VirusScan Enterprise events are not parsed with SQL 2019 compatibility level (150)
Technical Articles ID:
KB92701
Last Modified: 11/24/2020
Environment
McAfee ePolicy Orchestrator (ePO) 5.10.x
McAfee VirusScan Enterprise (VSE) 8.8.x
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Problem
VirusScan Enterprise events do not parse with SQL Server 2019 when the database compatibility level is set to 150.
The system used VSE 8.8 Patch 14 extensions: 8.8.0.732 and 1.2.0.452. For more information, see KB51111.
The EventParser_systemname.log records the following errors:
X #05988 EVNTPRSR source\server.cpp(1015): Processing <VirusDetectionEvent>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\61fe5a53-eee4-443f-957a-7c69e0b1ccb9-mc_20200413035946291795200000E98.txml.
X #05988 EPODAL ePOData_Connection.cpp(590): ssl Authenticate mode is 1
E #05988 VseBll DAL->ExecQuery failed. hr=80004005
E #05988 EVNTPRSR source\server.cpp(1064): COM Error 0x80004005, source=(null), desc=(null), msg=Unspecified error
I #05988 EVNTPRSR Requeueing C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\61fe5a53-eee4-443f-957a-7c69e0b1ccb9-mc_20200413035946291795200000E98.txml for retry
X #05988 EVNTPRSR source\server.cpp(1015): Processing <VirusDetectionEvent>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\61fe5a53-eee4-443f-957a-7c69e0b1ccb9-mc_20200413035946291795200000E98.txml.
X #05988 EPODAL ePOData_Connection.cpp(590): ssl Authenticate mode is 1
E #05988 VseBll DAL->ExecQuery failed. hr=80004005
E #05988 EVNTPRSR source\server.cpp(1064): COM Error 0x80004005, source=(null), desc=(null), msg=Unspecified error
E #05988 EVNTPRSR source\server.cpp(1128): Failed to process file C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\61fe5a53-eee4-443f-957a-7c69e0b1ccb9-mc_20200413035946291795200000E98.txml, XML file error count 1
The ERROR.log records the following errors (default location: C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\LOG\):
spid70 Stack Signature for the dump is 0x00000000215601CF
spid70 Dump request is dismissed (stack signature 0x00000000215601CF).
Server Error: 17310, Severity: 20, State: 1.
Server A user request from the session with SPID 70 generated a fatal exception. SQL Server is terminating this session. Contact Product Support Services with the dump produced in the log directory.
spid70 CImageHelper::Init () Version-specific dbghelp.dll is not used
spid70 ***Stack Dump being sent to C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\LOG\SQLDump0019.txt
spid70 SqlDumpExceptionHandler: Process 70 generated fatal exception c0000005 EXCEPTION_ACCESS_VIOLATION. SQL Server is terminating this process.
spid70 * *******************************************************************************
spid70 *
spid70 * BEGIN STACK DUMP:
spid70 * 04/13/20 04:53:55 spid 70
spid70 *
spid70 *
spid70 * Exception Address = 00007FF907AA1205 Module(sqllang+0000000000221205)
spid70 * Exception Code = c0000005 EXCEPTION_ACCESS_VIOLATION
spid70 * Access Violation occurred reading address 0000000000000028
spid70 * Input Buffer 510 bytes -
spid70 * Exec VSE_InsertVirusDetectionEvent @AgentGUID='5774a602-7d22-
spid70 * 11ea-3510-005056aca64b',@UserName=N'CDA\cdaauto',@MachineName=N'771W10RS
spid70 * 4X6401',@OSName=N'Windows 8 Workstation',@IPAddress=N'10.26.97.153',@Tim
spid70 * eZoneBias=420,@ProductFamily=N'TVD',@ProductName=N'VirusScan Enterprise'
spid70 * ,@ProductVersion=N'8.8',@ScannerType=N'OAS',@TaskName=N'OAS',@EngineVers
spid70 * ion=N'6010.8670',@DATVersion=N'9589.0000',@LocalTime={ts '2020-04-13 03:
spid70 * 59:46'},@UTCTime={ts '2020-04-13 10:59:46'},@lEventID=1278,@Severity=3,@
spid70 * FileName=N'C:\Users\cdaauto\Desktop\sahas.com',@VirusName=N'Installation
spid70 * Check',@lVirusType=6,@szVirusType=N'test',@SensitivityLevel=N'_',@Sourc
spid70 * e=N'C:\Windows\System32\notepad.exe',@MD5=N'0d69e58385c4e47aa0ab6bd4983a
spid70 * 7f89'
The SQLDump0019.txt records the following errors (default location: C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\LOG\):
SQL Server is terminating this process.
****************************************
*
* BEGIN STACK DUMP:
* 04/13/20 03:03:38 spid 70
*
*
* Exception Address = 00007FF907AA1205 Module(sqllang+0000000000221205)
* Exception Code = c0000005 EXCEPTION_ACCESS_VIOLATION
* Access Violation occurred reading address 0000000000000028
* Input Buffer 510 bytes -
* Exec VSE_InsertVirusDetectionEvent @AgentGUID='5774a602-7d22-
* 11ea-3510-005056aca64b',@UserName=N'CDA\cdaauto',@MachineName=N'771W10RS
* 4X6401',@OSName=N'Windows 8 Workstation',@IPAddress=N'10.26.97.153',@Tim
* eZoneBias=420,@ProductFamily=N'TVD',@ProductName=N'VirusScan Enterprise'
* ,@ProductVersion=N'8.8',@ScannerType=N'OAS',@TaskName=N'OAS',@EngineVers
* ion=N'6010.8670',@DATVersion=N'9589.0000',@LocalTime={ts '2020-04-13 03:
* 03:18'},@UTCTime={ts '2020-04-13 10:03:18'},@lEventID=1278,@Severity=3,@
* FileName=N'C:\Users\cdaauto\Desktop\rgc.com',@VirusName=N'Installation C
* heck',@lVirusType=6,@szVirusType=N'test',@SensitivityLevel=N'_',@Source=
* N'C:\Windows\System32\notepad.exe',@MD5=N'0d69e58385c4e47aa0ab6bd4983a7f
* 89'
*
The exception.log records the following errors (default location: C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\LOG\):
spid 70 Exception 0xc0000005 EXCEPTION_ACCESS_VIOLATION reading address 0000000000000028 at 0x00007FF907AA1205
The SQLDUMPER_ERRORLOG.log records the following errors:
ACTION, sqlservr.exe, Location of module 'dbghelp.dll' : 'C:\Windows\SYSTEM32\dbghelp.dll'
ACTION, sqlservr.exe, File version of module 'C:\Windows\SYSTEM32\dbghelp.dll' : '6.2:17763.1'
ACTION, sqlservr.exe, Product version of module 'C:\Windows\SYSTEM32\dbghelp.dll' : '10.0:17763.1'
ACTION, sqlservr.exe, Location of module 'sqldumper.exe' : 'C:\Program Files\Microsoft SQL Server\150\Shared\SQLDUMPER.EXE'
ACTION, sqlservr.exe, File version of module 'C:\Program Files\Microsoft SQL Server\150\Shared\SQLDUMPER.EXE' : '2019.150:2000.5'
ACTION, sqlservr.exe, Product version of module 'C:\Program Files\Microsoft SQL Server\150\Shared\SQLDUMPER.EXE' : '15.0:2000.5'
ACTION, sqlservr.exe, Send_To_Watson flag is set to true
ACTION, sqlservr.exe, Watson Invoke: Yes
ACTION, sqlservr.exe, Creating WER report...
ACTION, sqlservr.exe, Created the report.
ACTION, sqlservr.exe, WerReportAddFile Mini Dump succeeded.
ACTION, sqlservr.exe, WerReportAddFile SQLDumpFile succeeded, SQLDumpFileName: C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\LOG\SQLDump0019.txt.
ACTION, sqlservr.exe, WerReportAddFile Log Tail File succeeded.
ACTION, sqlservr.exe, Submitting WER report...
ACTION, sqlservr.exe, Submitted report asynchronously.
Cause
The issue is in the SQL Server 2019 base (RTM) version. SQL Server fails when it performs an internal function for binary concatenation, and the session that is inserting the event is terminated with an access violation.
Solution
The issue is resolved in SQL Server 2019 Cumulative Update 6 (CU6).
Workaround
To get the events parsed, change the database compatibility level to SQL Server 2017 (140). Perform the following steps:
- Open Microsoft SQL Server Management Studio, and expand Databases.
- Right-click the ePO database (ePO_Database in this example), and select Properties.
- On the Options page, click the Compatibility level drop-down list, and select SQL Server 2017 (140).
Events are parsed after the compatibility level is changed to SQL Server 2017 (140).
X #06648 EPODAL ePOData_Connection.cpp(590): ssl Authenticate mode is 1
X #06648 EVNTPRSR source\server.cpp(1015): Processing <VirusDetectionEvent>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\61fe5a53-eee4-443f-957a-7c69e0b1ccb9-mc_20200413035946291795200000E98.txml.
X #06648 EPODAL ePOData_Connection.cpp(590): ssl Authenticate mode is 1
I #06648 EVNTPRSR Succeeded <VirusDetectionEvent>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\61fe5a53-eee4-443f-957a-7c69e0b1ccb9-mc_20200413035946291795200000E98.txml.
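The same workaround as a T-SQL script, for environments where the change is applied without the SSMS GUI. This is an added example, not part of the KB article or a McAfee-supplied script; it assumes the ePO database is named ePO_Database (as above) and only lowers the level when the database is still at 150.

```sql
-- Added example (not from the KB): T-SQL equivalent of the SSMS workaround.
-- Assumption: the ePO database is named ePO_Database; substitute your own name.
DECLARE @db sysname = N'ePO_Database';
DECLARE @level int;

-- 1. Record the engine build and update level. 15.0.2000.5 is the affected
--    RTM build; on CU6 or later the workaround is not needed.
SELECT SERVERPROPERTY('ProductVersion')     AS product_version,
       SERVERPROPERTY('ProductUpdateLevel') AS update_level;

-- 2. Read the database's current compatibility level.
SELECT @level = compatibility_level FROM sys.databases WHERE name = @db;

-- 3. Apply the workaround only if the database is still at level 150.
IF @level = 150
BEGIN
    DECLARE @sql nvarchar(max) =
        N'ALTER DATABASE ' + QUOTENAME(@db) + N' SET COMPATIBILITY_LEVEL = 140;';
    EXEC sys.sp_executesql @sql;
    PRINT 'Compatibility level lowered to 140 (SQL Server 2017).';
END
ELSE
    PRINT 'Compatibility level is ' + CAST(@level AS nvarchar(10)) + '; nothing changed.';

-- 4. Verify the result.
SELECT name, compatibility_level FROM sys.databases WHERE name = @db;

-- After installing SQL Server 2019 CU6, restore the original level:
-- ALTER DATABASE [ePO_Database] SET COMPATIBILITY_LEVEL = 150;
```

Run it as a login with ALTER permission on the database; the change takes effect immediately and does not require restarting the ePO services.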