We're having an issue on some of our servers which are running SQL and have HIPS (Version 8 Patch 11) installed. Sometimes after the system performs an overnight reboot, the system will get locked up 20-40 minutes after booting into Windows. By locked up, I mean that we are unable to access it remotely, and after pressing CAD on the console, it only shows a blank screen (login box never comes up).
From what we can see in logs, HIPS starts normally and begins logging (we aren't doing any active blocking via policies). At a certain point, SQL stops responding and the HipShield log shows the warning: "0x4, #### User mode returns error code 0xc000013f for sid lookup". We see this error pretty continuously until someone arrives on-site and is able to perform a hard reset. Sometimes the server will come back up and behave normally on that next reboot, other times it may take up to 6 reboot cycles.
That is also leading to more of our frustration in that this problem is not occurring on every system configured in this manner (maybe ~20%). This issue is happening on both Server 2008 R2\SQL 2008 R2 and Server 2012 R2\SQL 2014 SP2. If we disable HIPS, the problem goes away. If we set the HIPS services to Automatic (Delayed), the problem goes away (at least on the 2012 R2 systems) but these aren't solutions we can stick with.
Has anyone else run across a similar issue or have any insight?
We've engaged McAfee on this issue in the past, but that's been less than fruitful (in that McAfee is telling us that our version of SQL isn't supported). Really we're in a bit of a catch-22 in that we have to keep SQL up-to-date, but McAfee doesn't officially support the CUs. We can't afford to keep our SQL server installs unpatched for 2-3 years. We've been trying to do our own work to pin down the cause, and the sid lookup error seems like it could be at the heart of it, but we haven't had any luck.
@Former Member Then you may replace your current AV and HIPS with ENS. ENS provides you with the same benefits as HIPS and AV do and, in fact, it is more secure than your current configuration. Apparently you can resolve your current issue and also move to the latest ENS. This is just my opinion.