Symantec cmc firewall sysfer process injection causes SQL Server performance issues

Article ID: 215714

Products

Endpoint Protection

Issue/Introduction

When certain modules are loaded into the Microsoft SQL Server process address space (Sqlservr.exe), you may encounter the following symptoms:

  • Reports of various hang-related error messages and conditions (for example, SQL Server scheduler message such as 17883, application time-out messages, severe blocking within SQL Server)
  • Very slow response from SQL Server even if the concurrent amount of load is not unusually heavy.
  • Exceptions (such as access violations), critical error messages about database consistency, assertion messages or unexpected process termination
  • 100% CPU utilization and long database recovery times when you use in-memory OLTP tables in SQL Server.

Cause

Application and Device Control can inject Symantec cmc firewall sysfer into processes as part of its operation.

Resolution

Add an exclusion for Sqlservr.exe in the Exceptions policy in SEPM.

  1. In the SEPM console, browse to Policies > Exceptions.
  2. Edit the policy applied to any SQL Server experiencing this issue.
  3. Add an exclusion for Sqlservr.exe.

Here are samples of other exclusions:

%[SYSTEM]%\audiodg.exe (Audio Device)
%[SYSTEM]%\mfpmp.exe (Media Foundation Protected Pipeline)
%[SYSTEM]%\werfault.exe (Windows Problem Reporting)
%[SYSTEM]%\werfaultsecure.exe (Windows Fault Reporting)
%[SYSTEM]%\wermgr.exe (Windows Error Reporting Manager/ Windows Problem Reporting)

Once SQL Server is excluded, Symantec cmc firewall sysfer should no longer be injected into the Sqlservr.exe process.

On my setup (SQL 2016) the location was: C:\Program Files\Microsoft SQL Server\MSSQL14.SEPMDB\MSSQL\Binn

A restart of the SQL Server or the SQL Server services is required to clear the injection.
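
To confirm the exclusion took effect after the restart, the loaded modules of each running Sqlservr.exe can be inspected. The following check is an added example, not part of the original article; it assumes the injected module's file name or file description contains the string "sysfer", and it must be run from an elevated PowerShell session on the SQL Server host.

```powershell
# Added example: report whether a sysfer module is loaded in any sqlservr.exe.
# Assumption: the module's file name or description contains "sysfer".
$pattern = 'sysfer'

$procs = Get-Process -Name sqlservr -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning 'No sqlservr.exe process is running on this host.'
    return
}

foreach ($p in $procs) {
    # Reading another account's module list needs elevation; handle both
    # a thrown exception and an empty result.
    $modules = $null
    try { $modules = $p.Modules } catch { }
    if (-not $modules) {
        Write-Warning "PID $($p.Id): module list not readable (run elevated)."
        continue
    }

    $hits = $modules | Where-Object {
        $_.ModuleName -match $pattern -or
        $_.FileVersionInfo.FileDescription -match $pattern
    }

    # StartTime shows whether this instance was restarted after the
    # exception policy reached the client; an older process keeps the module.
    [pscustomobject]@{
        Pid            = $p.Id
        StartTime      = $p.StartTime
        SysferLoaded   = [bool]$hits
        MatchedModules = ($hits.FileName -join '; ')
    }
}
```

A row with `SysferLoaded` set to `True` and a `StartTime` earlier than the policy change means that instance still needs the restart described above.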