Raynor

EAM incompatible with Win 10 1803/1809 Memory Integrity Feature (BSOD)


There is a new security feature in Win 10 v1803 / v1809. It is called "Core Isolation". It can be found
in the Windows Security Center under "Device Security". The core isolation feature includes a
sub-feature called "Memory Integrity" (clicking on "core isolation details" reveals a switch that can be used
to turn this feature on). It is enabled on fresh Windows installs, but not for existing installations that have been
upgraded to v1803 or v1809. According to MS, these users can opt-in using the switch.

For me, the switch turns on fine (no driver incompatibility warning given), but the required reboot ends with a
blue screen KERNEL_SECURITY_CHECK_FAILURE. The welcome screen is shown for a few seconds, then
the BSOD is shown. I had to go into the BIOS, turn off virtualization, reboot and then disable the memory integrity
setting in the registry.

This happens on BOTH my PCs (main work PC - recent hardware, Z270 chipset - and my small Intel NUC7i5
media PC with no special stuff installed). Tried it under Win 10 v1803 a couple of months ago
and now again yesterday with v1809 (x64). Same results always.

After pulling out some hair, I decided to uninstall EAM. And behold, the feature turns on successfully on BOTH PCs.

Trying to re-install EAM with Memory Integrity turned on immediately causes the above-mentioned BSOD
during the installation (i.e. not on reboot, but immediately while the EAM installer is running).

Here is another user reporting exactly the same issue:

https://www.wilderssecurity.com/threads/win-10-1803-core-isolation-and-memory-integrity.407342/#post-2776118

"With Core Isolation and memory integrity turned on I got a green screen of death trying to install Emsisoft
and could only recover using Macrium Reflect backup. Turned off memory integrity and EAM installed fine."

 

The information given in the German section of the Emsisoft forum that it "should" be compatible
is obviously FALSE. While EAM is certainly compatible with the basic "Core Isolation" feature,
it does NOT work when the memory isolation sub-feature is switched on.

https://support.emsisoft.com/topic/29479-windows-10-1803-kernisolierungspeicherintegrität/

Bottom line: please make it compatible 😁

Thanks and best regards
Raynor


This has been a known issue for quite some time. EAM has never been compatible with the "Memory Integrity" feature, and we recommend leaving it turned off.

If necessary, you can start your computer in Safe Mode to turn it off.


Thanks for the confirmation and the quick reply.

This should be documented somewhere to save others the hassle.
E.g. in the release notes, as a sticky in the forum, or as a message
in the installer. I was unable to find this info, which led to me being puzzled
and wasting quite some time.

Not a biggie at the moment, but compatibility with this feature would certainly
be welcomed for the future. Other AV vendors (Kaspersky comes to mind)
are also struggling with this feature, but they have been communicating
it more openly.

Thanks again
Raynor


I'm fairly certain it's been discussed publicly before, however I haven't been able to find the discussion. It's possible that the user who asked the question later asked us to delete their account, along with their posts. All that's left is a post in a malware removal topic where someone asked if it was recommended to turn it on.

 

3 hours ago, Raynor said:

Other AV vendors (Kaspersky comes to mind) are also struggling with this feature, but they have been communicating it more openly.

That's more than likely due to the fact that users are actively asking them about it. Most of our users are just average people or businesses, neither of which are likely to use optional advanced security features in Windows, so we don't get asked about it very often.


Fair enough, but what's with fresh installations of v1803/v1809 ?

According to MS, the memory integrity feature is always switched on
on qualifying modern PCs (with virtualization support, UEFI and stuff)
when Windows is installed from scratch.

Wouldn't then "average" users be greeted by a big fat blue screen when they try to install EAM ?
Or am I missing something here / am I getting something wrong ?

22 hours ago, Raynor said:

Fair enough, but what's with fresh installations of v1803/v1809 ?

According to MS, the memory integrity feature is always switched on
on qualifying modern PCs (with virtualization support, UEFI and stuff)
when Windows is installed from scratch.

Wouldn't then "average" users be greeted by a big fat blue screen when they try to install EAM ?
Or am I missing something here / am I getting something wrong ?

https://www.auslogics.com/en/articles/core-isolation-and-memory-integrity/

Quote

Why is Memory Integrity Disabled by Default?

You shouldn’t encounter with the main Core Isolation feature. As long as the Windows 10 PC has the features needed to support it, it will be automatically enabled. Moreover, there is no interface for disabling it.

On the other hand, Memory Integrity protection can cause problems with other low-level Windows applications and some device drivers. This is also the reason why the feature is disabled by default on upgrades. Microsoft has been pushing device manufacturers and developers to make their software and drivers compatible. By default, the feature is enabled on new installations of Windows 10 and new PCs.

If one of the drivers essential in booting your computer is incompatible with Memory Protection, your system will disable the feature. This is why even after enabling it, you find it disabled when you reboot your PC.

Sometimes, when you enable Memory Protection, you might encounter malfunctioning software or problems with other devices. It is recommended that you check for updates with the specific driver or application. You should turn off Memory Protection if you discover that there are no updates available.

As previously mentioned, Memory Integrity might also be incompatible with certain applications that need exclusive access to the virtualization hardware of the system. It is also worth mentioning that tools like debuggers may need exclusive access to this hardware. Moreover, they won’t work when Memory Integrity is enabled.

 

30 minutes ago, Jerky McDilerino said:

By default, the feature is enabled on new installations of Windows 10 and new PCs. 

And THAT is exactly what I'm talking about 🙄

On 10/6/2018 at 10:05 AM, Raynor said:

According to MS, the memory integrity feature is always switched on
on qualifying modern PCs (with virtualization support, UEFI and stuff)
when Windows is installed from scratch.

I just installed Windows 10 1803 (64-bit) on August 1st, and that option was not turned on by default. The motherboard (ASUS Maximus VI Formula) has a UEFI BIOS.


Good. Thanks for the clarification. Then the info given by MS is false 😁...
and this will not be as big an issue as I thought it might be. 👍

10 hours ago, Raynor said:

Then the info given by MS is false 😁...

It's possible that Secure Boot needs to be on. Many computers don't have it on by default.

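Added example, not part of the thread and not Emsisoft code: a read-only PowerShell check that reports whether Memory Integrity (HVCI) is configured and actually running, plus the Secure Boot state raised in the last reply, so the situation described above can be identified before installing a kernel-level product. The registry path, the `Win32_DeviceGuard` class and `Confirm-SecureBootUEFI` are Windows' own names and do not appear in the thread; the function name `Get-MemoryIntegrityState` is made up for this example.

```powershell
# Added example: read-only report of the Memory Integrity (HVCI) state.
# Run from an elevated PowerShell session on Windows 10 v1803 or later.
function Get-MemoryIntegrityState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

    # Configured state: the "Memory integrity" switch is stored as Enabled (DWORD).
    $configured = $false
    $reg = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($reg) { $configured = ($reg.Enabled -eq 1) }

    # Running state: value 2 in SecurityServicesRunning means HVCI is active
    # in the current boot session (1 would be Credential Guard).
    $running = $false
    $vbsStatus = $null
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg) {
        $running   = [bool]($dg.SecurityServicesRunning -contains 2)
        # 0 = VBS not enabled, 1 = enabled but not running, 2 = enabled and running
        $vbsStatus = $dg.VirtualizationBasedSecurityStatus
    }

    # Secure Boot: the cmdlet throws on legacy BIOS systems or without elevation,
    # so an unknown result is reported as $null rather than $false.
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    [pscustomobject]@{
        MemoryIntegrityConfigured = $configured
        MemoryIntegrityRunning    = $running
        VbsStatus                 = $vbsStatus
        SecureBoot                = $secureBoot
        # Configured and running differ when a toggle is waiting for a reboot.
        RebootPending             = ($configured -ne $running)
    }
}

$state = Get-MemoryIntegrityState
$state | Format-List
if ($state.MemoryIntegrityConfigured -or $state.MemoryIntegrityRunning) {
    Write-Warning 'Memory Integrity is on or pending: confirm driver compatibility with the vendor before installing kernel-level software.'
}
```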
