EFS 7.0.12014.0 - MSSQL ERROR

[Marcos 5,071]

Anti-Malware Services are part of Window 8.1 and Windows 10 itself, it's not our service. We merely utilize it.
In Windows 8.1, a new concept of protected service has been introduced to allow anti-malware user-mode services to be launched as a protected service. After the service is launched as protected, Windows uses code integrity to only allow trusted code to load into the protected service. Windows also protects these processes from code injection and other attacks from admin processes. (https://docs.microsoft.com/en-us/windows/desktop/services/protecting-anti-malware-services-)

You can post your sqlnclir11.rll and we will check Microsoft's signature if Windows AM Services should accept it and allow it to be loaded into protected services.

[Beech Horn 1]

5 minutes ago, Marcos said:

Anti-Malware Services are part of Window 8.1 and Windows 10 itself, it's not our service. We merely utilize it.
In Windows 8.1, a new concept of protected service has been introduced to allow anti-malware user-mode services to be launched as a protected service. After the service is launched as protected, Windows uses code integrity to only allow trusted code to load into the protected service. Windows also protects these processes from code injection and other attacks from admin processes. (https://docs.microsoft.com/en-us/windows/desktop/services/protecting-anti-malware-services-)

You can post your sqlnclir11.rll and we will check Microsoft's signature if Windows AM Services should accept it and allow it to be loaded into protected services.

Attached.

sqlnclir11.zip

[Marcos 5,071]

Thank you, I have passed it to a developer. Will keep you posted.

Last time we checked the rll file (not sure if 100% same), the file did not have a valid signature:

[\Device\HarddiskVolume1\Windows\System32\1033\sqlnclir11.rll]:[\Device\HarddiskVolume1\Program Files\ESET\ESET Security\ekrn.exe] 0x7 > 0x1

******************************************************************

This break indicates this binary is not signed correctly: \Device\HarddiskVolume1\Windows\System32\1033\sqlnclir11.rll

and does not meet the system policy.

The binary was attempted to be loaded in the process: \Device\HarddiskVolume1\Program Files\ESET\ESET Security\ekrn.exe

This is not a failure in CI, but a problem with the failing binary.

Please contact the binary owner for getting the binary correctly signed.

*****************************************************************

[Beech Horn 1]

1 hour ago, Marcos said:

Thank you, I have passed it to a developer. Will keep you posted.

Last time we checked the rll file (not sure if 100% same), the file did not have a valid signature:

[\Device\HarddiskVolume1\Windows\System32\1033\sqlnclir11.rll]:[\Device\HarddiskVolume1\Program Files\ESET\ESET Security\ekrn.exe] 0x7 > 0x1

******************************************************************

This break indicates this binary is not signed correctly: \Device\HarddiskVolume1\Windows\System32\1033\sqlnclir11.rll

and does not meet the system policy.

The binary was attempted to be loaded in the process: \Device\HarddiskVolume1\Program Files\ESET\ESET Security\ekrn.exe

This is not a failure in CI, but a problem with the failing binary.

Please contact the binary owner for getting the binary correctly signed.

*****************************************************************

1

That line looks like the example from:

https://docs.microsoft.com/en-us/previous-versions/windows/hardware/code-signing/dn756632(v=vs.85)#user-mode-and-kernel-mode-code-troubleshooting

With the signing levels being:

• 0x0: Unchecked
• 0x1: Unsigned
• 0x2: Enterprise
• 0x3: Custom 1
• 0x4: Authenticode
• 0x5: Custom 2
• 0x6: Store
• 0x7: Custom 3 / Antimalware
• 0x8: Microsoft
• 0x9: Custom 4
• 0xa: Custom 5
• 0xb: Dynamic Code Generation
• 0xc: Windows
• 0xd: Windows Protected Process Light
• 0xe: Windows TCB
• 0xf: Custom 6

It looks like you are requesting all DLLs to be higher than (or more likely equal to) 0x7 (Antimalware) and this DLL is actually 0x1 (Unsigned).

THE FOLLOWING IS THEORY AND SHOULD NOT BE CONSIDERED ACCURATE

To me, it looks like NOD32 is loading the DLLs into its own service when running as a Protected Service rather than scanning them without loading it into memory in a manner unlike a library (e.g. without running the code or injecting the DLL into the service).

On top of this sqlnclir11.rll should be reported as 0x8 instead of 0x1 by Microsoft, which is in itself a problem.

If we look at 0x4 (Authenticode) this would also trigger that error but could be legitimate signed code which gets blocked due to the way NOD32 is scanning when running as a Protected Service.

Edited February 19, 2019 by Beech Horn

[filips 44]

Hi,

as marcos noted this error is logged when automatic exclusions for Microsoft SQL server are enabled. Automatic exclusions for Microsoft SQL server are using ADO API to read information from "sys.master_files" table to get list of files to exclude from scanning. The ADO API obviously loads a DLL that is not signed.

As a workaround, automatic exclusions for Microsoft SQL server can be disabled.

[Ran Hooper 1]

3 hours ago, filips said:

 

As a workaround, automatic exclusions for Microsoft SQL server can be disabled.

How?

