Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 25 replies
  • Subscribers 1 subscriber
  • Views 30684 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Crash - Chrome

minimoo
Hello,
Just wondering if anyone else is aware of the sophos web intelligence module seemingly crashing within google chrome:
 
Faulting application name: chrome.exe, version: 0.0.0.0, time stamp: 0x4d490687
Faulting module name: swi_filter_0001.dll, version: 1.0.5.0, time stamp: 0x4ca1f9cb
Exception code: 0xc0000005
Fault offset: 0x00014915
Faulting process id: 0x1920
Faulting application start time: 0x01cbc55d3a55a1c0
Faulting application path: C:\Users\Paul\AppData\Local\Google\Chrome\Application\chrome.exe
Faulting module path: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_filter_0001.dll
Report Id: 5d749190-3153-11e0-9750-001a92782b5b

Faulting application name: chrome.exe, version: 0.0.0.0, time stamp: 0x4d490687

Faulting module name: swi_filter_0001.dll, version: 1.0.5.0, time stamp: 0x4ca1f9cbException code: 0xc0000005

Fault offset: 0x00014915

Faulting process id: 0x1920

Faulting application start time: 0x01cbc55d3a55a1c0

Faulting application path: C:\Users\Paul\AppData\Local\Google\Chrome\Application\chrome.exe

Faulting module path: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_filter_0001.dll

Report Id: 5d749190-3153-11e0-9750-001a92782b5b

FAULTING_IP: 

swi_filter_0001!HTTPFilterBlockPageBytesProcessed+124e5

70084915 8a1a            mov     bl,byte ptr [edx]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)

ExceptionAddress: 70084915 (swi_filter_0001!HTTPFilterBlockPageBytesProcessed+0x000124e5)

   ExceptionCode: c0000005 (Access violation)

  ExceptionFlags: 00000000

NumberParameters: 2

   Parameter[0]: 00000000

   Parameter[1]: 068f5000

Attempt to read from address 068f5000

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
044ff5fc 700846fe 0632cff8 068f5000 ffffffff swi_filter_0001!HTTPFilterBlockPageBytesProcessed+0x124e5
044ff618 7008484d ffffffff 0632ced0 7007fa73 swi_filter_0001!HTTPFilterBlockPageBytesProcessed+0x122ce
044ff624 7007fa73 0632ce60 044ff710 0632c580 swi_filter_0001!HTTPFilterBlockPageBytesProcessed+0x1241d
044ff634 70077ac4 068f3224 ffffffff 870d0489 swi_filter_0001!HTTPFilterBlockPageBytesProcessed+0xd643
044ff688 778f8a18 02d80000 00d80ca0 00000000 swi_filter_0001!HTTPFilterBlockPageBytesProcessed+0x5694
044ff6c8 02d80ad0 044ff7c0 778f2e5e 02d80138 ntdll!RtlpDeCommitFreeBlock+0x9a
044ff710 70071f0c 068f3000 870d0519 00000000 0x2d80ad0
044ff7d8 72611fc2 0632c580 068f3000 00000223 swi_filter_0001!HTTPFilterRecvFromServer+0x4c
00000000 00000000 00000000 00000000 00000000 swi_lsp+0x1fc2
:8837


This thread was automatically locked due to age.
  • 0

    Stop those services: 

    •  Sophos Web Intelligence Service
    •  Sophos Web Intelligence Update


    It will correct your problem.
    It appears that this bug comes with the v.10 and the web filter Sophos protocoles. By stopping this two services, you will stop this "problematic web filtering scanner".

    This solution is temporary  pending solution or fix from Sophos.

    Best regards

    :20237
  • 0

    Hi,


    Cadocomp, it's interesting to hear your theory about your iPrism content filter having an effect on it.

    It would be interesting to get a log from a tool such as Fiddler (http://www.fiddler2.com/ ) with and then without the iPrism filter running, on the right side in Fiddler you can view the "Raw" data.  Be interesting to see if headers have anything to do with it?  How the 2 traces might differ.


    Regards,

    Jak 

    :20239
  • 0

    Ok, will do. I will upload the logs tomorrow morning, as I can't turn the iPrism on during business hours without problems.

    One more thing I forgot to mention. When the iPrism is on with SAV 10, many websites running on Port 80 do not load, while sites on 443 load fine. (Taking iPrism offline fixes this, OR keep iprism online and removing Sophos also fixes this).

    :20241
  • 0

    Ok, here are our before and after logs:

    http://www.mediafire.com/?tl83wmosqm7c0pt,3uf95yaar1vmhyi

    I set a GPO to disable the Sophos Web Intelligence Service and things work fine with that disabled. I enabled it just on my computer and turned the iPrism on this morning, and things seem to be working today, which is kind of odd. Hope those logs help.

    Sophos support want me to renable the wen filter policy, push to clients, and then disable it again. (I do not want to do that and go through that headache again). 

    :20271
  • 0

    I too am getting the similar issues...

    Currently Environment:

    SEC 5

    Endpoint Sec 10

    Windows 7 x64

    I only discovered this issue today, with Web Protection enabled I didn't see any crashes but instead saw poor ping times across the network, access to sites with it enabled returned pings over 180ms.

    It was only when I disabled "Download Scanning" that my ping issues vanished but crashing then appeared...

    When Download scanning is "As on Access" or "ON" all browsers (IE, FF, GC) work fine but loading pages is considerably slower, I then disabled this and page viewing was then great but crashing on all browsers became apparent...

    Disabling the Sophos Web Intelligence Service is a quick fix but I would rather not have to mess around with services.

    I would like for it to be enabled, not increase ping from 10ms to 180ms and to not crash!

    :20285
  • 0

    It's crashing Chrome and Frontmotion for us. I've had to uninstall it pending a fix. I can't push it to 20,000 clients and stop services on all those clients so that they do not lock up on Chrome.

    Specifically it crashes when I attempt to go to our helpdesk page which is running on a KACE box. 

    :20315
  • 0

    Hello,

    We are currently investigating a number of similar reports of browser crashes related version 10.0. There are a couple of fixes that we have identified that will be included, subject to testing, in version 10.0.1 which is due for release later in January. Hopefully this release will solve the problems you have experienced too.

    Thanks for using Sophos Endpoint and for contributing to the SophosTalk community.

    Regards

    Richard Baldry

    Product Manager - Endpoint Web Filtering

    Sophos

    :20393
  • 0

    Thanks for the update, hopefully this will cure the issues being seen.

    Lee

    :20561
  • 0

    Hi Richard

    We are running 10.0.1 and still have the issue with the Web Intelligence service causing Chrome to crash, is there something else we need to do?

    Regards

    Alex

    :22247
  • 0

    Hi,

    Creating a process dump at the point Chrome crashes and creating a Support ticket is your best bet.

    If you download ProcDump from Sysinternals (http://technet.microsoft.com/en-us/sysinternals/dd996900 ) then run in an administrative command prompt:


    procdump -ma -e [PID of the Chrome process that crashes] C:\chrome.dmp

    Hopefully when you get a crash C:\chrome.dmp will be written.  To identify the PID of the require Chrome.exe process (modern browsers with all their processes makes this required) you should be able to use the following command in Chrome:

    chrome://memory-redirect/

    Regards,

    Jak

    :22249