Jump to content
saroot

EFS 7.0.12014.0 - MSSQL ERROR

Recommended Posts

Anti-Malware Services are part of Window 8.1 and Windows 10 itself, it's not our service. We merely utilize it.
In Windows 8.1, a new concept of protected service has been introduced to allow anti-malware user-mode services to be launched as a protected service. After the service is launched as protected, Windows uses code integrity to only allow trusted code to load into the protected service. Windows also protects these processes from code injection and other attacks from admin processes. (https://docs.microsoft.com/en-us/windows/desktop/services/protecting-anti-malware-services-)

You can post your sqlnclir11.rll and we will check Microsoft's signature if Windows AM Services should accept it and allow it to be loaded into protected services.

Share this post


Link to post
Share on other sites
5 minutes ago, Marcos said:

Anti-Malware Services are part of Window 8.1 and Windows 10 itself, it's not our service. We merely utilize it.
In Windows 8.1, a new concept of protected service has been introduced to allow anti-malware user-mode services to be launched as a protected service. After the service is launched as protected, Windows uses code integrity to only allow trusted code to load into the protected service. Windows also protects these processes from code injection and other attacks from admin processes. (https://docs.microsoft.com/en-us/windows/desktop/services/protecting-anti-malware-services-)

You can post your sqlnclir11.rll and we will check Microsoft's signature if Windows AM Services should accept it and allow it to be loaded into protected services.

Attached.

sqlnclir11.zip

Share this post


Link to post
Share on other sites

Thank you, I have passed it to a developer. Will keep you posted.

Last time we checked the rll file (not sure if 100% same), the file did not have a valid signature:

[\Device\HarddiskVolume1\Windows\System32\1033\sqlnclir11.rll]:[\Device\HarddiskVolume1\Program Files\ESET\ESET Security\ekrn.exe] 0x7 > 0x1
******************************************************************

 
This break indicates this binary is not signed correctly: \Device\HarddiskVolume1\Windows\System32\1033\sqlnclir11.rll
and does not meet the system policy.
The binary was attempted to be loaded in the process: \Device\HarddiskVolume1\Program Files\ESET\ESET Security\ekrn.exe
This is not a failure in CI, but a problem with the failing binary.
Please contact the binary owner for getting the binary correctly signed.
*****************************************************************

Share this post


Link to post
Share on other sites
1 hour ago, Marcos said:

Thank you, I have passed it to a developer. Will keep you posted.

Last time we checked the rll file (not sure if 100% same), the file did not have a valid signature:


[\Device\HarddiskVolume1\Windows\System32\1033\sqlnclir11.rll]:[\Device\HarddiskVolume1\Program Files\ESET\ESET Security\ekrn.exe] 0x7 > 0x1

******************************************************************


 

This break indicates this binary is not signed correctly: \Device\HarddiskVolume1\Windows\System32\1033\sqlnclir11.rll

and does not meet the system policy.

The binary was attempted to be loaded in the process: \Device\HarddiskVolume1\Program Files\ESET\ESET Security\ekrn.exe

This is not a failure in CI, but a problem with the failing binary.

Please contact the binary owner for getting the binary correctly signed.

*****************************************************************
1

That line looks like the example from:

https://docs.microsoft.com/en-us/previous-versions/windows/hardware/code-signing/dn756632(v=vs.85)#user-mode-and-kernel-mode-code-troubleshooting

With the signing levels being:

  • 0x0: Unchecked
  • 0x1: Unsigned
  • 0x2: Enterprise
  • 0x3: Custom 1
  • 0x4: Authenticode
  • 0x5: Custom 2
  • 0x6: Store
  • 0x7: Custom 3 / Antimalware
  • 0x8: Microsoft
  • 0x9: Custom 4
  • 0xa: Custom 5
  • 0xb: Dynamic Code Generation
  • 0xc: Windows
  • 0xd: Windows Protected Process Light
  • 0xe: Windows TCB
  • 0xf: Custom 6

It looks like you are requesting all DLLs to be higher than (or more likely equal to) 0x7 (Antimalware) and this DLL is actually 0x1 (Unsigned).

THE FOLLOWING IS THEORY AND SHOULD NOT BE CONSIDERED ACCURATE

To me, it looks like NOD32 is loading the DLLs into its own service when running as a Protected Service rather than scanning them without loading it into memory in a manner unlike a library (e.g. without running the code or injecting the DLL into the service).

On top of this sqlnclir11.rll should be reported as 0x8 instead of 0x1 by Microsoft, which is in itself a problem.

If we look at 0x4 (Authenticode) this would also trigger that error but could be legitimate signed code which gets blocked due to the way NOD32 is scanning when running as a Protected Service.

Edited by Beech Horn

Share this post


Link to post
Share on other sites

Hi,

as marcos noted this error is logged when automatic exclusions for Microsoft SQL server are enabled. Automatic exclusions for Microsoft SQL server are using ADO API to read information from "sys.master_files" table to get list of files to exclude from scanning. The ADO API obviously loads a DLL that is not signed.

As a workaround, automatic exclusions for Microsoft SQL server can be disabled.

Share this post


Link to post
Share on other sites
3 hours ago, filips said:

 

As a workaround, automatic exclusions for Microsoft SQL server can be disabled.

How?

Share this post


Link to post
Share on other sites

You can disable automatic exclusions completely or only for desired applications in the advanced setup. Installed applications are detected automatically so the list may look differently on your server:

image.png

Share this post


Link to post
Share on other sites
9 hours ago, Ran Hooper said:

How?

