1 Reply Latest reply on Feb 29, 2012 11:09 AM by tao

    RSSensor.exe crashing

    andrep1

      On multiple servers, we are seeing the Rogue System Sensor crashing intermittently, up to multiple times a day. I'm wondering if anyone had a similar experience or would have suggestions.

       

      Here are cleaned-up logs from one of the servers.

      The following events are logged in the application and system logs.

       

      Log Name:      Application

      Source:        Application Error

      Date:          2012-02-28 08:27:11 AM

      Event ID:      1000

      Task Category: (100)

      Level:         Error

      Keywords:      Classic

      User:          N/A

      Description:

      Faulting application RSSensor.exe, version 4.6.1.1192, time stamp 0x4e699fad, faulting module ScanDLL.dll, version 1.0.0.5, time stamp 0x49ee0f4c, exception code 0xc0000005, fault offset 0x0000ca12, process id 0x2424, application start time 0x01ccf56f2c7b6223.

       

      Log Name:      System

      Source:        Service Control Manager

      Date:          2012-02-28 08:27:17 AM

      Event ID:      7034

      Task Category: None

      Level:         Error

      Keywords:      Classic

      User:          N/A

      Description:

      The McAfee Rogue System Sensor service terminated unexpectedly.  It has done this 7 time(s).

       

      The rsdsensor_out.log shows a stoppage in logging then eventually the sensor restarts with the following in the logs. It shows the backup sensor has taken over:

       

      02-28-12 08:39:27,339 [11232] INFO RSDSensor <> - McAfee Rogue System Sensor 4.6.1.1192 Build 1192
      02-28-12 08:39:27,354 [11232] INFO RSDSensor <> - Sensor is executing from: C:\Program Files (x86)\McAfee\RSD Sensor\RSSensor.exe
      02-28-12 08:39:27,354 [11232] INFO RSDSensor <> - Initializing logger from config file at: C:\Program Files (x86)\McAfee\RSD Sensor\RSSensor_log.cfg
      02-28-12 08:39:27,417 [7988] INFO RSDSensor <> - Starting sensor (true_main)
      02-28-12 08:39:27,760 [7988] INFO RSDSensor <> - Searching for Sensor interfaces to bind to
      02-28-12 08:39:27,900 [7988] INFO RSDSensor <> - Found IP address: xx.xx.xx.xx on interface HP Network Team #1  with MAC address xx:xx:xx:xx:xx:xx.

      02-28-12 08:39:27,916 [7988] INFO RSDSensor <> - Calling pcap_findalldevs()...
      02-28-12 08:39:28,306 [7988] INFO RSDSensor <> - Successfully returned from pcap_findalldevs()... beginning loop through adapters.

      02-28-12 08:39:28,306 [7988] WARN RSDSensor <> - WinPcap did not return any IP addresses for device \Device\WPRO_41_2001_{083F2CCD-D677-441E-8FC1-4E4A30091D54}.

      02-28-12 08:39:28,306 [7988] WARN RSDSensor <> - WinPcap did not return any IP addresses for device \Device\WPRO_41_2001_{B5D80587-C701-46C9-85CA-310885386073}.

      02-28-12 08:39:28,306 [7988] WARN RSDSensor <> - WinPcap did not return any IP addresses for device \Device\WPRO_41_2001_{0C3935A2-C6E2-4D0E-9C99-BBC2AC0A7AE5}.

      02-28-12 08:39:28,306 [7988] WARN RSDSensor <> - WinPcap did not return any IP addresses for device \Device\WPRO_41_2001_{772D10EC-9220-4EBD-9BF2-B23E9D49A391}.

      02-28-12 08:39:28,306 [7988] INFO RSDSensor.ServerCom <> - Server communication initialized to URL: https://xx.xx.xx.xx:xxxx/rsdsensor/engine.sm

      02-28-12 08:39:28,321 [7988] INFO RSDSensor <> - Created a virtual sensor for xx.xx.xx.xx on interface Network Teaming Intermediate Driver (NTID).

      02-28-12 08:39:28,321 [7988] INFO RSDSensor <> - Starting 1 sensors.
      02-28-12 08:39:28,321 [7988] INFO RSDSensor <> - Virtual Sensors are loaded and ready to go
      02-28-12 08:39:28,321 [7988] INFO RSDSensor <> - Prep for sensor wait
      02-28-12 08:39:28,321 [7988] INFO RSDSensor <> - Begin sensor wait
      02-28-12 08:39:28,321 [11144] INFO RSDSensor <> - Virtual sensor 11144 initialized at network address: xx.xx.xx.xx on interface 'Network Teaming Intermediate Driver (NTID)'

      02-28-12 08:39:28,321 [11144] INFO RSDSensor.ServerCom <> - Sending data to the server at https://xx.xx.xx.xx:xxxx/rsdsensor/engine.sm

      02-28-12 08:39:29,148 [11144] WARN RSDSensor <> - Failover notification for virtual sensor 11144 on network xx.xx.xx.xx:

      The server has changed the failover status. Ceasing operation and going to sleep.
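
Added example, not part of the original post and not McAfee code: a small parser for the rsdsensor_out.log line layout shown above that reports each silence ending in a sensor start banner, plus any failover notifications. The 08:26 sample line, the one-minute threshold and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Layout seen in the post: "MM-DD-YY HH:MM:SS,mmm [thread] LEVEL logger <> - message"
LINE_RE = re.compile(
    r"^\s*(\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(\d+)\] (\w+) (\S+) <> - (.*)$")
BANNER = "McAfee Rogue System Sensor"  # first line written on start, per the post

# Constructed sample: the 08:26 line is invented to stand in for the last entry
# before the crash; the later lines follow the excerpt in the post.
SAMPLE = """\
02-28-12 08:26:58,102 [9120] INFO RSDSensor.ServerCom <> - Sending data to the server at https://xx.xx.xx.xx:xxxx/rsdsensor/engine.sm
02-28-12 08:39:27,339 [11232] INFO RSDSensor <> - McAfee Rogue System Sensor 4.6.1.1192 Build 1192
02-28-12 08:39:27,417 [7988] INFO RSDSensor <> - Starting sensor (true_main)
02-28-12 08:39:29,148 [11144] WARN RSDSensor <> - Failover notification for virtual sensor 11144 on network xx.xx.xx.xx:
The server has changed the failover status. Ceasing operation and going to sleep.
"""


def parse(lines):
    """Yield (timestamp, level, message); continuation lines without a timestamp are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m-%d-%y %H:%M:%S,%f")
            yield ts, m.group(3), m.group(5)


def restart_gaps(lines, min_gap=timedelta(minutes=1)):
    """Return (last_entry, restart_time, gap) for each start banner preceded by silence >= min_gap."""
    gaps, prev = [], None
    for ts, _level, msg in parse(lines):
        if msg.startswith(BANNER) and prev is not None and ts - prev >= min_gap:
            gaps.append((prev, ts, ts - prev))
        prev = ts
    return gaps


def failover_sleeps(lines):
    """Timestamps at which a virtual sensor logged a failover notification."""
    return [ts for ts, level, msg in parse(lines)
            if level == "WARN" and msg.startswith("Failover notification")]


if __name__ == "__main__":
    for last, start, gap in restart_gaps(SAMPLE.splitlines()):
        print(f"silent from {last} until restart at {start} ({gap})")
    for ts in failover_sleeps(SAMPLE.splitlines()):
        print(f"failover sleep at {ts}")
```

Lining the reported gaps up against the Event ID 1000 and 7034 timestamps shows how long each subnet went without an active sensor after a crash.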