Beech Horn

That line looks like the example from:
https://docs.microsoft.com/en-us/previous-versions/windows/hardware/code-signing/dn756632(v=vs.85)#user-mode-and-kernel-mode-code-troubleshooting
With the signing levels being:
0x0: Unchecked 0x1: Unsigned 0x2: Enterprise 0x3: Custom 1 0x4: Authenticode 0x5: Custom 2 0x6: Store 0x7: Custom 3 / Antimalware 0x8: Microsoft 0x9: Custom 4 0xa: Custom 5 0xb: Dynamic Code Generation 0xc: Windows 0xd: Windows Protected Process Light 0xe: Windows TCB 0xf: Custom 6 It looks like you are requesting all DLLs to be higher than (or more likely equal to) 0x7 (Antimalware) and this DLL is actually 0x1 (Unsigned).
THE FOLLOWING IS THEORY AND SHOULD NOT BE CONSIDERED ACCURATE
To me, it looks like NOD32 is loading the DLLs into its own service when running as a Protected Service rather than scanning them without loading it into memory in a manner unlike a library (e.g. without running the code or injecting the DLL into the service).
On top of this sqlnclir11.rll should be reported as 0x8 instead of 0x1 by Microsoft, which is in itself a problem.
If we look at 0x4 (Authenticode) this would also trigger that error but could be legitimate signed code which gets blocked due to the way NOD32 is scanning when running as a Protected Service.

We had the same issue and have downgraded EFS to 6.5.12010.0.  Will stay in that version until the problem is fixed.

same problem here.  Same observation with disabling automatic exclusions.
No update on this post?

You can disable automatic exclusions completely or only for desired applications in the advanced setup. Installed applications are detected automatically so the list may look differently on your server:

Hi,
as marcos noted this error is logged when automatic exclusions for Microsoft SQL server are enabled. Automatic exclusions for Microsoft SQL server are using ADO API to read information from "sys.master_files" table to get list of files to exclude from scanning. The ADO API obviously loads a DLL that is not signed.
As a workaround, automatic exclusions for Microsoft SQL server can be disabled.

I am also seeing this error on a Windows Server with MS SQL Server 2012 Express LocalDB (ver. 11.4.7469.6) and MS SQL Server 2012 Native Client (ver. 11.4.7001.0) that were installed with MS Azure AD Connect ver. 1.1.888.0.
BTW, sqlnclir11.rll is not a DLL but a RLL file explained here:
https://docs.microsoft.com/en-us/sql/relational-databases/native-client/applications/components-of-sql-server-native-client
I do not understand why ekrn service, that works as a protected service, needs to load sqlnclir11.rll file.

What's the workaround on this? It's causing client software crashes in one of our environments. Uninstalling ESET off of the server got rid of the above mentioned error and the frequent disconnects. Can we whitelist this process somehow?