Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 21 replies
  • Answers 2 answers
  • Subscribers 6 subscribers
  • Views 56766 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos 10 swi_filter.dll crash

jkillebrew

We just deployed SAV 10 to a small group of users today and immediately complaints started rolling in regarding Firefox and IE crashing, or at least in IE just a tab crashing. I am able to consistently recreate the problem on Firefox and multiple versions of IE on various Windows 32 adn 64 bit platforms. The most consistent way to make it crash is to try look at the web interface for our Cisco WLAN controller and view the properties of a wireless AP. (I know that may seem obscure or mean nothing to most of you). All crashes seems to be on pages with a lot of javascript or other fancy stuff, so is pretty much a deal breaker for us. Rolling back to 9.7 now.

The windows application log shows the following:

Faulting application name: iexplore.exe, version: 9.0.8112.16421, time stamp: 0x4d76255d

Faulting module name: swi_filter.dll, version: 3.1.6.0, time stamp: 0x4eb90ba4

Exception code: 0xc0000005

Fault offset: 0x0001c120

Faulting process id: 0x1038

Faulting application start time: 0x01ccbf993dcaf516

Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Faulting module path: C:\ProgramData\Sophos\Web Intelligence\swi_filter.dll

and then:

Fault bucket 2703348986, type 1

Event Name: APPCRASH

Response: Not available

Cab Id: 0

Problem signature:

P1: iexplore.exe

P2: 9.0.8112.16421

P3: 4d76255d

P4: swi_filter.dll

P5: 3.1.6.0

P6: 4eb90ba4

P7: c0000005

P8: 0001c120

P9:

P10:

:20099


This thread was automatically locked due to age.
  • 0

    HI,

    Do you have a machine with 10 on to test something with?

    If you do, could you do as follows. I've noticed a crash once in Chrome, not seen it since, but I'd be interested to see if it's the same problem.  To do so:

    1. Download Windbg

    http://msdn.microsoft.com/en-us/windows/hardware/gg463009


    2. Once you've installed Windbg you should be able to run for example:
    "C:\Program Files\Debugging Tools for Windows (x64)\windbg.exe" -I

    This will register Windbg as the default post-motem debugger. Essentially setting the key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug \

    3. Reproduce the problem.

    4. At the exception, Windbg.exe should launch and attach to the crashing process.

    5. Click on the "View - Call Stack".

    6. Can you provide the text for the stack?

    Regards,

    Jak



     

    :20103
  • 0

    Similar experience this morning on a server 2008 machine trying to access an internal site. I had to disable the web control service in order to restore access in our production environment. I am currently unable to reproduce in my test environment, but the site that was experiencing the error simply will not open on my test machine with the web control services enabled. It never even times out, just sits there "loading" forever.

    Log Name:      Application
    Source:        Application Error
    Date:          12/21/2011 9:56:26 AM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      xen-app604.wataugamc.org
    Description:
    Faulting application name: iexplore.exe, version: 8.0.7600.16869, time stamp: 0x4e4f21db
    Faulting module name: swi_filter.dll, version: 3.1.6.0, time stamp: 0x4eb90ba4
    Exception code: 0xc0000005
    Fault offset: 0x0001c120
    Faulting process id: 0x3010
    Faulting application start time: 0x01ccbff05a0707f3
    Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Faulting module path: C:\ProgramData\Sophos\Web Intelligence\swi_filter.dll
    Report Id: f4375ec5-2be3-11e1-885a-005056895402
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-12-21T14:56:26.000000000Z" />
        <EventRecordID>560774</EventRecordID>
        <Channel>Application</Channel>
        <Computer>xen-app604.wataugamc.org</Computer>
        <Security />
      </System>
      <EventData>
        <Data>iexplore.exe</Data>
        <Data>8.0.7600.16869</Data>
        <Data>4e4f21db</Data>
        <Data>swi_filter.dll</Data>
        <Data>3.1.6.0</Data>
        <Data>4eb90ba4</Data>
        <Data>c0000005</Data>
        <Data>0001c120</Data>
        <Data>3010</Data>
        <Data>01ccbff05a0707f3</Data>
        <Data>C:\Program Files (x86)\Internet Explorer\iexplore.exe</Data>
        <Data>C:\ProgramData\Sophos\Web Intelligence\swi_filter.dll</Data>
        <Data>f4375ec5-2be3-11e1-885a-005056895402</Data>
      </EventData>
    </Event>

    :20115
  • 0

    I do not know if this relates to your situation, but I have found that websites containing many active-x controls, cab downloads, etc, will cause errors or simply not load if you do not have on-access scanning enabled, and download scannign as "on" or "as on-access".

    These servers that I was having issues with we were not using on-access scanning for performance reasons. They are provisioned XenApp servers that host our web based applications. Once I enabled a limited form of on-access scanning (on rename only), with download scanning set to "as on-access", I seem to be getting no more errors. 

    :20117
  • 0

    For me, the problem happens while on-access scanning is enabled, and we have it set to "on read" only.

    I am trying to install windbg but the sdk actually fails to download some of the compontents over http while on-access scanning is enabled and more dll errors are thrown. I'll try to post something once I work around that.

    We have had this exact same problem a long while ago with some version of 9.5 i think, but it was fixed a few revs later. This seems worse however, with far more web pages affected. I also get a lot of random crashes on pages that have any javascript, and consistent crashes on pages with heave amounts of scripting including many of the web based management consoles for our HP, Cisco, and Novell systems.

    :20121
  • 0

    For information, when I get the crash in Chrome I get the following:



    Setting Windbg as the post-mortem debugger as mentioned above it shows:

    Access violation - code c0000005 (!!! second chance !!!)

    and the module:function in trouble seems to be:
    swi_filter!HTTPFilterIsEos

    When I get the problem in IE, Windbg launches, I run the command:

    !analyze -v

    and it fingers:swi_filter!HTTPFilterIsEos again.

    If anyone else is able to do the same and confirm the same function failing this would at least suggest we're seeing the same problem.

    Regards,

    Jak

    :20125
  • 0

    Correction, I thought my on-access settings had correct the problem. At least, they seemed to for some hours. This morning I had users complaining of access problems, and saw the same behavior as yesterday. I have currently disabled the web control services to restore access for these users.

    :20157
  • 0

    I have VS2010 on my system so I'm not sure if this is exactly what the stack is you want to see, but hopefully this helps.

    Unhandled exception at 0x7434c120 in iexplore.exe: 0xC0000005: Access violation reading location 0x0000001c.

    Call stack location:

    swi_filter.dll!7434c120()

    this corresponds to:

    7434C120  cmp         esi,dword ptr [edi+14h]

    which contains:

            ESI    00000000   
            EDI    00000008   
            EBX    122D6800   
            CL    00   
            AL    60   
            EAX    0A541360   

    I do not have any web control enabled.

    :20223
  • 0

    Exactly the same in google chome except the stack contains this instead:

            ESI    00000000   
            EDI    00000008   
            EBX    0D786C70   
            CL    00   
            AL    48   
            EAX    05FC8A48   

    It crashes firefox too, but I cannot easily get the debug info because firefox has its own exception handler. Safari does not appear to be affected because none of the same websites crashed in safari.

    :20225
  • 0

    EVen though we have the website scanning/downloading turned off on Sophos, it still seems to crash browsers if the content filter is on. I don't think they have a fix for this yet. I have a case open with them, and they have been getting SDU logs from clients, and the Console server. I noticed that if we turn OFF our iPrism content filter appliance on our network, this issue seems to go away. (I haven't tested for long, but inital tests show this to be true.

    :20231
  • 0

    Stop those services: 

    •  Sophos Web Intelligence Service
    •  Sophos Web Intelligence Update


    It will correct your problem.
    It appears that this bug comes with the v.10 and the web filter Sophos protocoles. By stopping this two services, you will stop this "problematic web filtering scanner".

    This solution is temporary  pending solution or fix from Sophos.

    Best regards

    :20235
Unfiltered HTML