VirusScan enterprise events do not parse with SQL Server 2019, and when the compatibility level is set to 150.

The system used VSE 8.8 Patch 14 extensions: 8.8.0.732 and 1.2.0.452. For more information, see KB51111.

The EventParser_systemname.log records the following errors:

X    #05988    EVNTPRSR    source\server.cpp(1015): Processing <VirusDetectionEvent>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\61fe5a53-eee4-443f-957a-7c69e0b1ccb9-mc_20200413035946291795200000E98.txml.
X    #05988    EPODAL      ePOData_Connection.cpp(590): ssl Authenticate mode is 1
E    #05988    VseBll      DAL->ExecQuery failed. hr=80004005
E    #05988    EVNTPRSR    source\server.cpp(1064): COM Error 0x80004005, source=(null), desc=(null), msg=Unspecified error
I    #05988    EVNTPRSR    Requeueing C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\61fe5a53-eee4-443f-957a-7c69e0b1ccb9-mc_20200413035946291795200000E98.txml for retry
X    #05988    EVNTPRSR    source\server.cpp(1015): Processing <VirusDetectionEvent>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\61fe5a53-eee4-443f-957a-7c69e0b1ccb9-mc_20200413035946291795200000E98.txml.
X    #05988    EPODAL      ePOData_Connection.cpp(590): ssl Authenticate mode is 1
E    #05988   VseBll      DAL->ExecQuery failed. hr=80004005
E    #05988    EVNTPRSR    source\server.cpp(1064): COM Error 0x80004005, source=(null), desc=(null), msg=Unspecified error
E    #05988    EVNTPRSR    source\server.cpp(1128): Failed to process file C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\61fe5a53-eee4-443f-957a-7c69e0b1ccb9-mc_20200413035946291795200000E98.txml, XML file error count 1


The ERROR.log records the following errors: (Default: C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\LOG\)

spid70      Stack Signature for the dump is 0x00000000215601CF
spid70      Dump request is dismissed (stack signature 0x00000000215601CF).
Server      Error: 17310, Severity: 20, State: 1.
Server      A user request from the session with SPID 70 generated a fatal exception. SQL Server is terminating this session. Contact Product Support Services with the dump produced in the log directory.
spid70      CImageHelper::Init () Version-specific dbghelp.dll is not used
spid70      ***Stack Dump being sent to C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\LOG\SQLDump0019.txt
spid70      SqlDumpExceptionHandler: Process 70 generated fatal exception c0000005 EXCEPTION_ACCESS_VIOLATION. SQL Server is terminating this process.
spid70      * *******************************************************************************
spid70      *
spid70      * BEGIN STACK DUMP:
spid70      *   04/13/20 04:53:55 spid 70
spid70      *
spid70      *
spid70      *   Exception Address = 00007FF907AA1205 Module(sqllang+0000000000221205)
spid70      *   Exception Code    = c0000005 EXCEPTION_ACCESS_VIOLATION
spid70      *   Access Violation occurred reading address 0000000000000028
spid70      * Input Buffer 510 bytes -
spid70      *             Exec VSE_InsertVirusDetectionEvent @AgentGUID='5774a602-7d22-
spid70      *  11ea-3510-005056aca64b',@UserName=N'CDA\cdaauto',@MachineName=N'771W10RS
spid70      *  4X6401',@OSName=N'Windows 8 Workstation',@IPAddress=N'10.26.97.153',@Tim
spid70      *  eZoneBias=420,@ProductFamily=N'TVD',@ProductName=N'VirusScan Enterprise'
spid70      *  ,@ProductVersion=N'8.8',@ScannerType=N'OAS',@TaskName=N'OAS',@EngineVers
spid70      *  ion=N'6010.8670',@DATVersion=N'9589.0000',@LocalTime={ts '2020-04-13 03:
spid70      *  59:46'},@UTCTime={ts '2020-04-13 10:59:46'},@lEventID=1278,@Severity=3,@
spid70      *  FileName=N'C:\Users\cdaauto\Desktop\sahas.com',@VirusName=N'Installation
spid70      *   Check',@lVirusType=6,@szVirusType=N'test',@SensitivityLevel=N'_',@Sourc
spid70      *  e=N'C:\Windows\System32\notepad.exe',@MD5=N'0d69e58385c4e47aa0ab6bd4983a
spid70      *  7f89'

