Thanks for reporting.
Are you encountering the crash while doing a manual scan or remote scan via ePO/PSEXEC?
What is the OS? Does it happen on only 1 machine or have you seen it on multiple machines?
Are any xml or scan logs created by GetSusp post the crash? Could you mail us the logs if they got created?
We've come across an issue in the past where the scan froze while scanning a particular file - but no crash was observed.
Local scan. Have only seen it on one machine (Win XP Pro SP3).
Cannot replicate at will - it just has happened. I'll try and reproduce it again and provide more information.
Ok, it just happened again.
First run of the software (deleted the Opt file and logs etc).
Even though it's crashed (~18%), the scan is continuing. Did seem to occur just after an Unknown file was scanned and reported.
The file was:
UNKNOWN 390da388f196ff67588d7493282a8e9e C:\Program Files\Notes85\Data\workspace\.config\org.eclipse.osgi\bundles\1457\1\.cp\os\win 32\x86 ActivityMonitor.dll A International Business Machines Corporation ActivityMonitor 1, 0, 1, 2 1, 0, 1, 2 28,672 09/03/2010 10:55 09/03/2010 10:55 Module
Deleted the opt file etc and re-scanned, and the scan is successful.
Ok, here's some more information on what I have found:
- Does seem to be more prevalent where the scan is the first scan after rebooting the computer.
- And it's the first time it has been run (i.e. the opt file/logs are removed).
- I leave all settings at their default, and don't add in my proxy information.
- Artemis would work over DNS, but there is no direct connection to McAfee GTI.
Sometimes the scan continues after the crash, so the logs aren't beneficial. On each occasion, the following event is logged:
Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Time: 11:30:34 AM
Faulting application getsusp.exe, version 0.0.0.0, faulting module , version 0.0.0.0, fault address 0x00000000.
Have not tried on other computers to replicate this scenario.
Thanks for the info. We ran several scans on ActivityMonitor.dll (md5:390da388f196ff67588d7493282a8e9e) but no crash was observed on our end. The team will continue to try and replicate the crash.
ActivityMonitor.dll has been added to our whitelist. Give it ~20 mins - it should not come up as unknown henceforth.
I've run Getsusp (via EPO) on about 1000 machines, and have seen this occur again on some of them. So it's definitely an issue I'm seeing in my prod environment.
In some cases the .zip is created, but the XML is corrupt, in others the XML starts but the task doesn't complete etc.
Is there any further information I can give to help work out why/where it might be crashing out?
We haven't been able to replicate this issue in-house. Don't have any leads on this yet.
A dev build of GetSusp with the -ePO switch is available and currently undergoing QA. We should be able to share this version with you next week.