Generic Crash error is entered into the SPE logs at the time scanning requests were briefly interrupted

Article ID: 386090


Products

Protection Engine for Cloud Services

Issue/Introduction

On any given day, the Symantec Protection Engine (SPE) service crashed as many as 12 times or more. The service quickly recovered and continued scanning, but not before external requests were cleared and errors were returned from the application side, causing users trying to upload or access files to complain.

When a crash occurred, the SPE logs would contain a series of events similar to the following:

 

DateUTC                Event    Event Severity

11/25/2024 12:20    Crash    Error
11/25/2024 12:20    Startup    Information
11/25/2024 12:20    Version Information
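
The following added example, which is not part of the original article or of any Symantec tooling, counts Crash events per UTC day from an export in the column layout shown above and lists crashes that had no Startup event within one minute. The sample rows, the function names and the one-minute window are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows in the column layout of the excerpt above (not real logs).
SAMPLE = """\
DateUTC                Event    Event Severity
11/25/2024 09:02    Crash    Error
11/25/2024 09:02    Startup    Information
11/25/2024 09:02    Version Information
11/25/2024 12:20    Crash    Error
11/25/2024 12:20    Startup    Information
11/25/2024 12:20    Version Information
11/26/2024 03:41    Crash    Error
11/26/2024 03:47    Startup    Information
"""

# Timestamp (month/day/year hour:minute), then the first word of the Event column.
ROW = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2})\s+(\S+)")

def parse_events(text):
    """Yield (timestamp, event) per data row; header and blank lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%m/%d/%Y %H:%M"), m.group(2)

def crash_report(text, max_gap=timedelta(minutes=1)):
    """Return (crash count per UTC day, crashes with no Startup within max_gap)."""
    events = sorted(parse_events(text), key=lambda e: e[0])  # stable: keeps row order
    per_day, unrecovered = Counter(), []
    for i, (ts, name) in enumerate(events):
        if name != "Crash":
            continue
        per_day[ts.date().isoformat()] += 1
        # A quick recovery shows up as a Startup row shortly after the Crash row.
        recovered = any(
            n == "Startup" and t - ts <= max_gap for t, n in events[i + 1:]
        )
        if not recovered:
            unrecovered.append(ts)
    return dict(per_day), unrecovered

if __name__ == "__main__":
    print(crash_report(SAMPLE))
```

The per-day counts can be lined up against the times users reported failed uploads, and any crash in the second list marks an outage longer than the brief interruption described above.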

Environment

Protection Engine 9.x, Rocky Linux 9

Cause

An examination of the crash dump recorded by the OS pointed to the Stargate engine being unable to parse a URL with URLInsight enabled. At least one document passed in for scanning (individually or within a container file) contained one or more embedded URLs that Stargate could not parse for URL Insight scanning.

The following excerpt of the dump shows where the crash occurred.

(gdb) bt
#0  0x00007f30bf7da74b in BCWF::URL::Url::ParseUrl(char const*, int) () from /opt/SYMCScan/bin/definitions/Stargate/data/../bin/symplatform/libspeng.so.1.13.0.105
#1  0x00007f30bf792ac0 in BCWF::BUFF::UrlRequestData::Impl::Impl(char const*, int) () from /opt/SYMCScan/bin/definitions/Stargate/data/../bin/symplatform/libspeng.so.1.13.0.105
#2  0x00007f30bf792b4e in BCWF::BUFF::UrlRequestData::UrlRequestData(char const*, int) () from /opt/SYMCScan/bin/definitions/Stargate/data/../bin/symplatform/libspeng.so.1.13.0.105
#3  0x00007f30bf5bbfc5 in std::make_unique<BCWF::BUFF::UrlRequestData, char const*> () at /usr/local/include/c++/5.4.0/bits/unique_ptr.h:765
#4  star::webpulse::CBuffQuery::LookupSync (this=0x7f2d7638dd90) at /home/<USER>/webpulse-1.6.0-1.6.0-workspace/dev/webpulse_engine/buff_query_impl.cpp:144
#5  0x00007f30bf5b96e5 in easycon::shared_task<void ()>::operator()<>() (this=0x7f2d7638de60) at /home/<USER>/.conan/data/star_platform/1.13.0/star/cpp/package/315b6ec305604c1d4ef46f0a7ff7b83dc4809264/private/utilities/easycon.h:788
#6  0x00007f30bf5b9852 in easycon::weak_task_ptr<void ()>::operator()<>() const (this=<optimized out>) at /home/<USER>/.conan/data/star_platform/1.13.0/star/cpp/package/315b6ec305604c1d4ef46f0a7ff7b83dc4809264/private/utilities/easycon.h:861
#7  0x00007f30bf5b9523 in easycon::pool_executor::run (this=0x7f306861ed70, i=1) at /home/<USER>/.conan/data/star_platform/1.13.0/star/cpp/package/315b6ec305604c1d4ef46f0a7ff7b83dc4809264/private/utilities/easycon_executors.h:295
#8  0x00007f30e90bbee0 in ?? ()
#9  0x0000000000000000 in ?? ()
 

Resolution

The document containing the offending URL would need to be acquired and examined in order to reduce the crash to a root cause.

As a workaround, consider disabling URLInsight scanning, then restart the service:

 

/opt/SYMCScan/bin/xmlmodifier -s //policies/ThreatPolicies/URLInsight/@enabled false /opt/SYMCScan/bin/policy.xml

/etc/init.d/symcscan restart