7 Replies Latest reply on Dec 1, 2010 12:40 AM by vinoo

    Getsusp Application error/crash

      I've seen this occur twice (once using .81 and once using .118). I can't track down the cause either time. It appeared while scanning files, approximately 14% in. Strangely enough, if I run the scan again it works fine.

       

      Event Type:    Error
      Event Source:    Application Error
      Event Category:    None
      Event ID:    1000
      Date:        02/11/2010
      Time:        12:22:56 PM
      User:        N/A
      Computer:   
      Description:
      Faulting application getsusp.exe, version 0.0.0.0, faulting module , version 0.0.0.0, fault address 0x00000000.
      Data:
      0000: 41 70 70 6c 69 63 61 74   Applicat
      0008: 69 6f 6e 20 46 61 69 6c   ion Fail
      0010: 75 72 65 20 20 67 65 74   ure  get
      0018: 73 75 73 70 2e 65 78 65   susp.exe
      0020: 20 30 2e 30 2e 30 2e 30    0.0.0.0
      0028: 20 69 6e 20 20 30 2e 30    in  0.0
      0030: 2e 30 2e 30 20 61 74 20   .0.0 at
      0038: 6f 66 66 73 65 74 20 30   offset 0
      0040: 30 30 30 30 30 30 30 0d   0000000.
      0048: 0a                        .     

       

      What diagnostic steps can I perform to assist with working out the error?

        • 1. Re: Getsusp Application error/crash
          vinoo

          Hi Malcolm,

           

          Thanks for reporting.

           

          Are you encountering the crash while doing a manual scan or remote scan via ePO/PSEXEC?

           

          What is the OS? Does it happen on only 1 machine or have you seen it on multiple machines?

           

          Are any xml or scan logs created by GetSusp post the crash? Could you mail us the logs if they got created?

           

          We've come across an issue in the past where the scan froze while scanning a particular file - but no crash was observed.

           

          Best,
          Vinoo

          • 2. Re: Getsusp Application error/crash

            Local scan. Have only seen it on one machine (Win XP Pro SP3).

             

            Cannot replicate at will - it just has happened. I'll try and reproduce it again and provide more information.

            • 3. Re: Getsusp Application error/crash

              Ok, it just happened again.

               

              First run of the software (deleted the Opt file and logs etc).

               

              Even though it's crashed (~18%), the scan is continuing. Did seem to occur just after an Unknown file was scanned and reported.

               

              The file was:

              UNKNOWN | 390da388f196ff67588d7493282a8e9e | C:\Program Files\Notes85\Data\workspace\.config\org.eclipse.osgi\bundles\1457\1\.cp\os\win32\x86 | ActivityMonitor.dll | A | International Business Machines Corporation | ActivityMonitor | 1, 0, 1, 2 | 1, 0, 1, 2 | 28,672 | 09/03/2010 10:55 | 09/03/2010 10:55 | Module

               

              Deleted the opt file etc and re-scanned, and the scan is successful.

               

               

              Message was edited by: mjmurra on 3/11/10 9:24:08 AM
              • 4. Re: Getsusp Application error/crash

                Ok, here's some more information on what I have found:

                 

                - Does seem to be more prevalent where the scan is the first scan after rebooting the computer.

                - And it's the first time it has been run (i.e. the opt file/logs are removed).

                - I leave all settings at their default, and don't add in my proxy information.

                - Artemis would work over DNS, but there is no direct connection to McAfee GTI.

                 

                Sometimes the scan continues after the crash, so the logs aren't beneficial. On each occasion, the following event is logged:

                 

                Event Type:    Error
                Event Source:    Application Error
                Event Category:    None
                Event ID:    1000
                Date:        03/11/2010
                Time:        11:30:34 AM
                User:        N/A
                Computer:   
                Description:
                Faulting application getsusp.exe, version 0.0.0.0, faulting module , version 0.0.0.0, fault address 0x00000000.

                 

                 

                Have not tried on other computers to replicate this scenario.

                • 5. Re: Getsusp Application error/crash
                  vinoo

                  Thanks for the info. We ran several scans on ActivityMonitor.dll (md5:390da388f196ff67588d7493282a8e9e) but no crash was observed on our end. The team will continue to try and replicate the crash.

                   

                  ActivityMonitor.dll has been added to our whitelist. Give it ~20 mins - it should not come up as unknown henceforth.

                  • 6. Re: Getsusp Application error/crash

                    I've run Getsusp (via EPO) on about 1000 machines, and have seen this occur again on some of them. So it's definitely an issue I'm seeing in my prod environment.

                     

                    In some cases the .zip is created, but the XML is corrupt, in others the XML starts but the task doesn't complete etc.

                     

                    Is there any further information I can give to help work out why/where it might be crashing out?

                    • 7. Re: Getsusp Application error/crash
                      vinoo

                      We haven't been able to replicate this issue in-house. Don't have any leads on this yet.

                       

                      A dev build of GetSusp with the -ePO switch is available and currently undergoing QA. We should be able to share this version with you next week.