fffff880`0c26ff00 fffff800`034c3cee : 00000000`00000000 fffff8a0`24a58ffa fffffa80`1b917a00 00000000`0000ffd8 : nt! ?? ::FNODOBFM::`string'+0x4518f
fffff880`0c270060 fffff800`034bc800 : fffff800`03490458 00000000`00000000 00000000`0000ffe8 fffffa80`1c7916a0 : nt!KiPageFault+0x16e
fffff880`0c2701f8 fffff800`03490458 : 00000000`00000000 00000000`0000ffe8 fffffa80`1c7916a0 00000000`00000000 : nt!memcpy+0x250
fffff880`0c270200 fffff880`05202680 : 00000000`00000000 00000000`00000000 00000000`0000ffe8 00000000`00000000 : nt!RtlAppendUnicodeStringToString+0x58
fffff880`0c270230 00000000`00000000 : 00000000`00000000 00000000`0000ffe8 00000000`00000000 00000000`20ee8a01 : aswMonFlt+0x2680


STACK_COMMAND:  kb

FOLLOWUP_IP:
aswMonFlt+2680
fffff880`05202680 ??              ???

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  aswMonFlt+2680

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: aswMonFlt

IMAGE_NAME:  aswMonFlt.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  53ac04e3

FAILURE_BUCKET_ID:  X64_0x50_aswMonFlt+2680

BUCKET_ID:  X64_0x50_aswMonFlt+2680

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:x64_0x50_aswmonflt+2680

FAILURE_ID_HASH:  {f74f6940-8456-b305-321d-c0a190f0c785}

Followup: MachineOwner
---------


[mchain]

No info about using custom install and de-selecting Sandbox option.  Was this done?

See thekochs's recommendations above.

[REDACTED]

Great so the only way to not have crashes is to remove the pro features basically ?

What the point of paying a license then ?

Moreover look at the debugger stack: the Avast driver crashes in some string manipulation routine, probably they didn't allocate properly the destination memory.
They have to fix they dodgy code

[mchain]

The point of a paid license is to get features and capabilities that the free version does not have.

http://www.avast.com/en-us/compare-antivirus

In Pro, you get SafeZone, but not in free version.

A bit or so ago, user CraigB recommended an upgrade to a beta version. 

Did you do a clean install of version 2014.9.0.2021 and select a custom install after removing the old version by using aswclear.exe? 

Or, did you do an upgrade within the avast user interface to get the latest version?

A clean install is recommended after removing the installation in place now.

First, be sure you have a copy of the license available before beginning a clean install.

Reason a clean custom install should be selected is so you can de-select the sandbox option when in custom install and avoid installing the problematic aswSnx.sys driver entirely.  Doing so should clear this issue. 

Then, you can configure your avast! hardened mode to Aggressive and that will take the place of the sandbox in protection. as user thekocks says.

****************************************************************************************************
****************************************************************************************************
Tools to aid in a clean install of avast!:

LInks to aid in a fresh, clean install of version 2014.9.0.2021 Pro:
http://www.avast.com/en-us/uninstall-utility  Follow instructions on this page to remove the old avast!
http://www.avast.com/download-thank-you.php?product=PAV-ONLINE&locale=en-ww  (See attachment below if you wish to download the entire installation package for avast! Pro so you can install it when offline)  Look for this link on this page and click that.

If you've ever had any other antivirus programs installed on your system, use this link to completely remove any left-over remnants to provide a clean environment for avast! to install cleanly:
http://www.avast.com/faq.php?article=AVKB11#artTitle  Run all tools that apply before you install avast! again.  Reboot after each run of a tool used.

If you need to, run the a/v tools first, then run aswclear.exe, reboot, and install avast! as a custom install.

A free alternative sandbox program:  http://www.sandboxie.com/

[REDACTED]

As mchain suggested.........please take the time and do a clean un-re-install.
Also, as he suggested (FAQ link) check your PC to remove any old remnants on other previously installed A/Vs....this is CRITICAL.
Follow this procedure.....maybe 15+ minutes total.....and YES it does make a big difference in stable code.

Avast Clean Un- & Re-Install
1. Download Avastclear, Rejzors uninstall tool and the appropriate Avast program edition.
Avastclear : http://files.avast.com/iavs9x/avastclear.exe
Rejzors Uninstall tool: http://rejzor.wordpress.com/avast-cleanup-tool/

Here are the Avast installer links. Note: You need to be ONLINE during this install.
http://files.avast.com/iavs9x/avast_free_antivirus_setup_online.exe
http://files.avast.com/iavs9x/avast_pro_antivirus_setup_online.exe
http://files.avast.com/iavs9x/avast_internet_security_setup_online.exe
http://files.avast.com/iavs9x/avast_premier_antivirus_setup_online.exe

......Now............
2. Uninstall Avast by Control Panel>Programs [If you don't have Avast in control Panel go to #4]
3. Run Avastclear in Normal Mode and allow it to Reboot PC into Safe Mode to complete the removal process.
4. Run Rejzors Uninstall Utility in Normal Mode (removes traces avastclear doesn't) - reboot.
5. Be Sure To Check PC's Device Manager....Control Panel>System Once Uninstall is Complete.
    Make sure to show any hidden devices by selecting pull-down menu Device Manager>View>Show Hidden Devices
    If there is anything related to Avast with a yellow triangle then uninstall it (highlight, right click) and reboot.
    If you get an error just right-click & delete.
6. Install the Avast version you downloaded.
7. Reboot.

Also, here is the download links to the offline installers but in some cases the offline installer doesn't work, whereas the online one does.
It has something to do with the wrong SFX in some installers......I've read several posts on issue with VISTA with the offline.

http://files.avast.com/iavs9x/avast_free_antivirus_setup.exe
http://files.avast.com/iavs9x/avast_pro_antivirus_setup.exe
http://files.avast.com/iavs9x/avast_internet_security_setup.exe
http://files.avast.com/iavs9x/avast_premier_antivirus_setup.exe

[REDACTED]

I've already done this full clean/reinstall dance that didn't changed anything.

If you look closely at my windbg analysis you'll see that it is a plain programming error, a badly initialized memory before attempting to concatenate a string.

I've this opened in the support since early may, they made me do the idiotic full clean reinstall dance at least 3 times and they seems to not have a clue!
This time I've took time to install windbg with the kernel symbol to give them a full stack I hope this is going to move the thing further.

@mchain
Do you think I don't know what are the functionality of the Pro version ? And paying a license entitle me to have proper customer support which actually fails greatly.

For now I've uninstalled the Sandbox, but I feel robbed as this is the distinctive feature of the pro version 

[mchain]

And you should.

I've taken the liberty of contacting an avast! team member.  I'm just an avast! user like you, who happens to like helping others with avast! issues.  I just volunteer my time here.

Want to thank you for sticking with us, but did you need to use any of the a/v final uninstallers? 

I'm sorry it has taken more than two months to get to this point.  This person will get and understand the winbg analysis.  Frankly, I don't know what to make of it other than to say, on a hunch, that that specific sector or block of your memory stick could be defective?  I say that because avast! keeps hitting that spot consistently given enough time, say 24 hours?, and then you get your BSOD.  That pattern seems consistent too.

So, working on two fronts here and there should move things along for you.