Thread Info
  • Locked Locked
  • Replies 1 reply
  • Subscribers 14 subscribers
  • Views 23626 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cygwin Development Environment vs. Intercept X

Leo Fridley

Would like to report an issue between Sophos Intercept X and Cygwin

(Thanks to an engineer at my organization for helping to provide this content)

Wikipedia_Cygwin

Cygwin is a popular environment that provides UNIX/POSIX functionality on Windows computers.  Development tools vendors often use this environment, since it allows them to provide both Linux and Windows versions of their development tools. Xilix tools include Cygwin as well.

Development tools using Cygwin (or MinGW/MSYS which are minimal distributions of Cygwin) fail with errors shown below.  So far, I have seen these failures with the following development tools:
1) DDC-I OpenArbor (uses Cygwin)
2) Microsemi SoftConsole (uses MinGW)

To reproduce the problem:
1. If "DDC-I OpenArbor" is not already running:
a) launch "DDC-I OpenArbor" shortcut on desktop
b) click "OK" (Select a workspace dialog -> "C:\OpenArbor\training")
2. From "Project" menu, select "Clean..." and click "OK" (Clean all projects)
3. Watch the "DDC-I Console" window at the bottom of the screen for messages like these:
0 [main] make (5376) C:\DDC-I\bin\make.exe: *** fatal error - cygheap base mismatch detected - 0x612AA970/0xE4A970.
This problem is probably due to using incompatible versions of the cygwin DLL.
Search for cygwin1.dll using the Windows Start->Find/Search facility
and delete all but the most recent version. The most recent version *should*
reside in x:\cygwin\bin, where 'x' is the drive on which you have
installed the cygwin distribution. Rebooting is also suggested if you
are unable to find another cygwin DLL.

Cause:

We believe the cause of this issue is due to the memory locations used by both Cygwin and Intercept.  Both products rely on the higher address memory locations when loading data to memory.  As a test we found that unloading certain sophos services would eliminate the interference, but there was no way using the Settings to turn off this conflict.  In other words, simply "allowing" all security parameters did not seem to bypass the processes that use these high-address memory locations.  

Here's the list of Sophos libraries loaded in high address space that conflict with Cygwin:

C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll
C:\Windows\SysWOW64\hmpalert.dll

If sophos_detoured.dll library is associated with a single less critical part of Sophos, that would be a preferred service to stop. Assuming that unloading sophos_detoured.dll solves the conflict with Cygwin - to be verified.



This thread was automatically locked due to age.

  • The Sophos_detours.dll module, and sophos_detoured_x64.dll for 64-bit processes, is loaded using the appinit_dlls (support.microsoft.com/.../working-with-the-appinit-dlls-registry-value) registry key(s).  It is used to implement buffer overflow protection and it is also used in Data Control.  

    You can prevent the SAV installer (custom action RegisterBufferOverflowProtection) from adding the Appinit_dll keys by creating the following key/string value:

    64-bit computers:
    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\SetupOptions]
    "DetourDLLState"="excluded"

    32-bit computers:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\SetupOptions]
    "DetourDLLState"="excluded"

    Regards,
    Jak

Unfiltered HTML