[Marcos 5,071]

You can disable automatic exclusions completely or only for desired applications in the advanced setup. Installed applications are detected automatically so the list may look differently on your server:

[Beech Horn 1]

9 hours ago, Ran Hooper said:

How?

Am seeing fewer entries in event viewer having toggled that option off, but we still have the blocking behavior to our application with Protected Service turned on. For reference, the application is Sage X3. We have to run with Protected Service turned off for it to function correctly.

[Marcos 5,071]

Not sure what Sage does exactly but there is no reason for it to inject into ESET's processes. I would suggest raising a support case so that the issue is investigated. Most likely the vendor of Sage will need to be contacted with recommendations from our developers after all.

[Beech Horn 1]

4 minutes ago, Marcos said:

Not sure what Sage does exactly but there is no reason for it to inject into ESET's processes.

If it's 100% that and there's no conflict where SQL Client's use by one application is blocked due to ESET running as a Protected Service then great, I can take it back to the development team on their side.

Edited February 20, 2019 by Beech Horn

[sgrouwstra 0]

I tried to disable "Protected Service" and also tried updating SQL 2012/2014/2016 (on all versions we had this error), but did not help.

Last week i updated efsw to version 7.0.12018.0, and it appears the error in the event log is gone.

[Robbb 0]

11 hours ago, sgrouwstra said:

I tried to disable "Protected Service" and also tried updating SQL 2012/2014/2016 (on all versions we had this error), but did not help.

Last week i updated efsw to version 7.0.12018.0, and it appears the error in the event log is gone.

I only started seeing these errors once upgraded to 7.0.12018.0, so it's not just that.

Still getting these errors as of 20 mins ago.

[tchapuisat 0]

Same problem here with version ESET File Security 7.0.12016.0 or 7.0.12018.0 on Windows 2012 R2, 2016 or 2019.
"SQL Server Native Client 11.0: Unable to load sqlnclir11.rll due to either missing file or version mismatch. The application cannot continue."

Edited March 20, 2019 by tchapuisat

[Marcos 5,071]

Have you already tried installing SQL Server 2014 Service Pack 3 (KB4022619) ? Does disabling automatic exclusions make a difference?

[Beech Horn 1]

35 minutes ago, Marcos said:

Have you already tried installing SQL Server 2014 Service Pack 3 (KB4022619) ? Does disabling automatic exclusions make a difference?

Even the latest service pack contains the same rll file. Disabling automatic exclusions makes no difference.

[Jean-Paul 2]

same problem here.  Same observation with disabling automatic exclusions.

No update on this post?

[Marcos 5,071]

We informed Microsoft about that, it's now their turn.

[Camilo Diaz 2]

We had the same issue and have downgraded EFS to 6.5.12010.0.  Will stay in that version until the problem is fixed.

[Marcos 5,071]

8 hours ago, Camilo Diaz said:

We had the same issue and have downgraded EFS to 6.5.12010.0.  Will stay in that version until the problem is fixed.

It's not a problem. The only reason why it occurs with v7 is that older version didn't support protected service, a security feature of Windows. In v7 it's possible to disable protected service at the cost of worsening protection, however, it wouldn't be worse than with v6.5 which didn't support it yet. With v7 you get also ransomware shield which can proactively protect the server from encryption by ransomware.

[Camilo Diaz 2]

Thanks Marcos. When you said "it's possible to disable protected service", do you mean to  disable 'Automatic exclusions to generate" for Microsoft SQL Server?

 

 

[Marcos 5,071]

17 minutes ago, Camilo Diaz said:

Thanks Marcos. When you said "it's possible to disable protected service", do you mean to  disable 'Automatic exclusions to generate" for Microsoft SQL Server?

I meant "Protected service" in the HIPS setup. Personally I wouldn't trade protection for convenience and would rather ignore the error until Microsoft fixes the issue.

[Morris B 0]

Is it possible to push disabling this HIPS setting to all of the servers running EFS 7.0.12014.0 and higher from ERAS 6.5?  (Upgrading to ESMC 7.x is on my list of projects to do soon.) 

Or has this issue been fixed in 7.012016.0 or 7.012018.0? 

[Marcos 5,071]

9 hours ago, Morris B said:

Is it possible to push disabling this HIPS setting to all of the servers running EFS 7.0.12014.0 and higher from ERAS 6.5?  (Upgrading to ESMC 7.x is on my list of projects to do soon.) 

Or has this issue been fixed in 7.012016.0 or 7.012018.0? 

Again, this is not an issue of ESET but Microsoft. There's nothing we could fix in this regard on our part. We've been waiting for Microsoft to come up with a fix.

[Morris B 0]

Upon doing a Google search for, "SQL Server Native Client 11.0: Unable to load sqlnclir11.rll due to either missing file or version mismatch. The application cannot continue."  This is the only forum discussing this topic.  If this was a Microsoft issue, you would expect this to be all over the internet. 

Having said that, I have 80+ servers running EFS 7.0.12014.0 or higher, so I'm looking for a method to change this setting without having to manually touch each one.  So back to my first question, "Is it possible to push disabling this HIPS setting to all of the servers running EFS 7.0.12014.0 and higher from ERAS 6.5?" 

Edited May 7, 2019 by Morris B

[espkiller 0]

the same problem here, some progress?