2 Replies Latest reply on May 29, 2014 8:16 AM by bob325

    HIPS 8 Patch 2 blocking SQL installation

    bob325

      Hi Team,

      We are having an issue installing SQL 2008 when HIPS is enabled (IPS only in use; the firewall feature is off). We don't see this issue if IPS is set to learn mode. We have added the SQL signature to the IPS rule, but we still have the issue.

      Has anyone on the team faced this issue? Please advise.

      Below are the logs from HipShield.log

      ########### HipShield Build: Jun  6 2012, 11:24:51  8.0.0.2151 ###########
      ###########         Session: Fri Feb 11 10:30:52 2012         ###########
      *** Os: Win2008 R2 Server Service Pack 1  Version 6.1.7601

      *** continued from rotation
      i04-11 15:32:05.115 Error: 0x590,95c This is not a supported MS SQL version: 10.50.4000.0
      - code 0x32 - The request is not supported.

      i04-11 15:32:05.116 Error: 0x590,95c MfeFhe - Can't initialize kevlar API hooking.
      i04-11 15:32:09.769 Error: 0xa1c,a20 This is not a supported MS SQL version: 10.50.4000.0
      - code 0x32 - The request is not supported.

      i04-11 15:32:09.770 Error: 0xa1c,a20 MfeFhe - Can't initialize kevlar API hooking.
      k04-11 15:32:10.333 Alert: 0x4,b04 Block event matching sig 523
      k04-11 15:32:10.333 Alert: 0x4,b04 Block event matching sig 523
      k04-11 15:32:11.387 Alert: 0x4,b9c Block event matching sig 523
      k04-11 15:32:11.387 Alert: 0x4,b9c Block event matching sig 523
      k04-11 15:32:11.387 Alert: 0x4,b9c Block event matching sig 523
      k04-11 15:32:11.387 Alert: 0x4,b9c Block event matching sig 523
      k04-11 15:32:12.071 Alert: 0x4,d3c Log event matching sig 344
      k04-11 15:32:12.502 Alert: 0x4,e34 Block event matching sig 522
      04-11 15:32:13 [01888] VIOLATION: [8] ------- Violation  Logged ---- Size 1081 ----
      <Event> <!-- Level=Med, Reaction=Prevent -->
        <EventData
        SignatureID="523"
        SignatureName="MSSQL Core Envelope - Registry Mod. by MSSQL"
        SeverityLevel="3"
        Reaction="3"
        ProcessUserName="UK\zz_sql-669"
        Process="D:\MSSQL10_50.SQLPRE02\MSSQL\BINN\SQLSERVR.EXE"
        IncidentTime="2012-02-11 15:32:10"
        AllowEx="True"
        SigRuleClass="Registry"
        ProcessId="2588"
        Session="0"
        SigRuleDirective="create"/>
        <Params>
          <Param name="Workstation Name" allowex="True">WYCWSQLB001</Param>
          <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
          <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
          <Param name="Executable Description" allowex="False">SQL SERVER WINDOWS NT - 64 BIT</Param>
          <Param name="Executable Fingerprint" allowex="False">c6a0c6d85e6fc0ba9b0969e27fae0e89</Param>
          <Param name="Registry Key" allowex="True">\REGISTRY\MACHINE\SYSTEM\CONTROLSET\CONTROL\SECURITYPROVIDERS\SCHANNEL</Param>
        </Params>
      </Event>
      ------------------------------
      04-11 15:32:13 [01888] VIOLATION: [7] ------- Violation ---- Size 1035 ----
      <Event> <!-- Level=Med, Reaction=Prevent -->
        <EventData
        SignatureID="523"
        SignatureName="MSSQL Core Envelope - Registry Mod. by MSSQL"
        SeverityLevel="3"
        Reaction="3"
        ProcessUserName="UK\zz_sql-669"
        Process="D:\MSSQL10_50.SQLPRE02\MSSQL\BINN\SQLSERVR.EXE"
        IncidentTime="2012-02-11 12:32:10"
        AllowEx="True"
        SigRuleClass="Registry"
        ProcessId="2588"
        Session="0"
        SigRuleDirective="create"/>
        <Params>
          <Param name="Workstation Name" allowex="True">WYCWSQLB001</Param>
          <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
          <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
          <Param name="Executable Description" allowex="False">SQL SERVER WINDOWS NT - 64 BIT</Param>
          <Param name="Executable Fingerprint" allowex="False">c6a0c6d85e6fc0ba9b0969e27fae0e89</Param>
          <Param name="Registry Key" allowex="True">\REGISTRY\MACHINE\SYSTEM</Param>
        </Params>
      </Event>
      ------------------------------
      04-11 15:32:13 [01888] VIOLATION: [6] ------- Violation ---- Size 1196 ----
      <Event> <!-- Level=Med, Reaction=Prevent -->
        <EventData
        SignatureID="523"
        SignatureName="MSSQL Core Envelope - Registry Mod. by MSSQL"
        SeverityLevel="3"
        Reaction="3"
        ProcessUserName="UK\zz_sql-669"
        Process="D:\MSSQL10_50.SQLPRE02\MSSQL\BINN\SQLSERVR.EXE"
        IncidentTime="2014-04-11 15:32:11"
        AllowEx="True"
        SigRuleClass="Registry"
        ProcessId="2588"
        Session="0"
        SigRuleDirective="modify"/>
        <Params>
          <Param name="Workstation Name" allowex="True">WYCWSQLB001</Param>
          <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
          <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
          <Param name="Executable Description" allowex="False">SQL SERVER WINDOWS NT - 64 BIT</Param>
          <Param name="Executable Fingerprint" allowex="False">c6a0c6d85e6fc0ba9b0969e27fae0e89</Param>
          <Param name="Registry Value(s)" allowex="True">\REGISTRY\CURRENT_USER\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1C8\52C64B7E\LANGUAGELIST</Param>
          <Param name="New Data" allowex="True">65006e002d0055005300000065006e0000000000</Param>
        </Params>
      </Event>
      ------------------------------
      04-11 15:32:13 [01888] VIOLATION: [5] ------- Violation ---- Size 1196 ----
      <Event> <!-- Level=Med, Reaction=Prevent -->
        <EventData
        SignatureID="523"
        SignatureName="MSSQL Core Envelope - Registry Mod. by MSSQL"
        SeverityLevel="3"
        Reaction="3"
        ProcessUserName="UK\zz_sql-669"
        Process="D:\MSSQL10_50.SQLPRE02\MSSQL\BINN\SQLSERVR.EXE"
        IncidentTime="2012-02-11 10:32:11"
        AllowEx="True"
        SigRuleClass="Registry"
        ProcessId="2588"
        Session="0"
        SigRuleDirective="modify"/>
        <Params>
          <Param name="Workstation Name" allowex="True">WYCWSQLB001</Param>
          <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
          <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
          <Param name="Executable Description" allowex="False">SQL SERVER WINDOWS NT - 64 BIT</Param>
          <Param name="Executable Fingerprint" allowex="False">c6a0c6d85e6fc0ba9b0969e27fae0e89</Param>
          <Param name="Registry Value(s)" allowex="True">\REGISTRY\CURRENT_USER\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1C8\52C64B7E\LANGUAGELIST</Param>
          <Param name="New Data" allowex="True">65006e002d0055005300000065006e0000000000</Param>
        </Params>
      </Event>
      ------------------------------
      04-11 15:32:13 [01888] VIOLATION: [4] ------- Violation ---- Size 1196 ----
      <Event> <!-- Level=Med, Reaction=Prevent -->
        <EventData
        SignatureID="523"
        SignatureName="MSSQL Core Envelope - Registry Mod. by MSSQL"
        SeverityLevel="3"
        Reaction="3"
        ProcessUserName="UK\zz_sql-669"
        Process="D:\MSSQL10_50.SQLPRE02\MSSQL\BINN\SQLSERVR.EXE"
        IncidentTime="2012-02-11 10:32:11"
        AllowEx="True"
        SigRuleClass="Registry"
        ProcessId="2588"
        Session="0"
        SigRuleDirective="modify"/>
        <Params>
          <Param name="Workstation Name" allowex="True">WYCWSQLB001</Param>
          <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
          <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
          <Param name="Executable Description" allowex="False">SQL SERVER WINDOWS NT - 64 BIT</Param>
          <Param name="Executable Fingerprint" allowex="False">c6a0c6d85e6fc0ba9b0969e27fae0e89</Param>
          <Param name="Registry Value(s)" allowex="True">\REGISTRY\CURRENT_USER\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1C8\52C64B7E\LANGUAGELIST</Param>
          <Param name="New Data" allowex="True">65006e002d0055005300000065006e0000000000</Param>
        </Params>
      </Event>
      ------------------------------
      04-11 15:32:13 [01888] VIOLATION: [3] ------- Violation ---- Size 1196 ----
      <Event> <!-- Level=Med, Reaction=Prevent -->
        <EventData
        SignatureID="523"
        SignatureName="MSSQL Core Envelope - Registry Mod. by MSSQL"
        SeverityLevel="3"
        Reaction="3"
        ProcessUserName="UK\zz_sql-669"
        Process="D:\MSSQL10_50.SQLPRE02\MSSQL\BINN\SQLSERVR.EXE"
        IncidentTime="2012-02-11 10:32:11"
        AllowEx="True"
        SigRuleClass="Registry"
        ProcessId="2588"
        Session="0"
        SigRuleDirective="modify"/>
        <Params>
          <Param name="Workstation Name" allowex="True">WYCWSQLB001</Param>
          <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
          <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
          <Param name="Executable Description" allowex="False">SQL SERVER WINDOWS NT - 64 BIT</Param>
          <Param name="Executable Fingerprint" allowex="False">c6a0c6d85e6fc0ba9b0969e27fae0e89</Param>
          <Param name="Registry Value(s)" allowex="True">\REGISTRY\CURRENT_USER\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1C8\52C64B7E\LANGUAGELIST</Param>
          <Param name="New Data" allowex="True">65006e002d0055005300000065006e0000000000</Param>
        </Params>
      </Event>
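The records above carry everything needed to decide what an IPS exception has to cover: the signature ID, the process being blocked, and the registry objects the log itself tags with allowex="True". The following is an added example, not code from the post or from McAfee: it parses the one-line "Alert ... matching sig N" records and the XML <Event> violation records out of a HipShield.log extract, counts blocks per signature, lists the SQL versions the MfeFhe hook rejected, and groups the exception-able registry objects by (signature, process). SAMPLE_LOG is a constructed extract that copies the shape of the events in the post (with the SecurityProviders key written as SCHANNEL); the assumption that Reaction="3" is the prevent action follows from the "Reaction=Prevent" comment the log attaches to those records.

```python
"""Summarise HipShield.log violation records into exception-relevant facts.

Added example; not code from the forum post or from McAfee. SAMPLE_LOG is a
constructed extract mirroring the event shapes shown in the post.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

SAMPLE_LOG = r"""
i04-11 15:32:05.115 Error: 0x590,95c This is not a supported MS SQL version: 10.50.4000.0
i04-11 15:32:05.116 Error: 0x590,95c MfeFhe - Can't initialize kevlar API hooking.
k04-11 15:32:10.333 Alert: 0x4,b04 Block event matching sig 523
k04-11 15:32:11.387 Alert: 0x4,b9c Block event matching sig 523
k04-11 15:32:12.071 Alert: 0x4,d3c Log event matching sig 344
k04-11 15:32:12.502 Alert: 0x4,e34 Block event matching sig 522
04-11 15:32:13 [01888] VIOLATION: [8] ------- Violation  Logged ---- Size 1081 ----
<Event> <!-- Level=Med, Reaction=Prevent -->
  <EventData SignatureID="523" SignatureName="MSSQL Core Envelope - Registry Mod. by MSSQL"
  SeverityLevel="3" Reaction="3" ProcessUserName="UK\zz_sql-669"
  Process="D:\MSSQL10_50.SQLPRE02\MSSQL\BINN\SQLSERVR.EXE" AllowEx="True"
  SigRuleClass="Registry" ProcessId="2588" SigRuleDirective="create"/>
  <Params>
    <Param name="Workstation Name" allowex="True">WYCWSQLB001</Param>
    <Param name="Executable Fingerprint" allowex="False">c6a0c6d85e6fc0ba9b0969e27fae0e89</Param>
    <Param name="Registry Key" allowex="True">\REGISTRY\MACHINE\SYSTEM\CONTROLSET\CONTROL\SECURITYPROVIDERS\SCHANNEL</Param>
  </Params>
</Event>
------------------------------
04-11 15:32:13 [01888] VIOLATION: [6] ------- Violation ---- Size 1196 ----
<Event> <!-- Level=Med, Reaction=Prevent -->
  <EventData SignatureID="523" SignatureName="MSSQL Core Envelope - Registry Mod. by MSSQL"
  SeverityLevel="3" Reaction="3" ProcessUserName="UK\zz_sql-669"
  Process="D:\MSSQL10_50.SQLPRE02\MSSQL\BINN\SQLSERVR.EXE" AllowEx="True"
  SigRuleClass="Registry" ProcessId="2588" SigRuleDirective="modify"/>
  <Params>
    <Param name="Executable Fingerprint" allowex="False">c6a0c6d85e6fc0ba9b0969e27fae0e89</Param>
    <Param name="Registry Value(s)" allowex="True">\REGISTRY\CURRENT_USER\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1C8\52C64B7E\LANGUAGELIST</Param>
    <Param name="New Data" allowex="True">65006e002d0055005300000065006e0000000000</Param>
  </Params>
</Event>
"""

ALERT_RE = re.compile(r"Alert: \S+ (Block|Log) event matching sig (\d+)")
VERSION_RE = re.compile(r"This is not a supported MS SQL version: (\S+)")
EVENT_RE = re.compile(r"<Event>.*?</Event>", re.S)
REGISTRY_PARAMS = ("Registry Key", "Registry Value(s)")


def alert_counts(log):
    """Count Block/Log alerts per signature ID from the one-line Alert records."""
    return Counter((action, sig) for action, sig in ALERT_RE.findall(log))


def unsupported_sql_versions(log):
    """SQL versions the MfeFhe hook refused (these precede the API-hooking failure)."""
    return sorted(set(VERSION_RE.findall(log)))


def parse_violations(log):
    """Parse each XML <Event> record: EventData attributes plus a
    'params' dict of name -> (value, allowex flag)."""
    events = []
    for block in EVENT_RE.findall(log):
        root = ET.fromstring(block)
        data = dict(root.find("EventData").attrib)
        data["params"] = {p.get("name"): (p.text or "", p.get("allowex") == "True")
                          for p in root.iter("Param")}
        events.append(data)
    return events


def exception_candidates(events):
    """Group prevented events by (signature, process) and list the registry
    objects the record itself marks allowex="True", i.e. usable in an exception.
    Assumption: Reaction="3" is the prevent action (the record's own comment
    says Reaction=Prevent for these events)."""
    groups = defaultdict(set)
    for ev in events:
        if ev.get("Reaction") != "3":
            continue
        key = (ev["SignatureID"], ev["Process"])
        for name in REGISTRY_PARAMS:
            value, allowex = ev["params"].get(name, ("", False))
            if allowex and value:
                groups[key].add(value)
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    print("alerts:", dict(alert_counts(SAMPLE_LOG)))
    print("unsupported SQL versions:", unsupported_sql_versions(SAMPLE_LOG))
    for (sig, proc), objs in exception_candidates(parse_violations(SAMPLE_LOG)).items():
        print(f"sig {sig} blocked {proc}; exception-able registry objects:")
        for obj in objs:
            print("   ", obj)
```

Run it against a real HipShield.log by reading the file into `log` in place of SAMPLE_LOG. Note that the "not a supported MS SQL version" errors are a separate finding from the sig 523 blocks: they mean the SQL-specific hooking never initialised for that build, so an exception for 523 alone would not address them.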