Q&A Bluescreen by NVT Driver Radar Pro (drvradar.sys)

Bundled with PUP
None
Joined
Jun 2, 2018
Messages
96
OS
Windows 10
Antivirus
Microsoft
#1
Hi,

I just got a bluescreen because I tried running "unlocker 1.9.0 64bit". It loads a driver to be able to unlock used files and stuff.
I was trying to use this one because your NVT program couldn't find what is locking the folder, btw. (Yet Unlocker couldn't either.)

Now, for some reason the information in the dump is different from the information on the BS itself. The reason might just be "microsoft" or "bluescreenview", though.
Code:
060618-7109-01.dmp    06-Jun-18 20:33:41    ATTEMPTED_WRITE_TO_READONLY_MEMORY    0x000000be    fffff801`699c3000    09000002`05917021    ffffa80d`894a5610    00000000`0000000b    UnlockerDriver5.sys    UnlockerDriver5.sys+3000                    x64    ntoskrnl.exe+197680                    C:\WINDOWS\Minidump\060618-7109-01.dmp    4    15    17134    390,155    06-Jun-18 20:34:29
It says it is caused by "UnlockerDriver5.sys", which is false. Deactivation of Driver Radar Pro proved Unlocker can run without problems.
Here is the BS:
IMAG0583.jpg

Clearly says drvradar.sys and it makes sense.
Code:
drvradar.sys        fffff801`69910000    fffff801`69917000    0x00007000    0x5afc98e7    16-May-18 22:47:35    NoVirusThanks Driver Radar Pro X64 Kernel-Mode Driver    NoVirusThanks Driver Radar Pro X64 Kernel-Mode Driver    1.3.0.0 built by: WinDDK    NoVirusThanks Company Srl    C:\WINDOWS\system32\drivers\drvradar.sys

A different question: Why is it in German? I changed to English.
 
Joined
May 31, 2015
Messages
171
OS
Windows 8.1
Antivirus
Kaspersky
#2
I'm gonna ask an off-topic question. Hope you ain't gonna mind, mate.
So, how does it feel looking at the BS?
 

Lockdown

From AppGuard
Developer
Joined
Oct 24, 2016
Messages
3,010
#4
> Hi,
>
> I just got a bluescreen because I tried running "unlocker 1.9.0 64bit". It loads a driver to be able to unlock used files and stuff.
> I was trying to use this one because your NVT program couldn't find what is locking the folder, btw. (Yet Unlocker couldn't either.)
>
> Now, for some reason the information in the dump is different from the information on the BS itself. The reason might just be "microsoft" or "bluescreenview", though.
> Code:
> 060618-7109-01.dmp    06-Jun-18 20:33:41    ATTEMPTED_WRITE_TO_READONLY_MEMORY    0x000000be    fffff801`699c3000    09000002`05917021    ffffa80d`894a5610    00000000`0000000b    UnlockerDriver5.sys    UnlockerDriver5.sys+3000                    x64    ntoskrnl.exe+197680                    C:\WINDOWS\Minidump\060618-7109-01.dmp    4    15    17134    390,155    06-Jun-18 20:34:29
> It says it is caused by "UnlockerDriver5.sys", which is false. Deactivation of Driver Radar Pro proved Unlocker can run without problems.
> Here is the BS:
> View attachment 190068
> Clearly says drvradar.sys and it makes sense.
> Code:
> drvradar.sys        fffff801`69910000    fffff801`69917000    0x00007000    0x5afc98e7    16-May-18 22:47:35    NoVirusThanks Driver Radar Pro X64 Kernel-Mode Driver    NoVirusThanks Driver Radar Pro X64 Kernel-Mode Driver    1.3.0.0 built by: WinDDK    NoVirusThanks Company Srl    C:\WINDOWS\system32\drivers\drvradar.sys
>
> A different question: Why is it in German? I changed to English.
You have to forward the memory dump to Andreas (NVT owner/developer) so that he can check it using the symbol files. Only then will you get a definitive answer as to the cause.
 
Joined
Jun 2, 2018
Messages
96
OS
Windows 10
Antivirus
Microsoft
#5
Yeah, I was waiting for the dev actually. I wasn't doing this because I had any questions about this BS. This seems like the official forum for NVT, tbh.
 

NoVirusThanks

From NoVirusThanks
Developer
Joined
Aug 23, 2012
Messages
164
OS
Windows 10
#6
NulFunction

That BS (should have) happened because Unlocker was unable to load its kernel-mode driver (blocked by Driver Radar Pro); in fact, when you disabled Driver Radar Pro and Unlocker was able to load its driver, no BS happened. It should not be a problem or bug of drvradar.sys. This scenario will be the same for other programs that have to load a kernel-mode driver but are blocked from loading it in the system.

With Driver Radar Pro you need to run it in Learning Mode before you run trusted applications that will load a kernel-mode driver, or you need to add the Signer (company that digitally signed the driver) to the Whitelist of Driver Radar Pro so the to-be-loaded driver (in this case of Unlocker) can be loaded in the system without being blocked.

Try to switch Driver Radar Pro to Learning Mode, then run Unlocker (so it will load the driver and it should be auto-whitelisted by Driver Radar Pro), then close Unlocker, switch Driver Radar Pro to Lockdown Mode, now run Unlocker again; there should be no BS.

Hope it helps.
 
Joined
Jun 2, 2018
Messages
96
OS
Windows 10
Antivirus
Microsoft
#7
I actually don't want a program that randomly creates bluescreens, intended or not.
It is a huge issue.
 

NoVirusThanks

From NoVirusThanks
Developer
Joined
Aug 23, 2012
Messages
164
OS
Windows 10
#8
DRP is for specific uses (e.g. it can be used to capture a rootkit driver during malware analysis) and is recommended for advanced users, since if a driver is blocked it can cause a BS. I would recommend first getting an idea of which programs that need a kernel driver you will use, then adding each Signer to the Whitelist, and then using DRP in Lockdown Mode to block any unknown (not whitelisted) driver. Not all kernel drivers cause a BS if they are blocked, but many of them can cause that (we can't do much about this behavior).
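The advice in posts #6 and #8 is to know in advance which kernel drivers you rely on and to whitelist their signers before switching Driver Radar Pro to Lockdown Mode. The script below is an added example (not from the thread and not NoVirusThanks' code) that builds that inventory on the machine it runs on: it enumerates the registered kernel drivers, resolves each service path to the driver file, and reports the Authenticode signer subject for each, so the distinct signers can be added to the Whitelist and unsigned or invalid drivers can be dealt with before they are blocked. It assumes an elevated PowerShell session on Windows; the `Resolve-DriverPath` and `Get-KernelDriverSigners` functions are names chosen for this example, and Driver Radar Pro itself is not queried or configured.

```powershell
# Added example, not part of the original thread or of Driver Radar Pro.
# Inventory kernel-mode drivers and their Authenticode signers before enabling
# a driver-blocking tool in Lockdown Mode. Assumes an elevated session.

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    # Service image paths come in several NT-style forms; map them to Win32 paths.
    $p = $p -replace '^\\\?\?\\', ''                         # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\system32\...
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"  # System32\drivers\...
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-KernelDriverSigners {
    param([switch]$RunningOnly)   # limit to drivers currently loaded
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver
    if ($RunningOnly) { $drivers = $drivers | Where-Object { $_.State -eq 'Running' } }
    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            # Registered but file missing (stale service entry): report and move on.
            [pscustomobject]@{ Name = $d.Name; State = $d.State; Path = $d.PathName; Status = 'FileNotFound'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Name   = $d.Name
            State  = $d.State
            Path   = $path
            Status = $sig.Status     # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = $signer
        }
    }
}

# 1. Full inventory, sorted so anything that is not validly signed stands out.
$inventory = Get-KernelDriverSigners
$inventory | Sort-Object Status, Signer | Format-Table Name, State, Status, Signer -AutoSize

# 2. Distinct signer subjects of validly signed drivers: candidates for the Whitelist.
$inventory | Where-Object { $_.Status -eq 'Valid' } |
    ForEach-Object { $_.Signer } | Sort-Object -Unique

# 3. Drivers that are unsigned, tampered or missing: these would be blocked in
#    Lockdown Mode and, as the thread describes, may take the loading program down with them.
$inventory | Where-Object { $_.Status -ne 'Valid' } | Format-Table Name, Path, Status -AutoSize
```

Run it once with the applications you care about installed (for a tool like Unlocker, after it has loaded its driver at least once, so the driver is registered), and use list 2 as the starting point for the Whitelist. `Get-AuthenticodeSignature` also honours catalog signatures on current Windows versions, which is how most inbox Microsoft drivers are signed, so those show as `Valid` even though the `.sys` file itself carries no embedded signature. Signer subject alone is a coarse trust decision; whitelisting by signer means every driver that company signs will be allowed, which is exactly the trade-off post #8 describes.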
 

Umbra

Level 61
Content Creator
Trusted
Joined
May 16, 2011
Messages
17,767
OS
Windows 10
Antivirus
Default-Deny
#9
> I actually don't want a program that randomly creates bluescreens, intended or not.
> It is a huge issue.
DRP worked as intended, you tried to load a driver while using a software whose purpose is to block them :sneaky:....no wonder...
Most NVT apps are advanced tools, not "tools-for-noobs", they must be configured properly before being run.
 
Joined
Jun 2, 2018
Messages
96
OS
Windows 10
Antivirus
Microsoft
#10
I understand why you wouldn't want to write that it intentionally causes BSODs on your webpage.
It is listed under "Malware Protection", though. Maybe you should either change its location or add some kind of documentation or a warning that it can cause BSODs.

> DRP worked as intended, you tried to load a driver while using a software whose purpose is to block them :sneaky:....no wonder...
smug
 
