Sophos blocking Skype For Business / Lync

I am currently troubleshooting an issue with the Lync 2013/SfB 2015 client crashing.

Working through various information online, I came across an interesting article regarding registered layered service providers

https://social.technet.microsoft.com/Forums/en-US/7bb40d9c-78a0-4169-a0f2-ef293c87939f/skype-for-business-2015-crashed-right-after-making-audio-calljoin-meeting?forum=ocsclients

I ran the netsh winsock show catalog, and found one of these relating to the Sophos web filter service swi_ifslsp.dll.

I am deleting the dll as a test on a couple of clients as the article suggests, to see if that prevents this from occurring.

The issue you are facing is slightly different, but as this relates to the web filter and your symptoms suggest a connectivity issue, I thought I would share.

Hello, I wouldn't suggest just deleting the LSP Dlls.  If the entries for Sophos are still in the Winsock catalog and the files don't exist, when a process makes a Winsock call they won't be loaded but I'm not sure of the behaviour but it could be unpredictable.

To unload the Sophos LSPs from Winsock, I would suggest to disable the following features on the endpoint:

1. Web Control (may not be in use)

2. Download scanning + block access to malicious websites.  (these can be found under Configure - Anti-Virus-Web protection)

With all 3 features disabled there is nothing for the LSP to do so it will be unloaded from Winsock on the next system restart.  It is deferred to the next reboot by:

1. A registry key (hklm\software\[wow6432node]\sophos\web intelligence\) called swiupdateaction is set to 3.

2. When the Sophos Web Intelligence Update service is started (at next boot) it sees the new action key with a value of 3 and removes the LSP from the catalog.

It's done early at reboot to prevent too many applications that use Winsock from loading in the LSP before it can be removed.  You may even need to restart twice to guarantee that all processes on the system haven't loaded the LSP but typically not required as the update service is part of an early start group.

Note: you can just start the swiupdate service once the swiupdateaction key is there and the LSP will be removed.  As all the opened applications that use Winsock already have it loaded you need to start restarting processes etc.. So it might be as easy to reboot.

With the LSP removed ("netsh winsock show catalog" to prove it.) does the application work?

If you enable just one of the above 3 features the LSP will be put back and you can see it return in the catalog.

The LSP is only uses up to Windows 7/2008 R2, for Windows 8 and 2012+, the LSP is replaces by a WFP callout driver.

To troubleshoot this, I would suggest making Procdump (https://technet.microsoft.com/en-gb/sysinternals/dd996900.aspx) the default postmortem debugger on a test computer by running:
procdump -ma -i c:\dumps
Note: Create the C:\dumps directory manually.

Reproduce the problem and you should have a full dump of the crashing processes memory.

Then install Windbg as part of the Debugging Tools for Windows which is part of the SDK (https://dev.windows.com/en-us/downloads/windows-10-sdk).

Configure Sysmbols - https://msdn.microsoft.com/en-gb/library/windows/desktop/ee416588(v=vs.85).aspx

Then open the crash dump file in Windbg and run:

!analyze -v

This might give you a clue as to what the failing stack/thread was doing.  Hoprefully the function names are quite descriptive and points you in the right direction.

Failing this, the dump file should be useful for Sophos Support as a starting point. 

Note: The -u switch will remove the registry keys that makes procdump the default postmortem dubugger.

Regards,

Jak

Jak,

I have not yet tried any debugging, but I disabled the download +malicious site scanning as suggested above (web control was already disabled) and for the past 2 weeks I have had next to no crashes. Nothing else on the network has changed, no updates have been rolled out to the Lync software.