Windows 2012 R2: McAfee Host Intrusion Prevention Causes Application Faults in 12c Lsnrctl and TNSPing (Doc ID 2215889.1)

Last updated on JANUARY 06, 2017

Applies to:

Oracle Net Services - Version 12.1.0.1 to 12.2 BETA1 [Release 12.1 to 12.2]
Information in this document applies to any platform.

Symptoms

Event type APPCRASH is logged in the Windows Event Viewer for the Oracle application.

Windows APPCRASH log.

 

Problem Description :
================

The following executables were generating application faults in KERNELBASE.DLL as shown in the Windows Application Event Log on both primary and database servers.

 

All errors were similar to the one below (taken from the Application Log on the primary server). The Event ID was 1000:

Faulting application name: lsnrctl.exe, version: 12.1.0.2, time stamp: 0x53e0c278
Faulting module name: KERNELBASE.dll, version: 6.3.9600.18340, time stamp: 0x57366075
Exception code: 0x80000003
Fault offset: 0x00000000000de2d2
Faulting process id: 0x2218
Faulting application start time: 0x01d23fc4b3dd3239
Faulting application path: C:\Oracle\product\12.1.0\grid\bin\lsnrctl.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: f5a06318-abb7-11e6-80fb-14187726f9ac
Faulting package full name:
Faulting package-relative application ID:

 

