Advice Request Bluescreen by NVT Driver Radar Pro (drvradar.sys)

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
Hi,

I just got a bluescreen because I tried running "unlocker 1.9.0 64bit". It loads a driver to be able to unlock used files and stuff.
I was trying to use this one because your NVT program couldn't find what is locking the folder, btw. (Yet unlocker couldn't too)

Now, for some reason the information in the dump is different to the information on the BS itself. The reason might just be "microsoft" or "bluescreenview", though.
Code:
060618-7109-01.dmp    06-Jun-18 20:33:41    ATTEMPTED_WRITE_TO_READONLY_MEMORY    0x000000be    fffff801`699c3000    09000002`05917021    ffffa80d`894a5610    00000000`0000000b    UnlockerDriver5.sys    UnlockerDriver5.sys+3000                    x64    ntoskrnl.exe+197680                    C:\WINDOWS\Minidump\060618-7109-01.dmp    4    15    17134    390,155    06-Jun-18 20:34:29

It says it is caused by "unlockdriver5.sys" which is false. Deactivation of Driver Radar Pro proved unlocker can run without problems.
Here is the BS:
IMAG0583.jpg

Clearly says drvradar.sys and it makes sense.
Code:
drvradar.sys        fffff801`69910000    fffff801`69917000    0x00007000    0x5afc98e7    16-May-18 22:47:35    NoVirusThanks Driver Radar Pro X64 Kernel-Mode Driver    NoVirusThanks Driver Radar Pro X64 Kernel-Mode Driver    1.3.0.0 built by: WinDDK    NoVirusThanks Company Srl    C:\WINDOWS\system32\drivers\drvradar.sys


A different question: Why is it in german? I changed to english.
 

yitworths

Level 10
Verified
Well-known
May 31, 2015
472
I'm gonna ask an off-topic question. Hope you ain't gonna mid mate.
So, how does it feel looking at the BS?
 
5

509322

Hi,

I just got a bluescreen because I tried running "unlocker 1.9.0 64bit". It loads a driver to be able to unlock used files and stuff.
I was trying to use this one because your NVT program couldn't find what is locking the folder, btw. (Yet unlocker couldn't too)

Now, for some reason the information in the dump is different to the information on the BS itself. The reason might just be "microsoft" or "bluescreenview", though.
Code:
060618-7109-01.dmp    06-Jun-18 20:33:41    ATTEMPTED_WRITE_TO_READONLY_MEMORY    0x000000be    fffff801`699c3000    09000002`05917021    ffffa80d`894a5610    00000000`0000000b    UnlockerDriver5.sys    UnlockerDriver5.sys+3000                    x64    ntoskrnl.exe+197680                    C:\WINDOWS\Minidump\060618-7109-01.dmp    4    15    17134    390,155    06-Jun-18 20:34:29

It says it is caused by "unlockdriver5.sys" which is false. Deactivation of Driver Radar Pro proved unlocker can run without problems.
Here is the BS:
View attachment 190068
Clearly says drvradar.sys and it makes sense.
Code:
drvradar.sys        fffff801`69910000    fffff801`69917000    0x00007000    0x5afc98e7    16-May-18 22:47:35    NoVirusThanks Driver Radar Pro X64 Kernel-Mode Driver    NoVirusThanks Driver Radar Pro X64 Kernel-Mode Driver    1.3.0.0 built by: WinDDK    NoVirusThanks Company Srl    C:\WINDOWS\system32\drivers\drvradar.sys


A different question: Why is it in german? I changed to english.

You have to forward the memory dump to Andreas (NVT owner\developer) so that he can check it using the symbol files. Only then will you get a definitive answer as to the cause.
 

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
Yea I was waiting for the dev actually. I wasn't doing this because I had any questions about this BS. This seems like the official forum for NVT, tbh.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
NulFunction

That BS (should have) happened because Unlocker was unable to load its kernel-mode driver (blocked by Driver Radar Pro), infact when you disabled Driver Radar Pro and Unlocker was able to load its driver, no BS happened. It should not be a problem or bug of drvradar.sys. This scenario will be same for other programs that have to load a kernel-mode driver but it is blocked from being loaded in the system.

With Driver Radar Pro you need to run it in Learning Mode before you run trusted applications that will load a kernel-mode driver, or you need to add the Signer (company that digitally signed the driver) to the Whitelist of Driver Radar Pro so the to-be-loaded driver (in this case of Unlocker) can be loaded in the system without beign blocked.

Try to switch Driver Radar Pro in Learning Mode, then run Unlocker (so it will load the driver and it should be auto-whitelisted by Driver Radar Pro), then close Unlocker, switch Driver Radar Pro in Lockdown Mode, now run again Unlocker, there should be no BS.

Hope it helps.
 

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
I actually don't want a program that randomly creates bluescreens, intended or not.
It is a huge issue.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
DRP is for specific uses (e.g. can be used to capture a rootkit driver during malware analysis) and recommended for advanced users, since if a driver is blocked it can cause a BS. I would recommend to first get an idea of what programs that need a kernel driver you will use, then add each Signer to the Whitelist and then use DRP in Lockdown Mode to block any unknown (not whitelisted) driver. Not all kernel drivers cause a BS if they are blocked, but many of them can cause that (we can't do much about this behavior).
 
D

Deleted member 178

I actually don't want a program that randomly creates bluescreens, intended or not.
It is a huge issue.
DRP worked as intended, you tried to load a driver while using a software which purposes is to block them :sneaky:....no wonder...
Most NVT apps are advanced tools, not "tools-for-noobs", they must be configured properly before ran.
 

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
I understand why wouldn't want to write that it intentionally causes BSODs on your webpage.
It is listed under "Malware Protection", thought. Maybe you should either change it's location or add some kind of documentation or a warning that it can cause BSODs.

DRP worked as intended, you tried to load a driver while using a software which purposes is to block them :sneaky:....no wonder...
smug
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top