Windows Agent crashes when also using Sophos Anti Virus with Heap Corruption error

Document ID : KB000084712
Last Modified Date : 14/04/2018
Show Technical Document Details
Error Message :
U0022022 Process '' ended, exit code='3221226356'.

Windows Agents running against various versions crash. Agent stops without any error message. Logs stop without further explanation. SMGR-Log shows:
U0022012 Process 'AUTOMIC1' (ID '1234') ended.
U0022022 Process 'AUTOMIC1' ended, exit code='3221226356'.

Errors of this type have been reported  by many users, all of which were using Sophos Anti Virus software as well.
The crashes are sporadic and the messages similar to this are displayed:

Exitcode='3221226356' -> 0xC0000374 Heap Corruption.

After analyzing the Crash dump file, you will see swi_ifslsp, or swi_ifslsp_64 at the Callstack, which is a Sophos dll.
This by itself does not prove that Sophos is causing the issue. However, the common denominator in all cases is that Sophos Anti Virus software is being used on the machines where the Agent is installed when the issue is encountered.  If Sophos is uninstalled, the Agent no longer crashes.

Additionally, similar issues have been reported with Sophos as shown below when the issue is googled:

The following snippet of the Callstack can be provided to Sophos Support to further investigate this issue.  This snippet shows that Sophos sends something at the same time that the Automic Agent accepts something.   According to our developers, this is not expected behavior.
0012f6d4 7c82a124 00900748 0012f908 7c82a0b8 ntdll!ExpInterlockedPopEntrySListFault
0012f6e0 7c82a0b8 00900748 77e620e0 01114008 ntdll!RtlAllocateHeap+0x14e 
0012f908 71c02734 00900000 00000000 00000018 ntdll!RtlAllocateHeap+0xe2 
0012f91c 71c042db 00000018 77e620e0 0012f984 ws2_32!WSASend+0x304
<== Here is the SEND from Sophos
0012f930 6fa4b324 00902728 000004f4 0012f984 ws2_32!socket+0x1cf 
0012f954 71c11024 000000fc 0012f9f0 0012f9e8 swi_ifslsp!GetLspGuid+0x9a84 
0012f988 71c112c2 000000fc 0012f9f0 0012f9e8 ws2_32!WSAAccept+0x85 
0012f9a4 0046439c 000000fc 0012f9f0 0012f9e8 ws2_32!accept+0x17 
0012f9c4 0043b312 01575d30 0012f9f0 0012f9e8 UCXJWI3!CAsyncSocket::Accept+0x38
<== Here is our ACCEPT from Automic
0012fb4c 00463ee1 00000000 00c47b68 001542c0 UCXJWI3!CExSocket::OnAccept+0xc2 
0012fc70 0046416b 000000fc 00000008 00000008 UCXJWI3!CAsyncSocket::DoCallBack+0xad
0012fc88 00464294 0046c525 000000fc 00000008 UCXJWI3!CSocket::ProcessAuxQueue+0x35
0012fc8c 0046c525 000000fc 00000008 c3637bb7 UCXJWI3!CSocketWnd::OnSocketNotify+0x17
0012fd28 00467961 00000373 000000fc 004bf7e0 UCXJWI3!CWnd::OnWndMsg+0x4f4 
0012fd48 0046a525 00000373 000000fc 00000008 UCXJWI3!CWnd::WindowProc+0x22 
0012fdb0 0046a5ac 00000000 1822007a 00000373 UCXJWI3!AfxCallWndProc+0x9a 
0012fdd0 7739b6e3 1822007a 00000373 000000fc UCXJWI3!AfxWndProc+0x34 
0012fdfc 7739b874 0046a578 1822007a 00000373 user32!LoadCursorW+0x4cf5 
0012fe74 7739ba92 0015a04c 0046a578 1822007a user32!LoadCursorW+0x4e86 
0012fedc 773a16e5 001595f8 00000001 00000000 user32!TranslateMessageEx+0x10d 
0012feec 00461451 001595f8 001595f8 0051c9c0 user32!DispatchMessageA+0xf 
0012fefc 0046103d 0051c9c0 0051c9c0 0012ffc0 UCXJWI3!AfxInternalPumpMessage+0x3e
0012ff18 004b769c 00000ece 00000002 00000001 UCXJWI3!CWinThread::Run+0x54 
0012ff28 0048e131 00400000 00000000 001524ce UCXJWI3!AfxWinMain+0x68 
0012ffc0 77e6f23b 00000000 00000000 7ffd9000 UCXJWI3!__tmainCRTStartup+0x177 
0012fff0 00000000 0048e19a 00000000 78746341 kernel32!ProcessIdToSessionId+0x209
OS: Windows
OS Version: N/A
Cause type:
Root Cause: Incompatibilty between Windows Agent and Sophos Anti-virus software.
Contact Sophos Support and report the error.


Fix Status: No Fix

Fix Version(s):
Additional Information:
Workaround :
  1. Disable Sophos Anti-Virus Web Intelligence on the Windows Agents, see the Automic Community post, Solving Agent Crashes by selective De-Sophosimization (PSA) for additional details.
  1. ​Install another Anit-Virus Software program.

Automic Community Discussions: