VirusScan Enterprise events aren't parsed with SQL 2019 compatibility level (150)
Last Modified: 2023-03-17 08:24:05 Etc/GMT
Technical Articles ID: KB92701
Environment
ePO Orchestrator (ePO) 5.10.x
VirusScan Enterprise (VSE) 8.8.x
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Problem
VSE events don't parse with SQL Server 2019 when the compatibility level is set to 150.
The system used
X #05988 EPODAL ePOData_Connection.cpp(590): ssl Authenticate mode is 1
E #05988 VseBll DAL->ExecQuery failed. hr=80004005
E #05988 EVNTPRSR source\server.cpp(1064): COM Error 0x80004005, source=(null), desc=(null), msg=Unspecified error
E #05988 EVNTPRSR source\server.cpp(1128): Failed to process file C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\61fe5a53-eee4-443f-957a-7c69e0b1ccb9-mc_20200413035946291795200000E98.txml, XML file error count 1
In the log folder on the SQL server (Default:
spid70 Dump request is dismissed (stack signature 0x00000000215601CF).
Server Error: 17310, Severity: 20, State: 1.
Server A user request from the session with SPID 70 generated a fatal exception. SQL Server is terminating this session. Contact Product Support Services with the dump produced in the log directory.
spid70 CImageHelper::Init () Version-specific dbghelp.dll is not used
spid70 ***Stack Dump being sent to C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\LOG\SQLDump0019.txt
spid70 SqlDumpExceptionHandler: Process 70 generated fatal exception c0000005 EXCEPTION_ACCESS_VIOLATION. SQL Server is terminating this process.
spid70 * *******************************************************************************
spid70 *
spid70 * BEGIN STACK DUMP:
spid70 * 04/13/20 04:53:55 spid 70
spid70 *
spid70 *
spid70 * Exception Address = 00007FF907AA1205 Module(sqllang+0000000000221205)
spid70 * Exception Code = c0000005 EXCEPTION_ACCESS_VIOLATION
spid70 * Access Violation occurred reading address 0000000000000028
spid70 * Input Buffer 510 bytes -
spid70 * Exec VSE_InsertVirusDetectionEvent @AgentGUID='5774a602-7d22-
spid70 * 11ea-3510-005056aca64b',@UserName=N'CDA\cdaauto',@MachineName=N'771W10RS
spid70 * 4X6401',@OSName=N'Windows 8 Workstation',@IPAddress=N'10.26.97.153',@Tim
spid70 * eZoneBias=420,@ProductFamily=N'TVD',@ProductName=N'VirusScan Enterprise'
spid70 * ,@ProductVersion=N'8.8',@ScannerType=N'OAS',@TaskName=N'OAS',@EngineVers
spid70 * ion=N'6010.8670',@DATVersion=N'9589.0000',@LocalTime={ts '2020-04-13 03:
spid70 * 59:46'},@UTCTime={ts '2020-04-13 10:59:46'},@lEventID=1278,@Severity=3,@
spid70 * FileName=N'C:\Users\cdaauto\Desktop\sahas.com',@VirusName=N'Installation
spid70 * Check',@lVirusType=6,@szVirusType=N'test',@SensitivityLevel=N'_',@Sourc
spid70 * e=N'C:\Windows\System32\notepad.exe',@MD5=N'0d69e58385c4e47aa0ab6bd4983a
spid70 * 7f89'
Large numbers of dump files are created in the SQL server log folder called
****************************************
*
* BEGIN STACK DUMP:
* 04/13/20 03:03:38 spid 70
*
*
* Exception Address = 00007FF907AA1205 Module(sqllang+0000000000221205)
* Exception Code = c0000005 EXCEPTION_ACCESS_VIOLATION
* Access Violation occurred reading address 0000000000000028
* Input Buffer 510 bytes -
* Exec VSE_InsertVirusDetectionEvent @AgentGUID='5774a602-7d22-
* 11ea-3510-005056aca64b',@UserName=N'CDA\cdaauto',@MachineName=N'771W10RS
* 4X6401',@OSName=N'Windows 8 Workstation',@IPAddress=N'10.26.97.153',@Tim
* eZoneBias=420,@ProductFamily=N'TVD',@ProductName=N'VirusScan Enterprise'
* ,@ProductVersion=N'8.8',@ScannerType=N'OAS',@TaskName=N'OAS',@EngineVers
* ion=N'6010.8670',@DATVersion=N'9589.0000',@LocalTime={ts '2020-04-13 03:
* 03:18'},@UTCTime={ts '2020-04-13 10:03:18'},@lEventID=1278,@Severity=3,@
* FileName=N'C:\Users\cdaauto\Desktop\rgc.com',@VirusName=N'Installation C
* heck',@lVirusType=6,@szVirusType=N'test',@SensitivityLevel=N'_',@Source=
* N'C:\Windows\System32\notepad.exe',@MD5=N'0d69e58385c4e47aa0ab6bd4983a7f
* 89'
*
Cause
The issue is in the SQL Server 2019 base version. SQL Server fails when it performs an internal function on binary concatenation.
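To confirm that a dump in the SQL Server log folder is the failure described in this article rather than an unrelated crash, the wrapped Input Buffer has to be rejoined before the procedure name can be read. The Python below is an added example, not part of the original article or any Trellix tooling; parse_dumps, the sample text and Hypothetical_OtherProc are constructed for illustration, and it assumes wrapped buffer lines join with no separator (a space that falls exactly on a wrap point is lost).

```python
import re

MARGIN = re.compile(r"^[^*]*\*\s*")        # optional "spidNN" prefix, then the "*" margin
KB_PROC = "VSE_InsertVirusDetectionEvent"  # procedure in the dumps shown on this page

def parse_dumps(text):
    """Return one dict per 'BEGIN STACK DUMP' section found in text."""
    dumps = []
    for section in text.split("BEGIN STACK DUMP:")[1:]:
        d = {"exception": None, "module": None, "buffer": ""}
        in_buffer = False
        for raw in section.splitlines():
            m = MARGIN.match(raw)
            body = raw[m.end():].rstrip() if m else ""
            if in_buffer:
                if not body:          # empty margin line ends the input buffer
                    break
                d["buffer"] += body   # lines wrap mid-token: join with no separator
            elif body.startswith("Input Buffer"):
                in_buffer = True
            elif hit := re.match(r"Exception Code\s*=\s*(\w+)", body):
                d["exception"] = hit.group(1)
            elif hit := re.match(r"Exception Address\s*=\s*\w+\s+Module\((\w+)\+", body):
                d["module"] = hit.group(1)
        proc = re.match(r"Exec\s+(\w+)", d["buffer"], re.I)
        d["procedure"] = proc.group(1) if proc else None
        d["matches_kb"] = d["exception"] == "c0000005" and d["procedure"] == KB_PROC
        dumps.append(d)
    return dumps

# Constructed sample (placeholder GUID/host): one ERRORLOG-style dump, one dump-file-style.
SAMPLE = r"""
spid70 * BEGIN STACK DUMP:
spid70 *   Exception Address = 00007FF907AA1205 Module(sqllang+0000000000221205)
spid70 *   Exception Code    = c0000005 EXCEPTION_ACCESS_VIOLATION
spid70 * Input Buffer 120 bytes -
spid70 *  Exec VSE_InsertVirusDet
spid70 *  ectionEvent @AgentGUID='00000000-0000-0000-0000-000000000000',@Machi
spid70 *  neName=N'HOST01',@lEventID=1278
spid70 *
* BEGIN STACK DUMP:
*   Exception Code    = c0000005 EXCEPTION_ACCESS_VIOLATION
* Input Buffer 40 bytes -
*  Exec Hypothetical_OtherProc @Id=1
*
"""

if __name__ == "__main__":
    print([(d["procedure"], d["matches_kb"]) for d in parse_dumps(SAMPLE)])
```

Run it against the contents of a SQLDump file or an ERRORLOG excerpt; only dumps whose exception code and procedure both match the ones shown under Problem are flagged.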
Solution
The issue is resolved in SQL Server 2019 Cumulative Update 6 (CU6) or later.
Workaround
Change the SQL compatibility Level to