Starting Dec 21st we started seeing a tremendous amount of errors on both our Server Infrastructure and Endpoint devices. This created issues with certain .NET-related applications on end users' workstations that required restarting various applications. One particularly troublesome application was Mimecast For Outlook. Upon investigating, we found that the only resolution to fix these errors was to completely remove Sophos (obviously that's not a solution nor a risk we're willing to take).
Sample Errors -
28-12-2020 09:07:41,964 ERROR  HOST: Domain Unhandled Exception: System.IO.IOException: The pipe is being closed.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.Pipes.NamedPipeServerStream.BeginWaitForConnection(AsyncCallback callback, Object state)
at Mimecast.Mapi.Remote.NamedPipesServer.AcceptPipeConnection(IAsyncResult asyncResult)
at System.IO.Pipes.NamedPipeServerStream.AsyncWaitForConnectionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOverlapped)
at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP). IsTerminating: True (Program)
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.IOException
at System.IO.__Error.WinIOError(Int32, System.String)
at System.IO.Pipes.NamedPipeServerStream.AsyncWaitForConnectionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)
at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)
Is anyone else seeing this? We'll certainly open a Ticket with support but wanted to also understand the scope.
Hello. We have also observed the same behavior within our organization. The Mimecast for Outlook plugin specifically crashes and provides logs just like ignitor's.
After doing some sleuthing, it appears…
New Update from support; :D
"The issue you are experiencing here caused by our MTR service has been acknowledged by development and a fix is being pushed out momentarily which should resolve this for you. I shall update you once the release is complete."
Thanks. Yes, I have had this confirmation (below) that it is now fixed. I have asked for clarification about why they ask to disable controlled update. My PC must have already updated and the Mimecast issue is now fixed. I suggest you test your other apps that have been affected after applying the update.
The reported issue has been addressed from the backend by Sophos. The MTR query pack has been updated; on the next update you will receive it (please disable controlled update in Central if enabled). Now you should perform a Sophos update and check whether .NET / Mimecast is crashing or not on the system.
They mentioned the controlled update function because some folks disable updates via this function; they were just saying to make sure you have controlled updates off so systems get the update. Did the version(s) of the various components in the endpoint agent change? I don't think mine have, we have:
Core Agent: 2.10.8
Endpoint Advanced: 10.8.9.2
Intercept X: 2.0.18
CTO, Convergent Information Security Solutions, LLC
Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
My version is the same as yours. Understood.
Hello Paul, did you contact Mimecast to report that their process can be killed by osquery and a query to the pipes table? I think they would be interested in fixing it.
If you follow up with your Mimecast ticket, you could say that the msddsk.exe process has the named pipe MCSPIPE-1.
If the CreateFile API is called to access this pipe the process will crash as it is here:
osquery/pipes.cpp at 4cf19f29c2508cc5821b82017029da0ada16f9e1 · osquery/osquery (github.com)
A simpler repro for the crash is to call the PS one liner:
Get-ChildItem \\.\pipe\ -Filter "MCSPIPE-1" | select VersionInfo
Hope it helps.
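Added example, not part of the post above and not Mimecast's or Sophos's code: a C# named pipe server that keeps running when a client opens its pipe and closes it at once, assuming the crash in the stack traces earlier in the thread comes from an IOException escaping the accept callback. The pipe name `EXAMPLE-PIPE-1` and the class and method names are constructed for illustration.

```csharp
using System;
using System.IO;
using System.IO.Pipes;
using System.Threading;
using System.Threading.Tasks;
static class ResilientPipeServer
{
    const string PipeName = "EXAMPLE-PIPE-1"; // constructed name, not any product's
    static async Task AcceptLoopAsync(CancellationToken ct)
    {
        while (!ct.IsCancellationRequested)
        {
            // New instance per connection, so one failed accept cannot poison the next.
            using (var server = new NamedPipeServerStream(PipeName, PipeDirection.InOut,
                NamedPipeServerStream.MaxAllowedServerInstances,
                PipeTransmissionMode.Byte, PipeOptions.Asynchronous))
            {
                try
                {
                    await server.WaitForConnectionAsync(ct);
                    string line = await new StreamReader(server).ReadLineAsync();
                    Console.WriteLine(line ?? "(client closed without sending data)");
                }
                catch (IOException ex)
                {
                    // Covers "The pipe is being closed.": log and listen again, do not terminate.
                    Console.WriteLine("pipe error, re-listening: " + ex.Message);
                }
                catch (OperationCanceledException) { return; }
            }
        }
    }
    static async Task Main()
    {
        var cts = new CancellationTokenSource();
        Task serverTask = AcceptLoopAsync(cts.Token);
        // Constructed probe: opens the pipe and closes it without sending anything.
        using (var probe = new NamedPipeClientStream(".", PipeName, PipeDirection.InOut))
            probe.Connect(2000);
        using (var client = new NamedPipeClientStream(".", PipeName, PipeDirection.InOut))
        {
            client.Connect(2000); // a normal client afterwards is still served
            var writer = new StreamWriter(client) { AutoFlush = true };
            writer.WriteLine("hello");
        }
        await Task.Delay(500);
        cts.Cancel();
        await serverTask;
    }
}
```

The point for a pipe server that other local processes can reach is that every accept and read path treats IOException as an expected event, since any process able to open the pipe can otherwise end the service.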
I guess they might be a bit busy to reply. I assume no updates?