Am seeing fewer entries in event viewer having toggled that option off, but we still have the blocking behavior to our application with Protected Service turned on. For reference, the application is Sage X3. We have to run with Protected Service turned off for it to function correctly.

automatic exclusions to generate.png

Share this post


Link to post
Share on other sites

Not sure what Sage does exactly but there is no reason for it to inject into ESET's processes. I would suggest raising a support case so that the issue is investigated. Most likely the vendor of Sage will need to be contacted with recommendations from our developers after all.

Share this post


Link to post
Share on other sites
4 minutes ago, Marcos said:

Not sure what Sage does exactly but there is no reason for it to inject into ESET's processes.

If it's 100% that and there's no conflict where SQL Client's use by one application is blocked due to ESET running as a Protected Service then great, I can take it back to the development team on their side.

Edited by Beech Horn

Share this post


Link to post
Share on other sites

I tried to disable "Protected Service" and also tried updating SQL 2012/2014/2016 (on all versions we had this error), but did not help.

Last week i updated efsw to version 7.0.12018.0, and it appears the error in the event log is gone.

Share this post


Link to post
Share on other sites
11 hours ago, sgrouwstra said:

I tried to disable "Protected Service" and also tried updating SQL 2012/2014/2016 (on all versions we had this error), but did not help.

Last week i updated efsw to version 7.0.12018.0, and it appears the error in the event log is gone.

I only started seeing these errors once upgraded to 7.0.12018.0, so it's not just that.

Still getting these errors as of 20 mins ago.

Share this post


Link to post
Share on other sites
Posted (edited)

Same problem here with version ESET File Security 7.0.12016.0 or 7.0.12018.0 on Windows 2012 R2, 2016 or 2019.
"SQL Server Native Client 11.0: Unable to load sqlnclir11.rll due to either missing file or version mismatch. The application cannot continue."

Edited by tchapuisat

Share this post


Link to post
Share on other sites

Have you already tried installing SQL Server 2014 Service Pack 3 (KB4022619) ? Does disabling automatic exclusions make a difference?

Share this post


Link to post
Share on other sites
35 minutes ago, Marcos said:

Have you already tried installing SQL Server 2014 Service Pack 3 (KB4022619) ? Does disabling automatic exclusions make a difference?

Even the latest service pack contains the same rll file. Disabling automatic exclusions makes no difference.

Share this post


Link to post
Share on other sites

same problem here.  Same observation with disabling automatic exclusions.

No update on this post?

Share this post


Link to post
Share on other sites

We informed Microsoft about that, it's now their turn.

Share this post


Link to post
Share on other sites

We had the same issue and have downgraded EFS to 6.5.12010.0.  Will stay in that version until the problem is fixed.

Share this post


Link to post
Share on other sites
8 hours ago, Camilo Diaz said:

We had the same issue and have downgraded EFS to 6.5.12010.0.  Will stay in that version until the problem is fixed.

It's not a problem. The only reason why it occurs with v7 is that older version didn't support protected service, a security feature of Windows. In v7 it's possible to disable protected service at the cost of worsening protection, however, it wouldn't be worse than with v6.5 which didn't support it yet. With v7 you get also ransomware shield which can proactively protect the server from encryption by ransomware.

Share this post


Link to post
Share on other sites

Thanks Marcos. When you said "it's possible to disable protected service", do you mean to  disable 'Automatic exclusions to generate" for Microsoft SQL Server?

 

 

Share this post


Link to post
Share on other sites
17 minutes ago, Camilo Diaz said:

Thanks Marcos. When you said "it's possible to disable protected service", do you mean to  disable 'Automatic exclusions to generate" for Microsoft SQL Server?

I meant "Protected service" in the HIPS setup. Personally I wouldn't trade protection for convenience and would rather ignore the error until Microsoft fixes the issue.

Share this post


Link to post
Share on other sites

Is it possible to push disabling this HIPS setting to all of the servers running EFS 7.0.12014.0 and higher from ERAS 6.5?  (Upgrading to ESMC 7.x is on my list of projects to do soon.) 

Or has this issue been fixed in 7.012016.0 or 7.012018.0? 

Share this post


Link to post
Share on other sites
9 hours ago, Morris B said:

Is it possible to push disabling this HIPS setting to all of the servers running EFS 7.0.12014.0 and higher from ERAS 6.5?  (Upgrading to ESMC 7.x is on my list of projects to do soon.) 

Or has this issue been fixed in 7.012016.0 or 7.012018.0? 

Again, this is not an issue of ESET but Microsoft. There's nothing we could fix in this regard on our part. We've been waiting for Microsoft to come up with a fix.

Share this post


Link to post
Share on other sites
Posted (edited)

Upon doing a Google search for, "SQL Server Native Client 11.0: Unable to load sqlnclir11.rll due to either missing file or version mismatch. The application cannot continue."  This is the only forum discussing this topic.  If this was a Microsoft issue, you would expect this to be all over the internet. 

Having said that, I have 80+ servers running EFS 7.0.12014.0 or higher, so I'm looking for a method to change this setting without having to manually touch each one.  So back to my first question, "Is it possible to push disabling this HIPS setting to all of the servers running EFS 7.0.12014.0 and higher from ERAS 6.5?" 

Edited by Morris B

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...