Skip to main content

Troubleshoot Blue Screen of Death (BSOD) caused by ThreatDown

Updated: 

Issue

A Blue Screen of Death (BSOD), also known as a Stop error, occurs when Windows encounters a critical system error it cannot recover from, leading to an immediate crash and restart. While BSODs can stem from hardware faults, driver conflicts, OS issues, or incompatible software, the ThreatDown Endpoint drivers or protection have occasionally been associated with crashes in certain configurations, updates, or older Windows versions.

Symptoms

  • Sudden blue screen with error codes (e.g., KMODE_EXCEPTION_NOT_HANDLED, IRQL_NOT_LESS_OR_EQUAL, SYSTEM_SERVICE_EXCEPTION, BAD_POOL_CALLER, KERNEL_AUTO_BOOST_LOCK_ACQUISITION_WITH_RAISED_IRQL).
  • Crash during boot, scans, reboot, OS update, or randomly.
  • Stop codes referencing ThreatDown-related drivers such as mwac.sys, farflt.sys, or flightrecorder.sys.

Resolution

Work through the following tasks in order until the issue is resolved.

Task 1: Ensure Memory Dump Generation for Analysis

Windows generates a memory dump file during BSOD for debugging. The default location is %SystemRoot%\MEMORY.DMP, usually C:\Windows\MEMORY.DMP.

If no dump file exists after a reproducible crash, configure automatic dump creation:

  1. On the Windows device, go to Control Panel > System and Security > System.
  2. Click Advanced system settings > Advanced tab.
  3. Under Startup and Recovery, click Settings.
  4. In System failure > Write debugging information, select one of the following:
    • Automatic memory dump: Recommended/default in modern Windows. Equivalent to kernel dump if page file allows.
    • Kernel memory dump: Partial kernel memory. Common for driver analysis.
    • Active memory dump or Complete memory dump: Full RAM; use cautiously as it requires large disk space and takes longer to write.
  5. Ensure the Dump file path has sufficient space. Change to another drive if needed: D:\MEMORY.DMP.
  6. Uncheck Automatically restart to view the BSOD message longer.
  7. Click OK > Apply > OK.
  8. Restart the computer for changes to take effect.

Notes:

  • Page file must be large enough - at least equal to RAM for complete dumps.
  • Complete dumps can take significant time on large RAM systems.

Task 2: Perform Layer Testing to Isolate ThreatDown Involvement

Follow the layer testing process from Troubleshooting endpoint performance issues to identify the problematic protection layer:

  1. Enable debug logging on the endpoint.
  2. In Nebula, disable layers systematically:
    1. Start with EDR if enabled.
    2. Then disable Real-Time Protection sub-layers individually in this order: 
      1. Malware Protection
      2. Ransomware Behavior Protection
      3. Web Protection
      4. Exploit Protection
    3. Wait 2-3 minutes after each layer is disabled to ensure the policy is applied to the endpoint.
    4. Attempt to reproduce the BSOD.
  3. If disabling a layer prevents crashes, re-enable other layers and confirm by reproducing the issue with only the problematic layer enabled.
  4. Collect Endpoint Agent logs.

Task 3: Contact Support

Provide the following when contacting support:

  • The debug Endpoint Agent logs collected in the previous step
  • Memory dump file (MEMORY.DMP or mini-dumps in C:\Windows\Minidump)
  • Environment details:
    • How many machines affected?
    • Reproducible? Steps to reproduce.
    • OS/platform: Windows 10/11 version, Windows Server 2019/2022, etc.
    • Agent version
    • Recent changes or updates

Temporary Workaround while awaiting support:

  • Disable suspect layers in policy for affected endpoints.
  • Boot in Safe Mode to test stability without ThreatDown.

Still have questions?

Support is available via chat, phone or by creating a ticket. You can also use our virtual assistant for guided assistance.

Learn more