The SQLDump0019.txt records the following errors: (Default: C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\LOG\)

SQL Server is terminating this process.                                                                                      
****************************************
*                                                                                                                
* BEGIN STACK DUMP:                                                                                              
*   04/13/20 03:03:38 spid 70                                                                                    
*                                                                                                                
*                                                                                                                
*   Exception Address = 00007FF907AA1205 Module(sqllang+0000000000221205)                                        
*   Exception Code    = c0000005 EXCEPTION_ACCESS_VIOLATION                                                      
*   Access Violation occurred reading address 0000000000000028                                                   
* Input Buffer 510 bytes -                                                                                       
*             Exec VSE_InsertVirusDetectionEvent @AgentGUID='5774a602-7d22-                                      
*  11ea-3510-005056aca64b',@UserName=N'CDA\cdaauto',@MachineName=N'771W10RS                                      
*  4X6401',@OSName=N'Windows 8 Workstation',@IPAddress=N'10.26.97.153',@Tim                                      
*  eZoneBias=420,@ProductFamily=N'TVD',@ProductName=N'VirusScan Enterprise'                                      
*  ,@ProductVersion=N'8.8',@ScannerType=N'OAS',@TaskName=N'OAS',@EngineVers                                      
*  ion=N'6010.8670',@DATVersion=N'9589.0000',@LocalTime={ts '2020-04-13 03:                                      
*  03:18'},@UTCTime={ts '2020-04-13 10:03:18'},@lEventID=1278,@Severity=3,@                                      
*  FileName=N'C:\Users\cdaauto\Desktop\rgc.com',@VirusName=N'Installation C                                      
*  heck',@lVirusType=6,@szVirusType=N'test',@SensitivityLevel=N'_',@Source=                                      
*  N'C:\Windows\System32\notepad.exe',@MD5=N'0d69e58385c4e47aa0ab6bd4983a7f                                      
*  89'                                                                                                           
*                                                                                                                

The exception.log records the following errors: (Default: C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\LOG\)

spid 70 Exception 0xc0000005 EXCEPTION_ACCESS_VIOLATION reading address 0000000000000028 at 0x00007FF907AA1205


The SQLDUMPER_ERRORLOG.log records the following errors:

ACTION,  sqlservr.exe, Location of module 'dbghelp.dll' : 'C:\Windows\SYSTEM32\dbghelp.dll'
ACTION,  sqlservr.exe, File version of module 'C:\Windows\SYSTEM32\dbghelp.dll' : '6.2:17763.1'
ACTION,  sqlservr.exe, Product version of module 'C:\Windows\SYSTEM32\dbghelp.dll' : '10.0:17763.1'
ACTION,  sqlservr.exe, Location of module 'sqldumper.exe' : 'C:\Program Files\Microsoft SQL Server\150\Shared\SQLDUMPER.EXE'
ACTION,  sqlservr.exe, File version of module 'C:\Program Files\Microsoft SQL Server\150\Shared\SQLDUMPER.EXE' : '2019.150:2000.5'
ACTION,  sqlservr.exe, Product version of module 'C:\Program Files\Microsoft SQL Server\150\Shared\SQLDUMPER.EXE' : '15.0:2000.5'
ACTION,  sqlservr.exe, Send_To_Watson flag is set to true
ACTION,  sqlservr.exe, Watson Invoke: Yes
ACTION,  sqlservr.exe, Creating WER report...
ACTION,  sqlservr.exe, Created the report.
ACTION,  sqlservr.exe, WerReportAddFile Mini Dump succeeded.
ACTION,  sqlservr.exe, WerReportAddFile SQLDumpFile succeeded, SQLDumpFileName: C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\LOG\SQLDump0019.txt.
ACTION,  sqlservr.exe, WerReportAddFile Log Tail File succeeded.
ACTION,  sqlservr.exe, Submitting WER report...
ACTION,  sqlservr.exe, Submitted report asynchronously.