BSOD APC_INDEX_MISMATCH when starting sandboxed programs in Dev Drive

Whenever starting a program stored in a Dev Drive in Avast, if the program triggers CyberCapture automatic sandboxing then the computer will crash with code APC_INDEX_MISMATCH.
Strangely, right-clicking the program - Run in sandbox does nothing.
Disabling hardware-assisted virtualization in troubleshooting settings had no effect.
Disabling Dev Drive completely fixes the issue.

Crash stack trace:


Arguments:
Arg1: 00007ffe109f0374, Address of system call function or worker routine
Arg2: 0000000000000000, Thread->ApcStateIndex
Arg3: 000000000000fffe, (Thread->SpecialApcDisable << 16) | Thread->KernelApcDisable
Arg4: ffffce041b27eaa0, Call type (0 - system call, 1 - worker routine)

[...]

STACK_TEXT:  
ffffce04`1b27e8d8 fffff805`1e22bf29     : 00000000`00000001 00007ffe`109f0374 00000000`00000000 00000000`0000fffe : nt!KeBugCheckEx
ffffce04`1b27e8e0 fffff805`1e22bde9     : ffffe70f`155ac080 00000000`00000000 00000000`0000003f ffffe70f`00000000 : nt!KiBugCheckDispatch+0x69
ffffce04`1b27ea20 00007ffe`109f0374     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExitPico+0x3ad
0000008c`13cfeed8 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`109f0374


SYMBOL_NAME:  nt!KiSystemServiceExitPico+3ad

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

IMAGE_VERSION:  10.0.22621.4169

Windows 11 version: 10.0.22631.4169
Avast version: 24.9.6130 (build 24.9.9452.875)
Signature version: 240926-2

Hello TD11,

What is the configuration of your Dev Drive volume? Please provide the output of the command:

fsutil.exe devdrv query X:

assuming your Dev Drive is X. It must be executed as admin.

Thank you

Here’s the filter configuration:


This is a trusted developer volume.

Developer volumes are protected by antivirus filter.

Filters currently attached to this developer volume:
    aswMonFlt

Allowing the sandbox filter to attach to dev drives fixed the problem:

fsutil devdrv setFiltersAllowed aswsnx

But IMO CyberCapture should be toggleable on dev drives.

Thank you. Having aswSnx attached to a Dev Drive kinda denies the purpose of the Dev Drive: to avoid FS filter processing to improve performance.
We will of course fix the crash ASAP.
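
The filter check discussed in this thread, as an added example that is not part of the original posts or of Avast's tooling: it parses saved `fsutil devdrv query` output and reports which expected minifilters are not attached to the volume. The function names and the sample text (rebuilt from the lines quoted above) are assumptions made for illustration; names are compared case-insensitively because the thread writes both `aswsnx` and `aswSnx`.

```python
import re

# Constructed sample: the query output lines quoted in the thread.
SAMPLE_QUERY_OUTPUT = """\
This is a trusted developer volume.

Developer volumes are protected by antivirus filter.

Filters currently attached to this developer volume:
    aswMonFlt
"""


def parse_filter_sections(text):
    """Map each 'Filters ...:' heading to the filter names indented under it."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("filters ") and stripped.endswith(":"):
            current = stripped[:-1]
            sections[current] = []
        elif current is not None and line[:1] in (" ", "\t") and stripped:
            # Names may be listed one per line or comma-separated.
            sections[current] += [n for n in re.split(r"[,\s]+", stripped) if n]
        elif stripped:
            current = None  # an unindented non-heading line ends the section
    return sections


def attached_filters(text):
    """Names listed under the 'currently attached' heading, in order."""
    for heading, names in parse_filter_sections(text).items():
        if "currently attached" in heading.lower():
            return names
    return []


def missing_filters(text, expected):
    """Expected filters that are not attached (case-insensitive match)."""
    attached = {name.lower() for name in attached_filters(text)}
    return [name for name in expected if name.lower() not in attached]


if __name__ == "__main__":
    print("attached:", attached_filters(SAMPLE_QUERY_OUTPUT))
    print("missing :", missing_filters(SAMPLE_QUERY_OUTPUT, ["aswMonFlt", "aswSnx"]))
```
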