Scenario:
After installing Symantec Anti-Virus 10, a Windows XP system may experience numerous “Stop 5A” blue screens.
Windows Version: XP Service Pack 2 (XPSP2)
Symantec AntiVirus Version: 10.0.2.2002
Cause:
Symantec installs two device drivers as Kernel-mode devices:
SAVRT
SAVRTPEL
These device drivers are part of “File System Auto-Protect”, which scans files as they are read from or written to the hard drive (interactive scan).
If either of these fails (crashes, becomes unresponsive), Windows thinks a device has failed and blue screens with a Stop 0x5a (Critical device failed).
One or both of these services can become unstable and crash when scanning large files, such as large zip files and other archives, mail files such as OST (Outlook Offline Store) and PST (Personal Folder) files, and the like.
Resolution:
Option 1:
Exclude the file extensions that trigger the blue screen. In the “Symantec AntiVirus” console, open “Configure…File System Auto-Protect” and change “File Types” to “Selected”. Then click the “Extensions” button and remove the extensions of large files that may be triggering the crash (e.g., zip, pst, ost).
This method works, but it leaves some exposure for the excluded file types. Most large files are archives, meaning they contain embedded files or file systems that should be scanned to properly address the risk of infection by a virus or other malware. For example, if zip files are excluded, a zip file containing a virus could be downloaded without being detected.
Option 2:
Change the driver type from “kernel” to “file system”.
Use the “sc” command at the command prompt:
————————–
C:\>sc config savrt type= filesys
[SC] ChangeServiceConfig SUCCESS
C:\>sc config savrtpel type= filesys
[SC] ChangeServiceConfig SUCCESS
C:\>
————————–
Issuing these two commands will reconfigure the Symantec devices as file system (rather than kernel) drivers. If the Symantec processes crash while scanning a large file, the kernel will issue a warning or error in the System Event Log, but the machine will not blue screen.
Reboot to make the change effective.
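The same change as a batch file, added here as an example and not part of the original write-up: it saves the current "sc qc" output for both drivers, applies the type change, and confirms that "sc qc" now reports FILE_SYSTEM_DRIVER. The backup file name is an assumption; run it from an administrator command prompt.

```batch
@echo off
rem Added example: record, change and verify the driver type of SAVRT and SAVRTPEL.
rem The backup file name below is an assumption, pick any writable location.
setlocal
set BACKUP=%TEMP%\savrt-type-before.txt
if exist "%BACKUP%" del "%BACKUP%"

for %%S in (savrt savrtpel) do (
    rem Save the current configuration so the change can be reversed later.
    echo ==== %%S ====>> "%BACKUP%"
    sc qc %%S >> "%BACKUP%"
    if errorlevel 1 (
        echo %%S: service not found, nothing changed.
    ) else (
        sc config %%S type= filesys >nul
        rem Once the change is stored, sc qc lists the type as FILE_SYSTEM_DRIVER.
        sc qc %%S | find "FILE_SYSTEM_DRIVER" >nul
        if errorlevel 1 (
            echo %%S: type was NOT changed, check permissions.
        ) else (
            echo %%S: now configured as a file system driver.
        )
    )
)

echo Previous settings saved to %BACKUP%
echo To revert: sc config ^<name^> type= kernel, then reboot.
endlocal
```

The saved file shows the original TYPE line for each driver, which is what to restore if Auto-Protect misbehaves after the reboot.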
…