VirusScan Enterprise events aren't parsed with SQL 2019 compatibility level (150)
Technical Articles ID: KB92701
Last Modified: 2023-03-17 08:24:05 Etc/GMT
Environment
ePolicy Orchestrator (ePO) 5.10.x
VirusScan Enterprise (VSE) 8.8.x
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Problem
VSE events don't parse on SQL Server 2019 when the database compatibility level is set to 150.
The affected system used VSE 8.8 Patch 14 with extensions 8.8.0.732 and 1.2.0.452.
The EventParser_systemname.log records the following errors:
X #05988 EVNTPRSR source\server.cpp(1015): Processing <VirusDetectionEvent>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\61fe5a53-eee4-443f-957a-7c69e0b1ccb9-mc_20200413035946291795200000E98.txml.
X #05988 EPODAL ePOData_Connection.cpp(590): ssl Authenticate mode is 1
E #05988 VseBll DAL->ExecQuery failed. hr=80004005
E #05988 EVNTPRSR source\server.cpp(1064): COM Error 0x80004005, source=(null), desc=(null), msg=Unspecified error
E #05988 EVNTPRSR source\server.cpp(1128): Failed to process file C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\61fe5a53-eee4-443f-957a-7c69e0b1ccb9-mc_20200413035946291795200000E98.txml, XML file error count 1
In the log folder on the SQL Server (default: C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\LOG\), the ERRORLOG file records errors similar to the following:
spid70 Stack Signature for the dump is 0x00000000215601CF
spid70 Dump request is dismissed (stack signature 0x00000000215601CF).
Server Error: 17310, Severity: 20, State: 1.
Server A user request from the session with SPID 70 generated a fatal exception. SQL Server is terminating this session. Contact Product Support Services with the dump produced in the log directory.
spid70 CImageHelper::Init () Version-specific dbghelp.dll is not used
spid70 ***Stack Dump being sent to C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\LOG\SQLDump0019.txt
spid70 SqlDumpExceptionHandler: Process 70 generated fatal exception c0000005 EXCEPTION_ACCESS_VIOLATION. SQL Server is terminating this process.
spid70 * *******************************************************************************
spid70 *
spid70 * BEGIN STACK DUMP:
spid70 * 04/13/20 04:53:55 spid 70
spid70 *
spid70 *
spid70 * Exception Address = 00007FF907AA1205 Module(sqllang+0000000000221205)
spid70 * Exception Code = c0000005 EXCEPTION_ACCESS_VIOLATION
spid70 * Access Violation occurred reading address 0000000000000028
spid70 * Input Buffer 510 bytes -
spid70 * Exec VSE_InsertVirusDetectionEvent @AgentGUID='5774a602-7d22-
spid70 * 11ea-3510-005056aca64b',@UserName=N'CDA\cdaauto',@MachineName=N'771W10RS
spid70 * 4X6401',@OSName=N'Windows 8 Workstation',@IPAddress=N'10.26.97.153',@Tim
spid70 * eZoneBias=420,@ProductFamily=N'TVD',@ProductName=N'VirusScan Enterprise'
spid70 * ,@ProductVersion=N'8.8',@ScannerType=N'OAS',@TaskName=N'OAS',@EngineVers
spid70 * ion=N'6010.8670',@DATVersion=N'9589.0000',@LocalTime={ts '2020-04-13 03:
spid70 * 59:46'},@UTCTime={ts '2020-04-13 10:59:46'},@lEventID=1278,@Severity=3,@
spid70 * FileName=N'C:\Users\cdaauto\Desktop\sahas.com',@VirusName=N'Installation
spid70 * Check',@lVirusType=6,@szVirusType=N'test',@SensitivityLevel=N'_',@Sourc
spid70 * e=N'C:\Windows\System32\notepad.exe',@MD5=N'0d69e58385c4e47aa0ab6bd4983a
spid70 * 7f89'
Large numbers of dump files named SQLDumpXXXX.txt (where XXXX is a number) are created in the SQL Server log folder. They record errors similar to the following:
SQL Server is terminating this process.
****************************************
*
* BEGIN STACK DUMP:
* 04/13/20 03:03:38 spid 70
*
*
* Exception Address = 00007FF907AA1205 Module(sqllang+0000000000221205)
* Exception Code = c0000005 EXCEPTION_ACCESS_VIOLATION
* Access Violation occurred reading address 0000000000000028
* Input Buffer 510 bytes -
* Exec VSE_InsertVirusDetectionEvent @AgentGUID='5774a602-7d22-
* 11ea-3510-005056aca64b',@UserName=N'CDA\cdaauto',@MachineName=N'771W10RS
* 4X6401',@OSName=N'Windows 8 Workstation',@IPAddress=N'10.26.97.153',@Tim
* eZoneBias=420,@ProductFamily=N'TVD',@ProductName=N'VirusScan Enterprise'
* ,@ProductVersion=N'8.8',@ScannerType=N'OAS',@TaskName=N'OAS',@EngineVers
* ion=N'6010.8670',@DATVersion=N'9589.0000',@LocalTime={ts '2020-04-13 03:
* 03:18'},@UTCTime={ts '2020-04-13 10:03:18'},@lEventID=1278,@Severity=3,@
* FileName=N'C:\Users\cdaauto\Desktop\rgc.com',@VirusName=N'Installation C
* heck',@lVirusType=6,@szVirusType=N'test',@SensitivityLevel=N'_',@Source=
* N'C:\Windows\System32\notepad.exe',@MD5=N'0d69e58385c4e47aa0ab6bd4983a7f
* 89'
*
Cause
The issue is in the SQL Server 2019 base (RTM) version, which fails when it performs an internal function on binary concatenation.
Solution
The issue is resolved in SQL Server 2019 Cumulative Update 6 (CU6) or above.
Workaround
Change the SQL compatibility level to SQL Server 2017 (140). Perform the following steps:
- Open Microsoft SQL Server Management Studio, and expand Databases.
- Right-click the main ePO database, and select Properties.
- On the Options page, locate Compatibility level.
- Click the drop-down list and select SQL Server 2017 (140).
- Repeat this process for the ePO events database.
Events are parsed after the compatibility level is changed to SQL Server 2017 (140).
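The same workaround as a T-SQL script, added here as an example and not part of the KB article: it checks whether the instance is SQL Server 2019 below CU6 and, if so, moves the two ePO databases from compatibility level 150 to 140. The database names are placeholders, and the assumption that SERVERPROPERTY('ProductUpdateLevel') is NULL on the RTM build is noted in the comments.

```sql
-- Added example (not from the KB): apply the compatibility-level workaround
-- only where it is needed, i.e. SQL Server 2019 (major version 15) below CU6.
-- Database names below are placeholders; substitute your ePO database names.
SET NOCOUNT ON;

DECLARE @epoDb    sysname = N'ePO_DATABASE_NAME';        -- placeholder
DECLARE @eventsDb sysname = N'ePO_EVENTS_DATABASE_NAME'; -- placeholder

-- SQL Server 2019 reports ProductMajorVersion 15. ProductUpdateLevel is
-- assumed to be NULL on the RTM build and 'CUn' once a cumulative update
-- is installed, so a NULL is treated as CU0.
DECLARE @major int          = CAST(SERVERPROPERTY('ProductMajorVersion') AS int);
DECLARE @cu    nvarchar(16) = CAST(SERVERPROPERTY('ProductUpdateLevel') AS nvarchar(16));
DECLARE @cuNum int          = TRY_CAST(REPLACE(@cu, 'CU', '') AS int);

PRINT 'Server build: ' + CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32))
    + ' (' + ISNULL(@cu, 'RTM, no CU') + ')';

IF @major = 15 AND ISNULL(@cuNum, 0) < 6
BEGIN
    PRINT 'SQL Server 2019 below CU6: VSE event parsing fails at compatibility level 150.';

    DECLARE @db sysname, @level int, @sql nvarchar(max);
    DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
        SELECT name, compatibility_level
        FROM sys.databases
        WHERE name IN (@epoDb, @eventsDb);

    OPEN dbs;
    FETCH NEXT FROM dbs INTO @db, @level;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        IF @level = 150
        BEGIN
            -- Same change as Properties > Options > Compatibility level > SQL Server 2017 (140)
            SET @sql = N'ALTER DATABASE ' + QUOTENAME(@db) + N' SET COMPATIBILITY_LEVEL = 140;';
            EXEC sys.sp_executesql @sql;
            PRINT 'Changed ' + @db + ' from compatibility level 150 to 140.';
        END
        ELSE
            PRINT @db + ' is already at compatibility level ' + CAST(@level AS nvarchar(8)) + '.';
        FETCH NEXT FROM dbs INTO @db, @level;
    END
    CLOSE dbs; DEALLOCATE dbs;
END
ELSE
    PRINT 'Instance is SQL Server 2019 CU6 or later, or not SQL Server 2019: workaround not needed.';
```

Run it in a query window connected to the ePO SQL instance with a login that has ALTER permission on both databases; a database that is not found in sys.databases is simply skipped, so verify the placeholder names first.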