Buffer Overflow detected by McAfee
I run McAfee (I have no choice - it's a work laptop!), and it stops Xobni from running because a buffer overflow is detected.
Does anyone else have this issue, and have a solution? I emailed a problem report to Xobni a few weeks ago, but didn't receive an acknowledgment so I don't even know if this is registered as an issue.
Windows XP SP2
Outlook 11 SP3
McAfee 8
Latest Xobni
dprall
02-13-2008, 03:38 PM
I'm getting a Buffer Overflow detection with Cisco Security Agent as well.
I reinstalled Xobni yesterday (February 12, 2008), after I checked and found a new version 1.2.3.2804. Outlook.exe is using 159MB of memory, whereas the previous version, which I had used since January 29th, used over 300MB and was completely unstable. Without Xobni, Outlook reports using 30 to 70MB of memory.
Running Windows XP SP2, Outlook 2003 SP2.
I have on my Corporate PC Cisco Security Agent v5.2.0.245. Periodically I get a popup and have to tell it that it is ok. But if I leave my PC alone for an extended period of time, I typically return to have Outlook gone, having been closed by CSA. This requires that Outlook rebuild my PST folders and such, which takes forever. Looking at the CSA console, I have the following message logged:
2/13/2008 3:53:33 AM: The process 'C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE' (as user dprall) attempted to call the function ResetWriteWatch from a buffer (the return address was 0x10036897). The code at this address is '04000000 0f84b400 0000b984 b42609e8 91b7330b 8bf8b928 b52609e8 85b7330b 8945b48b d0a17cae 4c1c8d52 04e857dd e3698b45 b48d5704 e84cdde3 698b45c0' This either happens when a process uses self-modifying code or when a process has been subverted by a buffer overflow attack. The operation was denied and process terminated.
This does not happen with Xobni uninstalled.
I have the following add-ins installed (the few disabled ones are marked):
Exchange Scan - Disabled
Google Desktop Search Outlook Addin - Disabled
ViewMail Extensions
Delegate Access
Deleted Item Recovery
MeetingPlace for Outlook
Exchange Extensions commands
Exchange Extensions property pages
Server Scripting - Disabled
XobniRdo Outlook Extension
tyler
02-13-2008, 08:36 PM
Hey folks, just wanted to let you know that we are aware of this Buffer Overflow issue, and it should be addressed in the next major update of Insight.
In the meantime, you can disable the Buffer Overflow reporting in McAfee (not sure about your issue with Cisco, Dprall), and that should prevent this error from happening.
But we are actively working on that.
ps, Leon, sorry we haven't gotten back to you yet. We're really swamped at the moment, but will hopefully work through the backlog soon.
Thanks!
dprall
02-13-2008, 09:20 PM
Tyler, hopefully this fixes the same issue. I can't disable CSA since it is corporately controlled. But they allow me to determine on my own what is happening and allow it if necessary. Since Xobni isn't a corporate-approved application, I can't get the policy updated to correct this. I have more of the messages, if you'd like to see them. David
Hi Tyler,
Thanks for the response. Like dprall, I can't disable the buffer overflow detection either due to corporate controls. I tested Xobni out briefly by killing the virus scanner full stop, but I think that's a pretty good way of getting fired if I do that and unleash a virus at work! Seems a great product - looking forward to the next version.
By the way... I said I'd be interested in new versions, but didn't get any notification of the most recent build - there may be something up with your mailing list.
Leon
To Leon and dprall,
What build of Xobni are you running? I know you said in your posts that you're running "the latest version", but there was an update recently to build 2804 and I want to make sure that you're referring to that build.
I'm asking because there was a possible fix for this issue in the newest build (the cause was a native .NET library), and I think we were hoping that this issue was fixed in build 2804.
Let me know if you're running build 2804, and still seeing this issue. Thanks!
-Ryan
dprall
02-15-2008, 04:04 AM
Ryan, yes, latest build. Downloaded it on the 12th. The buffer overflow messages that I receive are different from the ones I received previously. But they continue.
David
Ok, I'll reopen this as a bug and we'll hopefully have a fix out for it in the next couple of releases. Sorry to hear that you're having this trouble!
Yep, 2804 over here too. I previously had 2645 I think (from memory).
A fix would be great - I'm dying to use this for an extended period of time!
Leon
phutchin
03-18-2008, 10:21 PM
I have a similar issue to dprall's, but I noticed the following right below the same error he gets. This is where CSA is killing Outlook:
2008-03-18 13:41:09.281,Alert,"The process 'C:\Program Files\Xobni Insight\XobniService.exe' (as user NT AUTHORITY\SYSTEM) attempted to call the function AdjustPrivilegesToken from a buffer (the return address was 0xaf1b15). The code at this address is '85c07403 8d400450 ff76e4ff 7620c643 0800f643 045f7541 8b46088b 4014ff10 50e816e8 e17b8983 e4000000 58c64308 01833d2c 69387a00 752633c9 85c00f95' This either happens when a process uses self-modifying code or when a process has been subverted by a buffer overflow attack. The operation was denied and process terminated.","HACL_OVERFLOW_TERMINATE","","C:\Program Files\Xobni Insight\XobniService.exe",,,186,,,,"NT AUTHORITY\SYSTEM",,"(t-1205872869 n-281250000 z--25200 sc-13 dc-15 cd-558 p*(i-186 w-C:\Program%20Files\Xobni%20Insight\XobniService.exe r*(type-17 time-1580 pnd-83889499 rid-83889468 rapi*(pid-3052 op-41 p*(ic-404 i-11475733 dc-402 d-fcmDd0iqea1*2r-*2bIXdHaa2pebFvxqlAeclcef*dbuOBb6HVxIdsoaaaawgpecbmypSKgo6bqDMmtYfc8dvc a-AdjustPrivilegesToken i-13820944 d-anaaaaaaaaa9PCqaaaaaaaaaaaaaaaaa0rU0aWf5sdqfB8kaanaaaaaaaaa9PCqaaaaaaaaaaaaaaaaal8fJrb a- ic-403 i-11475701 i-1048577 a-ADVAPI32!AdjustTokenPrivileges+0x1e%20%280x77dfc552%29:%20FS/0,32,4/4,36,8/%0a0xaf1b15:%20reporting%20frame%0a a-0xaf1b15\ADVAPI32!AdjustTokenPrivileges+0x1e d-baaaaqbaaaaaaaaacaaaaa ) cr-Owin32%00TNT%20AUTHORITY\SYSTEM%00t010100000000000512000000%00GNT%20AUTHORITY\SYSTEM%00g010100000000000512000000%00 cs-ADVAPI32=41107eaf,2,snfrt9fBDvutySBr1w88pi4LrrHaaaaaHrMDHbxAZiJlWrMyaa\ntdll=41107f17,2,snfrtv7xrzZqqtErrAVC67ck4bSaaaaaUrhzSXMlWrMyaa\\0xaf1b15\ADVAPI32!AdjustTokenPrivileges+0x1e\ntdll!NtAdjustPrivilegesToken+0xc\ntdll!KiFastSystemCall+0x9 ) ) ) )"
The interesting thing is that Xobni is using the NT AUTHORITY\SYSTEM user and not the currently logged-in user. This is why CSA seems to automatically terminate.
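The two CSA alerts quoted in this thread (the console line in dprall's post above and the CSV export in this post) share one message format, which makes them easy to parse for triage before asking for a policy exception. The following is an added example written for this page, not Cisco, McAfee or Xobni code: the two alert lines are copied from the thread (the CSV tail is abridged to the fields this code reads), and the KNOWN_FALSE_POSITIVES allowlist is a hypothetical operator policy, not anything a vendor ships.

```python
"""Triage helper for CSA / McAfee-style "called a function from a buffer" alerts.
Added example for this thread; not Cisco, McAfee or Xobni code."""
import re
from collections import Counter

# Sample alerts copied from the thread (console text from dprall's post, CSV
# export from phutchin's post). The CSV tail is abridged to the rule id, the
# image path and the top symbolised frame; everything else is omitted.
SAMPLE_ALERTS = [
    "2/13/2008 3:53:33 AM: The process 'C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE' "
    "(as user dprall) attempted to call the function ResetWriteWatch from a buffer "
    "(the return address was 0x10036897). The code at this address is '04000000 0f84b400 "
    "0000b984 b42609e8 91b7330b 8bf8b928 b52609e8 85b7330b 8945b48b d0a17cae 4c1c8d52 "
    "04e857dd e3698b45 b48d5704 e84cdde3 698b45c0' This either happens when a process uses "
    "self-modifying code or when a process has been subverted by a buffer overflow attack. "
    "The operation was denied and process terminated.",
    '2008-03-18 13:41:09.281,Alert,"The process \'C:\\Program Files\\Xobni Insight\\XobniService.exe\' '
    "(as user NT AUTHORITY\\SYSTEM) attempted to call the function AdjustPrivilegesToken from a buffer "
    "(the return address was 0xaf1b15). The code at this address is '85c07403 8d400450 ff76e4ff "
    "7620c643 0800f643 045f7541 8b46088b 4014ff10 50e816e8 e17b8983 e4000000 58c64308 "
    "01833d2c 69387a00 752633c9 85c00f95' This either happens when a process uses "
    "self-modifying code or when a process has been subverted by a buffer overflow attack. "
    'The operation was denied and process terminated.","HACL_OVERFLOW_TERMINATE","",'
    '"C:\\Program Files\\Xobni Insight\\XobniService.exe",,,186,'
    '"a-0xaf1b15\\ADVAPI32!AdjustTokenPrivileges+0x1e\\ntdll!NtAdjustPrivilegesToken+0xc"',
]

# The sentence CSA emits is fixed, so one regex covers both the console and CSV forms.
MSG_RE = re.compile(
    r"The process '(?P<process>[^']+)' \(as user (?P<user>[^)]+)\) attempted to call "
    r"the function (?P<api>\w+) from a buffer \(the return address was (?P<ret>0x[0-9a-fA-F]+)\)\. "
    r"The code at this address is '(?P<code>[0-9a-fA-F ]+)'"
)
RULE_RE = re.compile(r'"(HACL_[A-Z_]+)"')                      # rule id, CSV export only
FRAME_RE = re.compile(r"\b([A-Za-z0-9_]+![A-Za-z0-9_]+\+0x[0-9a-fA-F]+)")  # module!symbol+off

# Hypothetical allowlist of (image, api) pairs an operator has confirmed as
# false positives. Not a vendor policy: the thread only establishes that these
# two alerts coincide with Xobni's native .NET component.
KNOWN_FALSE_POSITIVES = {
    ("outlook.exe", "ResetWriteWatch"),
    ("xobniservice.exe", "AdjustPrivilegesToken"),
}


def parse_alert(line):
    """Extract the fields worth keeping from one alert line; None if it is not one."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rule = RULE_RE.search(line)
    frame = FRAME_RE.search(line)
    return {
        "process": m["process"],
        "image": m["process"].rsplit("\\", 1)[-1].lower(),
        "user": m["user"],
        "api": m["api"],
        "return_address": int(m["ret"], 16),
        "code": bytes.fromhex(m["code"].replace(" ", "")),  # bytes CSA dumped at the return address
        "rule": rule[1] if rule else None,
        "frame": frame[1] if frame else None,               # top symbolised frame, when exported
        "terminated": "process terminated" in line,
    }


def triage(alert):
    """Return ('known-fp' | 'investigate', notes) for one parsed alert."""
    notes = []
    if alert["user"].upper().endswith("\\SYSTEM"):
        # The blocked caller is a LocalSystem service, so the terminate hits
        # the service itself rather than the user's interactive session.
        notes.append("caller runs as LocalSystem")
    verdict = "known-fp" if (alert["image"], alert["api"]) in KNOWN_FALSE_POSITIVES else "investigate"
    return verdict, notes


def summarise(lines):
    """Count alerts per (image, user, api) so repeat offenders stand out."""
    counts = Counter()
    for line in lines:
        a = parse_alert(line)
        if a:
            counts[(a["image"], a["user"], a["api"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        alert = parse_alert(line)
        verdict, notes = triage(alert)
        print(f"{alert['image']:18} {alert['user']:20} {alert['api']:22} "
              f"ret=0x{alert['return_address']:08x} {verdict} {'; '.join(notes)}")
    for key, n in summarise(SAMPLE_ALERTS).items():
        print(n, key)
```

Running it prints one verdict per alert. The allowlist is keyed on (image, API) so that an exception request can quote exactly what was blocked, and the LocalSystem note flags the case raised in this post, where the terminated process is the SYSTEM service rather than the interactive Outlook session.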
tyler
03-21-2008, 01:56 AM
@ All:
Hey folks, Ryan and Aamir have been looking into some of these Buffer Overflow issues that are being reported and it looks like the majority of the issues are with McAfee Enterprise 8.0.1 through 8.0.14.
They also found that McAfee issued a patch that claims to fix this Buffer Overflow problem, you can read about it here (see Issue #23):
https://knowledge.mcafee.com/article/988/1356755_f.SAL_Public.html
You are required to login to their 'Service Portal', but you can read the instructions here:
https://knowledge.mcafee.com/SupportSite/dynamickc.do?sliceId=SAL_Public&command=show&forward=nonthreadedKC&externalId=KB40531
Hopefully some of you that are experiencing this problem, can try downloading the patch and see if it fixes your system. For some of you this may require talking to your IT department, but it may be worth it (I mean, c'mon, we're talking about getting to keep using Xobni without problems ;))
Please post here if you're successful / unsuccessful in getting this patch to work. Thanks!!
ps, for those of you running into similar issues with Cisco Security Agent, we haven't found a solution, but it may be worth checking with Cisco to see if they have a similar fix for this type of problem.
Myopias
03-26-2008, 10:01 PM
It does appear that I am running patch version 13 which might be the problem. Unfortunately I can't overwrite it in the corporate environment as it will just get automatically re-downgraded. I am trying to find out if it is scheduled for deployment and will update this thread when I know more.
Thanks!
Myopias
03-26-2008, 11:26 PM
Gah.
The link to d/l the patch requires a new user registration that includes a "Grant #" field which is flagged as required, but I don't believe I have any such grant.
I'll keep digging.
I am also getting a buffer overflow report with McAfee VirusScan Enterprise 8.0.
I'm using the public beta of Xobni which was released this week. It worked fine for 2 days, but not today.
After having a number of issues with indexing freezes or failures typically coincident with McAfee identifying a buffer overflow, I right-clicked the McAfee icon and opened the VirusScan Console. I disabled buffer overflow (how bad is this?) and uninstalled and then reinstalled Xobni. This time after Outlook started the indexing was done for my Gigs of mail (and archives) in under 5 minutes--where it froze before--and it did "index all mail" in about the same time. Now a number of strange behaviors have cleared up including the sidebar disappearance, profile not changing, etc.
Remaining probs:
1. Buffer Overflow is off on McAfee. If the thread is correct, I just need to get the McAfee 8.5 version from IT.
2. Reminders come up late on startup.
3. Although Outlook still appears to be running if I try to close it, and it takes a moment to start up.
4. Some slowness in switching between mail-calendar-contacts.
Hopefully some of this will be faster after it's done synching or whatever it is doing in the background now.
Even if some of the slow startup/shutdown behavior remains, the speed at which this works and the utility of Xobni to sift through gigs of mail within seconds is WAY WAY too valuable for me to think of dumping it.
For comparison:
Running Windows XP and Office 2003 with SP3 on a 3GHz/2G Ram box.
Email is Exchange with a massive inbox and archive running on a University Network with very high speed transfers. Using cached exchange mode (CAE).
skatefriday
05-12-2008, 10:05 PM
I saw the same "call a system function from a buffer" warning from my Cisco Security Agent also.
I was using version 1.2.3.3640.
As others describe, this can't be turned off and results in Outlook crashing. The suggestion to contact Cisco to get this fixed isn't likely to get you anywhere. Cisco will just turn around (if you get their attention at all) and ask Xobni to prove that their software isn't actually doing something malicious.
skatefriday
05-22-2008, 03:31 AM
Any chance this was fixed in 1.2.3.3769?
JPost
05-23-2008, 04:51 PM
For what it's worth, we use McAfee Enterprise. When I have called McAfee about buffer overflow false positives in the past, McAfee Support has simply said to turn off buffer overflow protection. The tech indicated it usually doesn't work correctly and the documented solution is to simply disable it.
Jeff
tyler
05-23-2008, 07:09 PM
@ Skatefriday:
No, we have not made any changes on our end to handle McAfee and Cisco. Now that we've identified them as the source of the error, we've had to redirect our engineering efforts towards more pressing Xobni issues.
Ideally we'd like to get some of our developers down to McAfee to work with them towards fixing the issue, but unfortunately, that hasn't happened yet. Hopefully we can do that sometime soon.
Thanks!
skatefriday
05-29-2008, 11:27 PM
Can you give whatever data and evidence you have that supports the assertion that Cisco's Security Agent is incorrectly flagging the buffer security risk and that your software is, in fact, benign in this regard?