Marcos (Administrators) Posted February 19, 2019
Anti-Malware Services are part of Windows 8.1 and Windows 10 itself; it's not our service. We merely utilize it. In Windows 8.1, a new concept of protected service has been introduced to allow anti-malware user-mode services to be launched as a protected service. After the service is launched as protected, Windows uses code integrity to only allow trusted code to load into the protected service. Windows also protects these processes from code injection and other attacks from admin processes. (https://docs.microsoft.com/en-us/windows/desktop/services/protecting-anti-malware-services-) You can post your sqlnclir11.rll and we will check Microsoft's signature if Windows AM Services should accept it and allow it to be loaded into protected services.
Beech Horn Posted February 19, 2019
> 5 minutes ago, Marcos said: Anti-Malware Services are part of Windows 8.1 and Windows 10 itself; it's not our service. We merely utilize it. In Windows 8.1, a new concept of protected service has been introduced to allow anti-malware user-mode services to be launched as a protected service. After the service is launched as protected, Windows uses code integrity to only allow trusted code to load into the protected service. Windows also protects these processes from code injection and other attacks from admin processes. (https://docs.microsoft.com/en-us/windows/desktop/services/protecting-anti-malware-services-) You can post your sqlnclir11.rll and we will check Microsoft's signature if Windows AM Services should accept it and allow it to be loaded into protected services.
Attached. sqlnclir11.zip
Marcos (Administrators) Posted February 19, 2019
Thank you, I have passed it to a developer. Will keep you posted. Last time we checked the rll file (not sure if 100% same), the file did not have a valid signature:

[\Device\HarddiskVolume1\Windows\System32\1033\sqlnclir11.rll]:[\Device\HarddiskVolume1\Program Files\ESET\ESET Security\ekrn.exe] 0x7 > 0x1
******************************************************************
This break indicates this binary is not signed correctly:
\Device\HarddiskVolume1\Windows\System32\1033\sqlnclir11.rll
and does not meet the system policy.
The binary was attempted to be loaded in the process:
\Device\HarddiskVolume1\Program Files\ESET\ESET Security\ekrn.exe
This is not a failure in CI, but a problem with the failing binary.
Please contact the binary owner for getting the binary correctly signed.
*****************************************************************
Beech Horn Posted February 19, 2019 (edited)
> 1 hour ago, Marcos said: Thank you, I have passed it to a developer. Will keep you posted. Last time we checked the rll file (not sure if 100% same), the file did not have a valid signature:
> [\Device\HarddiskVolume1\Windows\System32\1033\sqlnclir11.rll]:[\Device\HarddiskVolume1\Program Files\ESET\ESET Security\ekrn.exe] 0x7 > 0x1
> ******************************************************************
> This break indicates this binary is not signed correctly:
> \Device\HarddiskVolume1\Windows\System32\1033\sqlnclir11.rll
> and does not meet the system policy.
> The binary was attempted to be loaded in the process:
> \Device\HarddiskVolume1\Program Files\ESET\ESET Security\ekrn.exe
> This is not a failure in CI, but a problem with the failing binary.
> Please contact the binary owner for getting the binary correctly signed.
> *****************************************************************
That line looks like the example from: https://docs.microsoft.com/en-us/previous-versions/windows/hardware/code-signing/dn756632(v=vs.85)#user-mode-and-kernel-mode-code-troubleshooting

With the signing levels being:
0x0: Unchecked
0x1: Unsigned
0x2: Enterprise
0x3: Custom 1
0x4: Authenticode
0x5: Custom 2
0x6: Store
0x7: Custom 3 / Antimalware
0x8: Microsoft
0x9: Custom 4
0xa: Custom 5
0xb: Dynamic Code Generation
0xc: Windows
0xd: Windows Protected Process Light
0xe: Windows TCB
0xf: Custom 6

It looks like you are requesting all DLLs to be higher than (or more likely equal to) 0x7 (Antimalware) and this DLL is actually 0x1 (Unsigned).

THE FOLLOWING IS THEORY AND SHOULD NOT BE CONSIDERED ACCURATE
To me, it looks like NOD32 is loading the DLLs into its own service when running as a Protected Service rather than scanning them without loading them into memory in a manner unlike a library (e.g. without running the code or injecting the DLL into the service).
On top of this, sqlnclir11.rll should be reported as 0x8 instead of 0x1 by Microsoft, which is in itself a problem. If we look at 0x4 (Authenticode), this would also trigger that error but could be legitimately signed code which gets blocked due to the way NOD32 is scanning when running as a Protected Service.
Edited February 19, 2019 by Beech Horn
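As an added illustration (not code from the thread, ESET or Microsoft), the following decodes break lines of the shape Marcos quoted using the signing-level table above. Reading `0x7 > 0x1` as "required level > actual level" and treating a numerically lower actual level as refused is my interpretation of the post; the two extra sample lines are constructed.

```python
import re

# SE_SIGNING_LEVEL values as tabulated in the post above.
SIGNING_LEVELS = {
    0x0: "Unchecked", 0x1: "Unsigned", 0x2: "Enterprise", 0x3: "Custom 1",
    0x4: "Authenticode", 0x5: "Custom 2", 0x6: "Store",
    0x7: "Custom 3 / Antimalware", 0x8: "Microsoft", 0x9: "Custom 4",
    0xa: "Custom 5", 0xb: "Dynamic Code Generation", 0xc: "Windows",
    0xd: "Windows Protected Process Light", 0xe: "Windows TCB", 0xf: "Custom 6",
}

# Break line shape quoted in the thread:
#   [<image being loaded>]:[<process loading it>] <required level> > <actual level>
_BREAK_RE = re.compile(
    r"^\[(?P<image>[^\]]+)\]:\[(?P<process>[^\]]+)\]\s+"
    r"(?P<required>0x[0-9a-fA-F]+)\s*>\s*(?P<actual>0x[0-9a-fA-F]+)\s*$"
)

# First line is the one from the thread; the other two are constructed samples
# (an Authenticode-only DLL and a Windows-signed DLL) to show the boundary.
SAMPLE_LINES = [
    r"[\Device\HarddiskVolume1\Windows\System32\1033\sqlnclir11.rll]:[\Device\HarddiskVolume1\Program Files\ESET\ESET Security\ekrn.exe] 0x7 > 0x1",
    r"[\Device\HarddiskVolume1\Vendor\vendor_authenticode.dll]:[\Device\HarddiskVolume1\Program Files\ESET\ESET Security\ekrn.exe] 0x7 > 0x4",
    r"[\Device\HarddiskVolume1\Windows\System32\ntdll.dll]:[\Device\HarddiskVolume1\Program Files\ESET\ESET Security\ekrn.exe] 0x7 > 0xc",
]

def _basename(nt_path):
    return nt_path.rsplit("\\", 1)[-1]

def parse_ci_break(line):
    """Return a dict describing one CI break line, or None if it does not match."""
    m = _BREAK_RE.match(line.strip())
    if not m:
        return None
    required, actual = int(m.group("required"), 16), int(m.group("actual"), 16)
    return {
        "image": m.group("image"), "process": m.group("process"),
        "required": required, "required_name": SIGNING_LEVELS.get(required, "Unknown"),
        "actual": actual, "actual_name": SIGNING_LEVELS.get(actual, "Unknown"),
        # Assumption: the load is refused when the image's level is below the one demanded.
        "blocked": actual < required,
    }

def explain(line):
    """One-line human verdict for a break line, e.g. for triaging an event log export."""
    info = parse_ci_break(line)
    if info is None:
        return "not a CI signing-level break line"
    verdict = "BLOCKED" if info["blocked"] else "allowed"
    return (f"{verdict}: {_basename(info['image'])} is {info['actual_name']} "
            f"(0x{info['actual']:x}) but {_basename(info['process'])} requires "
            f"at least {info['required_name']} (0x{info['required']:x})")

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(explain(sample))
```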
filips (ESET Staff) Posted February 19, 2019
Hi, as Marcos noted, this error is logged when automatic exclusions for Microsoft SQL Server are enabled. Automatic exclusions for Microsoft SQL Server use the ADO API to read information from the "sys.master_files" table to get the list of files to exclude from scanning. The ADO API obviously loads a DLL that is not signed. As a workaround, automatic exclusions for Microsoft SQL Server can be disabled.
Ran Hooper Posted February 19, 2019
> 3 hours ago, filips said: As a workaround, automatic exclusions for Microsoft SQL Server can be disabled.
How?
Marcos (Administrators) Posted February 19, 2019
You can disable automatic exclusions completely or only for desired applications in the advanced setup. Installed applications are detected automatically, so the list may look different on your server.
Beech Horn Posted February 20, 2019
> 9 hours ago, Ran Hooper said: How?
I am seeing fewer entries in Event Viewer having toggled that option off, but we still have the blocking behavior to our application with Protected Service turned on. For reference, the application is Sage X3. We have to run with Protected Service turned off for it to function correctly.
Marcos (Administrators) Posted February 20, 2019
Not sure what Sage does exactly, but there is no reason for it to inject into ESET's processes. I would suggest raising a support case so that the issue is investigated. Most likely the vendor of Sage will need to be contacted with recommendations from our developers after all.
Beech Horn Posted February 20, 2019 (edited)
> 4 minutes ago, Marcos said: Not sure what Sage does exactly, but there is no reason for it to inject into ESET's processes.
If it's 100% that and there's no conflict where SQL Client's use by one application is blocked due to ESET running as a Protected Service, then great, I can take it back to the development team on their side.
Edited February 20, 2019 by Beech Horn
sgrouwstra Posted March 19, 2019
I tried to disable "Protected Service" and also tried updating SQL 2012/2014/2016 (on all versions we had this error), but it did not help. Last week I updated efsw to version 7.0.12018.0, and it appears the error in the event log is gone.
Robbb Posted March 19, 2019
> 11 hours ago, sgrouwstra said: I tried to disable "Protected Service" and also tried updating SQL 2012/2014/2016 (on all versions we had this error), but it did not help. Last week I updated efsw to version 7.0.12018.0, and it appears the error in the event log is gone.
I only started seeing these errors once I upgraded to 7.0.12018.0, so it's not just that. Still getting these errors as of 20 mins ago.
tchapuisat Posted March 20, 2019 (edited)
Same problem here with ESET File Security version 7.0.12016.0 or 7.0.12018.0 on Windows 2012 R2, 2016 or 2019. "SQL Server Native Client 11.0: Unable to load sqlnclir11.rll due to either missing file or version mismatch. The application cannot continue."
Edited March 20, 2019 by tchapuisat
Marcos (Administrators) Posted March 22, 2019
Have you already tried installing SQL Server 2014 Service Pack 3 (KB4022619)? Does disabling automatic exclusions make a difference?
Beech Horn Posted March 22, 2019
> 35 minutes ago, Marcos said: Have you already tried installing SQL Server 2014 Service Pack 3 (KB4022619)? Does disabling automatic exclusions make a difference?
Even the latest service pack contains the same rll file. Disabling automatic exclusions makes no difference.
Jean-Paul Posted April 15, 2019
Same problem here. Same observation with disabling automatic exclusions. No update on this post?
Marcos (Administrators) Posted April 15, 2019
We informed Microsoft about that; it's now their turn.
Camilo Diaz Posted May 3, 2019
We had the same issue and have downgraded EFS to 6.5.12010.0. Will stay on that version until the problem is fixed.
Marcos (Administrators) Posted May 3, 2019
> 8 hours ago, Camilo Diaz said: We had the same issue and have downgraded EFS to 6.5.12010.0. Will stay on that version until the problem is fixed.
It's not a problem. The only reason why it occurs with v7 is that older versions didn't support protected service, a security feature of Windows. In v7 it's possible to disable protected service at the cost of worsening protection; however, it wouldn't be worse than with v6.5, which didn't support it yet. With v7 you also get Ransomware Shield, which can proactively protect the server from encryption by ransomware.
Camilo Diaz Posted May 6, 2019
Thanks Marcos. When you said "it's possible to disable protected service", do you mean to disable "Automatic exclusions to generate" for Microsoft SQL Server?
Marcos (Administrators) Posted May 6, 2019
> 17 minutes ago, Camilo Diaz said: Thanks Marcos. When you said "it's possible to disable protected service", do you mean to disable "Automatic exclusions to generate" for Microsoft SQL Server?
I meant "Protected service" in the HIPS setup. Personally I wouldn't trade protection for convenience and would rather ignore the error until Microsoft fixes the issue.
Morris B Posted May 6, 2019
Is it possible to push disabling this HIPS setting to all of the servers running EFS 7.0.12014.0 and higher from ERAS 6.5? (Upgrading to ESMC 7.x is on my list of projects to do soon.) Or has this issue been fixed in 7.012016.0 or 7.012018.0?
Marcos (Administrators) Posted May 7, 2019
> 9 hours ago, Morris B said: Is it possible to push disabling this HIPS setting to all of the servers running EFS 7.0.12014.0 and higher from ERAS 6.5? (Upgrading to ESMC 7.x is on my list of projects to do soon.) Or has this issue been fixed in 7.012016.0 or 7.012018.0?
Again, this is not an issue of ESET but Microsoft. There's nothing we could fix in this regard on our part. We've been waiting for Microsoft to come up with a fix.
Morris B Posted May 7, 2019 (edited)
Upon doing a Google search for "SQL Server Native Client 11.0: Unable to load sqlnclir11.rll due to either missing file or version mismatch. The application cannot continue.", this is the only forum discussing this topic. If this was a Microsoft issue, you would expect this to be all over the internet. Having said that, I have 80+ servers running EFS 7.0.12014.0 or higher, so I'm looking for a method to change this setting without having to manually touch each one. So back to my first question: "Is it possible to push disabling this HIPS setting to all of the servers running EFS 7.0.12014.0 and higher from ERAS 6.5?"
Edited May 7, 2019 by Morris B