
Aniej

macrumors 68000
Original poster
Oct 17, 2006
1,743
0
Antivirus all of a sudden started crashing on me. I got this message in the Apple report log when I sent the report:

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x0000000c

Is that a kernel panic or something different?

What is a kernel panic and why does it happen?

Also, is it indicative of something else about to happen such as a HDD failure?

Can anyone help with this?
 
No, that's just a program crash log.

Apple Docs: What is a kernel panic?

Try the following steps until it no longer crashes:
1. Create a new user and log into it. Does it still crash?
2. Remove the application preferences and relaunch it. Does it still crash?
3. Remove the application, and if you really must have a virus checker, reinstall it. Does it still crash?
4. Remove the application totally. You won't get a virus, currently.

What application is it anyway?
 
Oh sorry, I thought I said that. It is Norton Antivirus.
 
Interesting. A few people said that on here, but I was skeptical, but I am hearing it more and more. Are Macs in any way susceptible to spyware and junk like that so as to warrant Spybot Search and Destroy? I am actually writing a paper for law school on cyberwarfare, which I know a lot more about than basic spyware stuff, but am increasingly becoming interested in different security precautions for Apple. Maybe I will post a separate thread addressing that issue, but I just wanted to respond to your point.
 
Interesting. A few people said that on here, but I was skeptical, but I am hearing it more and more. Are Macs in any way susceptible to spyware and junk like that so as to warrant Spybot Search and Destroy? I am actually writing a paper for law school on cyberwarfare, which I know a lot more about than basic spyware stuff, but am increasingly becoming interested in different security precautions for Apple. Maybe I will post a separate thread addressing that issue, but I just wanted to respond to your point.

Short version of what I want to say:

No need to have applications like Ad-Aware and Search&Destroy for spyware on OS X yet. Nothing big has hit OS X. As the Mac user base increases, so do the risks of crackers/"hackers" finding exploits for personal gain.

---

Long Version:

If you must have some Antivirus (AV) scanner, rather than running Norton, try other alternatives like ClamXav. Apple uses the ClamAV engine in the server edition of OS X. ClamXav is just the GUI on the Clam engine, so it is easier for the average consumer to run a quick test to make sure Windows partitions are not infected with viruses, whether it is in Bootcamp or Parallels. OS X AV scanners shouldn't be used as if you are going to get an OS X virus tomorrow and that it would protect you, but it should be used as a means to protect others who do run Windows or another OS on a network. I don't use Norton, ClamXav or the others like Virex from McAfee. My emails/files already go through servers with anti-virus checking in place to protect those who use Windows. I do, however, use Grisoft's AVG for Windows XP in Parallels.

I personally love Apple and OS X. I may be a "fanboy", but I do keep in mind that there is no such thing as a 100% secure OS. OS X and *Unix come close, but still have problems. No problems with spyware/viruses in OS X yet, but we need to stay aware that it could be a possibility.

How to stay aware (few quick steps I use when I get a new Mac) ...

1. Do not run the default Administrator account for everyday use. Make another account that does not administer the computer. When you need to install an app, install it normally ... but it will ask you to authenticate. You enter the admin account name and its associated password. It takes a few seconds, but it will give you some good protection in the long run. Just make sure to remember that it will only ask you for admin username/pass when installing apps, not for things like viewing pictures from a folder in Preview, listening to .mp3s, or when unzipping a file.

2. Enable the firewall. Go to System Preferences and enable it.

3. If you use Safari, untick the checkbox about opening "safe" files automatically. In theory, people can use it against you to gain access to the computer. I don't know if anyone ever attempted it.

4. Optional: I use an app called "Little Snitch". It lets you know about all incoming/outgoing connections your computer is making to the internet. Very useful. I'm sort of paranoid when it comes to security, so this is a must for all my Macs at home.

There are more tips, but I can't find the site I saw a while ago with a PDF on everything about securing OS X from using FileVault in SysPrefs and so on. Maybe someone here knows what I'm talking about and remembers the site.
 
There are more tips, but I can't find the site I saw a while ago with a PDF on everything about securing OS X from using FileVault in SysPrefs and so on. Maybe someone here knows what I'm talking about and remembers the site.

I really appreciate the time you spent on putting that list together, it is really great. Thank you! Do you have any hints as to the PDF you were referring to, as in some distinguishing word in the title, date, website it was on? I would really like to take a look at it or any other sites that similarly address security.
 
Norton AntiVirus 11 and Safari 3.1.1 Kernel panics

Hello,

2.4 GHz iMac, Intel Core 2 Duo, running Leopard (Mac OS 10.5.2). All the latest updates have been installed (Time Capsule being used with Time Machine). But several of the kernel panics did occur prior to the Time Capsule being installed.

All the kernel panics occurred when running Safari 3.1.1. The following is from the last panic log.

Fri May 16 12:51:37 2008
panic(cpu 1 caller 0x001A8C8A): Kernel trap at 0x006bb367, type 14=page fault, registers:
CR0: 0x8001003b, CR2: 0x0000003c, CR3: 0x01131000, CR4: 0x00000660
EAX: 0x00000000, EBX: 0x00000000, ECX: 0x00000000, EDX: 0x00000000
CR2: 0x0000003c, EBP: 0x5ad7b708, ESI: 0x00000061, EDI: 0x56d54928
EFL: 0x00010202, EIP: 0x006bb367, CS: 0x00000008, DS: 0x06c00010
Error code: 0x00000000

Backtrace, Format - Frame : Return Address (4 potential args on stack)
0x5ad7b4f8 : 0x12b0f7 (0x4581f4 0x5ad7b52c 0x133230 0x0)
0x5ad7b548 : 0x1a8c8a (0x461720 0x6bb367 0xe 0x460ed0)
0x5ad7b628 : 0x19ece5 (0x5ad7b640 0x5ad7b68c 0x5ad7b708 0x6bb367)
0x5ad7b638 : 0x6bb367 (0xe 0x640048 0x6c00010 0x190010)
0x5ad7b708 : 0x6b5a4c (0x0 0x5ad7b98c 0x0 0x0)
0x5ad7b9b8 : 0x6b617f (0x5ad7baa4 0x3e9 0x1 0x3a362f)
0x5ad7b9f8 : 0x3b98d2 (0x6ab8600 0x8c057f8 0x0 0x5ad7baa4)
0x5ad7ba48 : 0x3a93a4 (0x8c057f8 0x0 0x5ad7baa4 0x0)
0x5ad7ba98 : 0x245f4f (0x8c0583c 0x56db0d00 0x1 0x301000a)
0x5ad7bc78 : 0x23baa0 (0x56db0d00 0x14 0x14 0x6)
0x5ad7bcb8 : 0x23d822 (0x56db0d00 0x14 0x6 0x0)
0x5ad7bdd8 : 0x23d85e (0x56db0d00 0x0 0x5ad7be48 0x13679a)
0x5ad7bdf8 : 0x2297b6 (0x2 0x56db0d00 0x7027d14 0x0)
0x5ad7be38 : 0x2187c5 (0x2 0x56db0d00 0x5ad7be88 0x1369ad)
0x5ad7bec8 : 0x214f04 (0x7169004 0x2 0x56db0d00 0x3e859c)
0x5ad7bef8 : 0x21565d (0x5258e4 0x6f2cb48 0x2 0x5ad7bf74)
Backtrace continues...
Kernel loadable modules in backtrace (with dependencies):
com.symantec.kext.ips(1.2f28)@0x6b2000->0x6d0fff
dependency: com.symantec.kext.internetSecurity(1.1f10)@0x6a9000

BSD process name corresponding to current thread: kernel_task

Mac OS version:
9C7010

Kernel version:
Darwin Kernel Version 9.2.2: Tue Mar 4 21:17:34 PST 2008; root:xnu-1228.4.31~1/RELEASE_I386
System model name: iMac7,1 (Mac-F42386C8)


Note the reference to com.symantec.kext.ips and com.symantec.kext.internetSecurity near the end of the log. Would this be an indication that these files are causing the kernel panics?

The Norton AntiVirus 11 uninstall application would not work so I rooted through my startup drive to eliminate all files (and there were quite a few) associated with this installation. I then reinstalled the application and updated with Live Update. I am watching to see if the problem persists after this fresh install. Certainly, if it does and can be directly attributable to an installed file by Norton AntiVirus 11, I will once again uninstall the application. This time for good.

Thank you for any assistance / clarification you could provide.

Al
 
Note the reference to com.symantec.kext.ips and com.symantec.kext.internetSecurity near the end of the log. Would this be an indication that these files are causing the kernel panics?

It can be an indicator. It depends on where kernel loadable modules appear in the backtrace. This line helps determine this:

com.symantec.kext.ips(1.2f28)@0x6b2000->0x6d0fff

So, any instructions in the kernel between the addresses of 0x6b2000 and 0x6d0fff belong to "com.symantec.kext.ips". If one steps through each frame in the backtrace, we see the following.

0x5ad7b4f8 : 0x12b0f7 (0x4581f4 0x5ad7b52c 0x133230 0x0)
0x5ad7b548 : 0x1a8c8a (0x461720 0x6bb367 0xe 0x460ed0)
0x5ad7b628 : 0x19ece5 (0x5ad7b640 0x5ad7b68c 0x5ad7b708 0x6bb367)

These three frames are the kernel dealing with the page fault exception. The first frame listed is the most recent as we are progressing backwards in time. This frame is the actual panic() function which generated this log and halted your machine.

0x5ad7b638 : 0x6bb367 (0xe 0x640048 0x6c00010 0x190010)
0x5ad7b708 : 0x6b5a4c (0x0 0x5ad7b98c 0x0 0x0)
0x5ad7b9b8 : 0x6b617f (0x5ad7baa4 0x3e9 0x1 0x3a362f)

The next three frames are responsible for tripping the page fault, which panicked the kernel. These frames belong to "com.symantec.kext.ips". I know this because the addresses above that are highlighted in blue fall within the address range we picked out above.

0x5ad7b9f8 : 0x3b98d2 (0x6ab8600 0x8c057f8 0x0 0x5ad7baa4)
0x5ad7ba48 : 0x3a93a4 (0x8c057f8 0x0 0x5ad7baa4 0x0)
0x5ad7ba98 : 0x245f4f (0x8c0583c 0x56db0d00 0x1 0x301000a)
0x5ad7bc78 : 0x23baa0 (0x56db0d00 0x14 0x14 0x6)
0x5ad7bcb8 : 0x23d822 (0x56db0d00 0x14 0x6 0x0)
0x5ad7bdd8 : 0x23d85e (0x56db0d00 0x0 0x5ad7be48 0x13679a)
0x5ad7bdf8 : 0x2297b6 (0x2 0x56db0d00 0x7027d14 0x0)
0x5ad7be38 : 0x2187c5 (0x2 0x56db0d00 0x5ad7be88 0x1369ad)
0x5ad7bec8 : 0x214f04 (0x7169004 0x2 0x56db0d00 0x3e859c)
0x5ad7bef8 : 0x21565d (0x5258e4 0x6f2cb48 0x2 0x5ad7bf74)

These remaining frames are the kernel processing a single inbound TCP/IP packet.

In short, the kernel received a single incoming TCP/IP packet and handed it off to the Symantec module, which then caused a page fault. A page fault inside of the kernel is almost certainly fatal, so a panic() was done.

It looks like the Symantec kernel extension is indeed responsible for causing these kernel panics. Remove the extension, and the panics should no longer occur.
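
The frame-by-frame attribution walked through in the reply above, as an added example that is not part of the original posts: it parses the "Kernel loadable modules" ranges from a panic log and labels each backtrace return address, plus the trap address, with the module that owns it. The function names and the `kernel` label are assumptions made for this sketch; the log text is an excerpt of the one posted in the thread.

```python
import re

# Excerpt of the panic log posted above (first seven backtrace frames).
PANIC_LOG = """\
panic(cpu 1 caller 0x001A8C8A): Kernel trap at 0x006bb367, type 14=page fault, registers:
Backtrace, Format - Frame : Return Address (4 potential args on stack)
0x5ad7b4f8 : 0x12b0f7 (0x4581f4 0x5ad7b52c 0x133230 0x0)
0x5ad7b548 : 0x1a8c8a (0x461720 0x6bb367 0xe 0x460ed0)
0x5ad7b628 : 0x19ece5 (0x5ad7b640 0x5ad7b68c 0x5ad7b708 0x6bb367)
0x5ad7b638 : 0x6bb367 (0xe 0x640048 0x6c00010 0x190010)
0x5ad7b708 : 0x6b5a4c (0x0 0x5ad7b98c 0x0 0x0)
0x5ad7b9b8 : 0x6b617f (0x5ad7baa4 0x3e9 0x1 0x3a362f)
0x5ad7b9f8 : 0x3b98d2 (0x6ab8600 0x8c057f8 0x0 0x5ad7baa4)
Kernel loadable modules in backtrace (with dependencies):
com.symantec.kext.ips(1.2f28)@0x6b2000->0x6d0fff
dependency: com.symantec.kext.internetSecurity(1.1f10)@0x6a9000
"""

FRAME_RE = re.compile(r"^0x[0-9a-f]+ : (0x[0-9a-f]+) \(", re.I | re.M)
# Only lines with a full start->end range match. "dependency:" lines give a
# load address but no end address, so they cannot be used for attribution.
KEXT_RE = re.compile(r"^([\w.]+)\([^)]*\)@(0x[0-9a-f]+)->(0x[0-9a-f]+)", re.I | re.M)
TRAP_RE = re.compile(r"Kernel trap at (0x[0-9a-f]+)", re.I)
KERNEL = "kernel"  # label assumed here for addresses outside every listed kext

def kext_ranges(log):
    """Return [(bundle_id, start, end)] for each kext with a full range."""
    return [(m[1], int(m[2], 16), int(m[3], 16)) for m in KEXT_RE.finditer(log)]

def owner(addr, ranges):
    """Name the kext whose inclusive range contains addr, else KERNEL."""
    for name, start, end in ranges:
        if start <= addr <= end:
            return name
    return KERNEL

def attribute_frames(log):
    """Return [(return_address, owner)] in backtrace order (most recent first)."""
    ranges = kext_ranges(log)
    return [(int(m[1], 16), owner(int(m[1], 16), ranges))
            for m in FRAME_RE.finditer(log)]

def faulting_module(log):
    """Owner of the 'Kernel trap at' address, or None if the line is absent."""
    m = TRAP_RE.search(log)
    return owner(int(m[1], 16), kext_ranges(log)) if m else None

if __name__ == "__main__":
    for addr, who in attribute_frames(PANIC_LOG):
        print(f"{addr:#010x}  {who}")
    print("trap address belongs to:", faulting_module(PANIC_LOG))
```
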
 