bob325
Level 7

HIPS 8 Patch 2 blocking SQL installation

Hi Team

We are having an issue installing SQL 2008 when HIPS is enabled (IPS only is in use; the firewall feature is off). We don't see this issue if IPS is set to learn mode. We have added the SQL signature to the IPS rule, but we still have the issue.

Has anyone on the team faced this issue? Please advise.

Below are the logs from HipShield.log:

########### HipShield Build: Jun  6 2012, 11:24:51  8.0.0.2151 ###########
###########         Session: Fri Feb 11 10:30:52 2012         ###########
*** Os: Win2008 R2 Server Service Pack 1  Version 6.1.7601

*** continued from rotation
i04-11 15:32:05.115 Error: 0x590,95c This is not a supported MS SQL version: 10.50.4000.0
- code 0x32 - The request is not supported.

i04-11 15:32:05.116 Error: 0x590,95c MfeFhe - Can't initialize kevlar API hooking.
i04-11 15:32:09.769 Error: 0xa1c,a20 This is not a supported MS SQL version: 10.50.4000.0
- code 0x32 - The request is not supported.

i04-11 15:32:09.770 Error: 0xa1c,a20 MfeFhe - Can't initialize kevlar API hooking.
k04-11 15:32:10.333 Alert: 0x4,b04 Block event matching sig 523
k04-11 15:32:10.333 Alert: 0x4,b04 Block event matching sig 523
k04-11 15:32:11.387 Alert: 0x4,b9c Block event matching sig 523
k04-11 15:32:11.387 Alert: 0x4,b9c Block event matching sig 523
k04-11 15:32:11.387 Alert: 0x4,b9c Block event matching sig 523
k04-11 15:32:11.387 Alert: 0x4,b9c Block event matching sig 523
k04-11 15:32:12.071 Alert: 0x4,d3c Log event matching sig 344
k04-11 15:32:12.502 Alert: 0x4,e34 Block event matching sig 522
04-11 15:32:13 [01888] VIOLATION: [8] ------- Violation  Logged ---- Size 1081 ----
<Event> <!-- Level=Med, Reaction=Prevent -->
  <EventData
  SignatureID="523"
  SignatureName="MSSQL Core Envelope - Registry Mod. by MSSQL"
  SeverityLevel="3"
  Reaction="3"
  ProcessUserName="UK\zz_sql-669"
  Process="D:\MSSQL10_50.SQLPRE02\MSSQL\BINN\SQLSERVR.EXE"
  IncidentTime="2012-02-11 15:32:10"
  AllowEx="True"
  SigRuleClass="Registry"
  ProcessId="2588"
  Session="0"
  SigRuleDirective="create"/>
  <Params>
    <Param name="Workstation Name" allowex="True">WYCWSQLB001</Param>
    <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Executable Description" allowex="False">SQL SERVER WINDOWS NT - 64 BIT</Param>
    <Param name="Executable Fingerprint" allowex="False">c6a0c6d85e6fc0ba9b0969e27fae0e89</Param>
    <Param name="Registry Key" allowex="True">\REGISTRY\MACHINE\SYSTEM\CONTROLSET\CONTROL\SECURITYPROVIDERS\SCHANNEL</Param>
  </Params>
</Event>
------------------------------
04-11 15:32:13 [01888] VIOLATION: [7] ------- Violation ---- Size 1035 ----
<Event> <!-- Level=Med, Reaction=Prevent -->
  <EventData
  SignatureID="523"
  SignatureName="MSSQL Core Envelope - Registry Mod. by MSSQL"
  SeverityLevel="3"
  Reaction="3"
  ProcessUserName="UK\zz_sql-669"
  Process="D:\MSSQL10_50.SQLPRE02\MSSQL\BINN\SQLSERVR.EXE"
  IncidentTime="2012-02-11 12:32:10"
  AllowEx="True"
  SigRuleClass="Registry"
  ProcessId="2588"
  Session="0"
  SigRuleDirective="create"/>
  <Params>
    <Param name="Workstation Name" allowex="True">WYCWSQLB001</Param>
    <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Executable Description" allowex="False">SQL SERVER WINDOWS NT - 64 BIT</Param>
    <Param name="Executable Fingerprint" allowex="False">c6a0c6d85e6fc0ba9b0969e27fae0e89</Param>
    <Param name="Registry Key" allowex="True">\REGISTRY\MACHINE\SYSTEM</Param>
  </Params>
</Event>
------------------------------
04-11 15:32:13 [01888] VIOLATION: [6] ------- Violation ---- Size 1196 ----
<Event> <!-- Level=Med, Reaction=Prevent -->
  <EventData
  SignatureID="523"
  SignatureName="MSSQL Core Envelope - Registry Mod. by MSSQL"
  SeverityLevel="3"
  Reaction="3"
  ProcessUserName="UK\zz_sql-669"
  Process="D:\MSSQL10_50.SQLPRE02\MSSQL\BINN\SQLSERVR.EXE"
  IncidentTime="2014-04-11 15:32:11"
  AllowEx="True"
  SigRuleClass="Registry"
  ProcessId="2588"
  Session="0"
  SigRuleDirective="modify"/>
  <Params>
    <Param name="Workstation Name" allowex="True">WYCWSQLB001</Param>
    <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Executable Description" allowex="False">SQL SERVER WINDOWS NT - 64 BIT</Param>
    <Param name="Executable Fingerprint" allowex="False">c6a0c6d85e6fc0ba9b0969e27fae0e89</Param>
    <Param name="Registry Value(s)" allowex="True">\REGISTRY\CURRENT_USER\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1C8\52C64B7E\LANGUAGELIST</Param>
    <Param name="New Data" allowex="True">65006e002d0055005300000065006e0000000000</Param>
  </Params>
</Event>
------------------------------
04-11 15:32:13 [01888] VIOLATION: [5] ------- Violation ---- Size 1196 ----
<Event> <!-- Level=Med, Reaction=Prevent -->
  <EventData
  SignatureID="523"
  SignatureName="MSSQL Core Envelope - Registry Mod. by MSSQL"
  SeverityLevel="3"
  Reaction="3"
  ProcessUserName="UK\zz_sql-669"
  Process="D:\MSSQL10_50.SQLPRE02\MSSQL\BINN\SQLSERVR.EXE"
  IncidentTime="2012-02-11 10:32:11"
  AllowEx="True"
  SigRuleClass="Registry"
  ProcessId="2588"
  Session="0"
  SigRuleDirective="modify"/>
  <Params>
    <Param name="Workstation Name" allowex="True">WYCWSQLB001</Param>
    <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Executable Description" allowex="False">SQL SERVER WINDOWS NT - 64 BIT</Param>
    <Param name="Executable Fingerprint" allowex="False">c6a0c6d85e6fc0ba9b0969e27fae0e89</Param>
    <Param name="Registry Value(s)" allowex="True">\REGISTRY\CURRENT_USER\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1C8\52C64B7E\LANGUAGELIST</Param>
    <Param name="New Data" allowex="True">65006e002d0055005300000065006e0000000000</Param>
  </Params>
</Event>
------------------------------
04-11 15:32:13 [01888] VIOLATION: [4] ------- Violation ---- Size 1196 ----
<Event> <!-- Level=Med, Reaction=Prevent -->
  <EventData
  SignatureID="523"
  SignatureName="MSSQL Core Envelope - Registry Mod. by MSSQL"
  SeverityLevel="3"
  Reaction="3"
  ProcessUserName="UK\zz_sql-669"
  Process="D:\MSSQL10_50.SQLPRE02\MSSQL\BINN\SQLSERVR.EXE"
  IncidentTime="2012-02-11 10:32:11"
  AllowEx="True"
  SigRuleClass="Registry"
  ProcessId="2588"
  Session="0"
  SigRuleDirective="modify"/>
  <Params>
    <Param name="Workstation Name" allowex="True">WYCWSQLB001</Param>
    <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Executable Description" allowex="False">SQL SERVER WINDOWS NT - 64 BIT</Param>
    <Param name="Executable Fingerprint" allowex="False">c6a0c6d85e6fc0ba9b0969e27fae0e89</Param>
    <Param name="Registry Value(s)" allowex="True">\REGISTRY\CURRENT_USER\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1C8\52C64B7E\LANGUAGELIST</Param>
    <Param name="New Data" allowex="True">65006e002d0055005300000065006e0000000000</Param>
  </Params>
</Event>
------------------------------
04-11 15:32:13 [01888] VIOLATION: [3] ------- Violation ---- Size 1196 ----
<Event> <!-- Level=Med, Reaction=Prevent -->
  <EventData
  SignatureID="523"
  SignatureName="MSSQL Core Envelope - Registry Mod. by MSSQL"
  SeverityLevel="3"
  Reaction="3"
  ProcessUserName="UK\zz_sql-669"
  Process="D:\MSSQL10_50.SQLPRE02\MSSQL\BINN\SQLSERVR.EXE"
  IncidentTime="2012-02-11 10:32:11"
  AllowEx="True"
  SigRuleClass="Registry"
  ProcessId="2588"
  Session="0"
  SigRuleDirective="modify"/>
  <Params>
    <Param name="Workstation Name" allowex="True">WYCWSQLB001</Param>
    <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Executable Description" allowex="False">SQL SERVER WINDOWS NT - 64 BIT</Param>
    <Param name="Executable Fingerprint" allowex="False">c6a0c6d85e6fc0ba9b0969e27fae0e89</Param>
    <Param name="Registry Value(s)" allowex="True">\REGISTRY\CURRENT_USER\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1C8\52C64B7E\LANGUAGELIST</Param>
    <Param name="New Data" allowex="True">65006e002d0055005300000065006e0000000000</Param>
  </Params>
</Event>

0 Kudos
2 Replies
McAfee Employee

Re: HIPS 8 Patch 2 blocking SQL installation

i04-11 15:32:09.769 Error: 0xa1c,a20 This is not a supported MS SQL version: 10.50.4000.0

- code 0x32 - The request is not supported.

i04-11 15:32:09.770 Error: 0xa1c,a20 MfeFhe - Can't initialize kevlar API hooking.

Microsoft SQL Server 2008 R2 Service Pack 2 (10.50.4000.0) is not supported by HIPS (and the SQL Engine).  Disable the SQL Engine by HIPS General ClientUI policy (which will disable SQL protection within HIPS) and verify this resolves the issue.

KB65845 - Host Intrusion Prevention 7.0 and 8.0 support for SQL Server Versions

https://kc.mcafee.com/corporate/index?page=content&id=KB65845

0 Kudos
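As an added example (not from the thread, McAfee, or KB65845): a small Python triage script for the HipShield.log format shown above. It pulls out the "not a supported MS SQL version" errors, counts Block/Log alerts per signature, and parses the XML violation events, so you can see which signature (523 here) prevented which registry operation before deciding on the SQL Engine policy change. The log text is a constructed excerpt in the layout the post shows, and the function names are mine.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter
# Constructed excerpt in the HipShield.log layout the post shows (not the real file).
SAMPLE_LOG = r"""
i04-11 15:32:05.115 Error: 0x590,95c This is not a supported MS SQL version: 10.50.4000.0
i04-11 15:32:05.116 Error: 0x590,95c MfeFhe - Can't initialize kevlar API hooking.
k04-11 15:32:10.333 Alert: 0x4,b04 Block event matching sig 523
k04-11 15:32:12.071 Alert: 0x4,d3c Log event matching sig 344
k04-11 15:32:12.502 Alert: 0x4,e34 Block event matching sig 522
04-11 15:32:13 [01888] VIOLATION: [8] ------- Violation  Logged ---- Size 1081 ----
<Event> <!-- Level=Med, Reaction=Prevent -->
  <EventData SignatureID="523" SignatureName="MSSQL Core Envelope - Registry Mod. by MSSQL"
  Process="D:\MSSQL10_50.SQLPRE02\MSSQL\BINN\SQLSERVR.EXE" SigRuleDirective="create"/>
  <Params>
    <Param name="Registry Key" allowex="True">\REGISTRY\MACHINE\SYSTEM\CONTROLSET\CONTROL\SECURITYPROVIDERS\SCHANNEL</Param>
  </Params>
</Event>
------------------------------
"""
UNSUPPORTED_RE = re.compile(r"This is not a supported MS SQL version: (\S+)")
ALERT_RE = re.compile(r"(Block|Log) event matching sig (\d+)")

def unsupported_sql_versions(log):
    # SQL Server builds the HIPS SQL engine refused to hook
    return sorted(set(UNSUPPORTED_RE.findall(log)))

def alert_counts(log):
    # Counter keyed by (action, signature id), e.g. ("Block", "523")
    return Counter(ALERT_RE.findall(log))

def violation_events(log):
    # Parse each <Event> XML block into the fields a responder needs
    events = []
    for block in re.findall(r"<Event>.*?</Event>", log, re.S):
        root = ET.fromstring(block)
        data = root.find("EventData").attrib
        params = {p.get("name"): p.text for p in root.iter("Param")}
        events.append({"sig": data.get("SignatureID"), "name": data.get("SignatureName"),
                       "process": data.get("Process"), "directive": data.get("SigRuleDirective"),
                       "target": params.get("Registry Key") or params.get("Registry Value(s)")})
    return events

def triage(log):
    # Summarise: unsupported SQL build, hook failure, and which signatures prevented what
    blocked = sorted({sig for action, sig in alert_counts(log) if action == "Block"})
    return {"unsupported_sql_versions": unsupported_sql_versions(log),
            "sql_hooking_failed": "Can't initialize kevlar API hooking" in log,
            "blocked_signatures": blocked,
            "prevented_events": [e for e in violation_events(log) if e["sig"] in blocked]}
```

Run `triage(open("HipShield.log").read())` against a real rotated log; a non-empty `unsupported_sql_versions` together with `sql_hooking_failed` is the pattern the reply above describes.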
bob325
Level 7

Re: HIPS 8 Patch 2 blocking SQL installation

Thanks Kary for this helpful answer, I will try the workaround by disabling the SQL engine.

Thanks

BOB

0 Kudos