Version=1
EventType=APPCRASH
EventTime=131224159026761508
ReportType=2
Consent=1
UploadTime=131237937477382030
ReportIdentifier=a65465d2-9fa0-11e6-80f9-14187726f9ac
IntegratorReportIdentifier=a65465d1-9fa0-11e6-80f9-14187726f9ac
NsAppName=LSNRCTL.EXE
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=LSNRCTL.EXE
Sig[1].Name=Application Version
Sig[1].Value=12.1.0.2
Sig[2].Name=Application Timestamp
Sig[2].Value=53e0c278
Sig[3].Name=Fault Module Name
Sig[3].Value=KERNELBASE.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=6.3.9600.18340
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=57366075
Sig[6].Name=Exception Code
Sig[6].Value=80000003
Sig[7].Name=Exception Offset
Sig[7].Value=00000000000de2d2
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.3.9600.2.0.0.272.7
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=debf
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=debfb677c5eef05c6b5026ecf647042a
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=0345
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=034589c53b94791e4c79508e0db655ea
UI[2]=C:\Oracle\product\12.1.0\grid\bin\LSNRCTL.EXE
UI[5]=Check online for a solution (recommended)
UI[6]=Check for a solution later (recommended)
UI[7]=Close
UI[8]=Oracle LSNRCTL Executable stopped working and was closed
UI[9]=A problem caused the application to stop working correctly. Windows will notify you if a solution is available.
UI[10]=&Close
LoadedModule[0]=C:\Oracle\product\12.1.0\grid\bin\LSNRCTL.EXE
LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
LoadedModule[2]=C:\Windows\system32\KERNEL32.DLL
LoadedModule[3]=C:\Windows\system32\KERNELBASE.dll
LoadedModule[4]=C:\Oracle\product\12.1.0\grid\bin\oracore12.dll
LoadedModule[5]=C:\Windows\SYSTEM32\MSVCR100.dll
LoadedModule[6]=C:\Oracle\product\12.1.0\grid\bin\oracommon12.dll
LoadedModule[7]=C:\Oracle\product\12.1.0\grid\bin\orageneric12.dll
LoadedModule[8]=C:\Oracle\product\12.1.0\grid\bin\oranl12.dll
LoadedModule[9]=C:\Oracle\product\12.1.0\grid\bin\oran12.dll
LoadedModule[10]=C:\Oracle\product\12.1.0\grid\bin\orauts.dll
LoadedModule[11]=C:\Oracle\product\12.1.0\grid\bin\oranls12.dll
LoadedModule[12]=C:\Oracle\product\12.1.0\grid\bin\oraunls12.dll
LoadedModule[13]=C:\Windows\system32\ole32.dll
LoadedModule[14]=C:\Windows\system32\PSAPI.DLL
LoadedModule[15]=C:\Windows\system32\WS2_32.dll
LoadedModule[16]=C:\Windows\system32\ADVAPI32.dll
LoadedModule[17]=C:\Windows\system32\USER32.dll
LoadedModule[18]=C:\Oracle\product\12.1.0\grid\bin\orasnls12.dll
LoadedModule[19]=C:\Oracle\product\12.1.0\grid\bin\oraclient12.dll
LoadedModule[20]=C:\Oracle\product\12.1.0\grid\bin\oraasmclnt12.dll
LoadedModule[21]=C:\Oracle\product\12.1.0\grid\bin\oraxml12.dll
LoadedModule[22]=C:\Oracle\product\12.1.0\grid\bin\orannzsbb12.dll
LoadedModule[23]=C:\Oracle\product\12.1.0\grid\bin\orapls12.dll
LoadedModule[24]=C:\Oracle\product\12.1.0\grid\bin\oracell12.dll
LoadedModule[25]=C:\Windows\SYSTEM32\NETAPI32.dll
LoadedModule[26]=C:\Oracle\product\12.1.0\grid\bin\orawsec12.dll
LoadedModule[27]=C:\Windows\SYSTEM32\wsnmp32.dll
LoadedModule[28]=C:\Oracle\product\12.1.0\grid\bin\orahasgen12.dll
LoadedModule[29]=C:\Oracle\product\12.1.0\grid\bin\oraocr12.dll
LoadedModule[30]=C:\Oracle\product\12.1.0\grid\bin\orazt12.dll
LoadedModule[31]=C:\Windows\system32\imagehlp.dll
LoadedModule[32]=C:\Windows\system32\SHELL32.dll
LoadedModule[33]=C:\Oracle\product\12.1.0\grid\bin\orantcp12.dll
LoadedModule[34]=C:\Oracle\product\12.1.0\grid\bin\oranldap12.dll
LoadedModule[35]=C:\Windows\SYSTEM32\IPHLPAPI.DLL
LoadedModule[36]=C:\Oracle\product\12.1.0\grid\bin\orancrypt12.dll
LoadedModule[37]=C:\Oracle\product\12.1.0\grid\bin\oranro12.dll
LoadedModule[38]=C:\Oracle\product\12.1.0\grid\bin\oranhost12.dll
LoadedModule[39]=C:\Oracle\product\12.1.0\grid\bin\orancds12.dll
LoadedModule[40]=C:\Oracle\product\12.1.0\grid\bin\orantns12.dll
LoadedModule[41]=C:\Oracle\product\12.1.0\grid\bin\oraztkg12.dll
LoadedModule[42]=C:\Windows\system32\OLEAUT32.dll
LoadedModule[43]=C:\Windows\SYSTEM32\combase.dll
LoadedModule[44]=C:\Windows\system32\msvcrt.dll
LoadedModule[45]=C:\Windows\system32\RPCRT4.dll
LoadedModule[46]=C:\Windows\SYSTEM32\sechost.dll
LoadedModule[47]=C:\Windows\system32\GDI32.dll
LoadedModule[48]=C:\Windows\system32\NSI.dll
LoadedModule[49]=C:\Oracle\product\12.1.0\grid\bin\oraons.dll
LoadedModule[50]=C:\Oracle\product\12.1.0\grid\bin\oraldapclnt12.dll
LoadedModule[51]=C:\Oracle\product\12.1.0\grid\bin\orasql12.dll
LoadedModule[52]=C:\Windows\SYSTEM32\WSOCK32.dll
LoadedModule[53]=C:\Windows\SYSTEM32\MSVCP100.dll
LoadedModule[54]=C:\Windows\system32\CRYPT32.dll
LoadedModule[55]=C:\Windows\SYSTEM32\CRYPTUI.dll
LoadedModule[56]=C:\Oracle\product\12.1.0\grid\bin\oraslax12.dll
LoadedModule[57]=C:\Oracle\product\12.1.0\grid\bin\oravsn12.dll
LoadedModule[58]=C:\Oracle\product\12.1.0\grid\bin\oraplp12.dll
LoadedModule[59]=C:\Windows\SYSTEM32\netutils.dll
LoadedModule[60]=C:\Windows\SYSTEM32\srvcli.dll
LoadedModule[61]=C:\Windows\SYSTEM32\wkscli.dll
LoadedModule[62]=C:\Windows\SYSTEM32\SAMCLI.DLL
LoadedModule[63]=C:\Windows\SYSTEM32\Secur32.dll
LoadedModule[64]=C:\Oracle\product\12.1.0\grid\bin\oraocrutl12.dll
LoadedModule[65]=C:\Oracle\product\12.1.0\grid\bin\oraclsce12.dll
LoadedModule[66]=C:\Oracle\product\12.1.0\grid\bin\oraocrb12.dll
LoadedModule[67]=C:\Windows\system32\SHLWAPI.dll
LoadedModule[68]=C:\Windows\SYSTEM32\WINNSI.DLL
LoadedModule[69]=C:\Windows\system32\SspiCli.dll
LoadedModule[70]=C:\Oracle\product\12.1.0\grid\bin\OCI.dll
LoadedModule[71]=C:\Windows\system32\MSASN1.dll
LoadedModule[72]=C:\Windows\SYSTEM32\LOGONCLI.DLL
LoadedModule[73]=C:\Windows\system32\napinsp.dll
LoadedModule[74]=C:\Windows\system32\NLAapi.dll
LoadedModule[75]=C:\Windows\System32\mswsock.dll
LoadedModule[76]=C:\Windows\SYSTEM32\DNSAPI.dll
LoadedModule[77]=C:\Windows\System32\winrnr.dll
LoadedModule[78]=C:\Windows\System32\rasadhlp.dll
LoadedModule[79]=C:\Windows\System32\fwpuclnt.dll
LoadedModule[80]=C:\Program Files\McAfee\Host Intrusion Prevention\HcApi.dll
LoadedModule[81]=C:\Program Files\McAfee\Host Intrusion Prevention\HcThe.dll
File[0].CabName=AppCompat.txt
File[0].Path=WERE498.tmp.appcompat.txt
File[0].Flags=16842754
File[0].Type=5
File[0].Original.Path=C:\Windows\Temp\WERE498.tmp.appcompat.txt
File[1].CabName=WERInternalMetadata.xml
File[1].Path=WERED72.tmp.WERInternalMetadata.xml
File[1].Flags=327682
File[1].Type=5
File[1].Original.Path=C:\Windows\Temp\WERED72.tmp.WERInternalMetadata.xml
File[2].CabName=memory.hdmp
File[2].Path=memory.hdmp
File[2].Flags=807403520
File[2].Type=3
File[3].CabName=triagedump.dmp
File[3].Path=triagedump.dmp
File[3].Flags=807731202
File[3].Type=6
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=Oracle LSNRCTL Executable
AppPath=C:\Oracle\product\12.1.0\grid\bin\LSNRCTL.EXE
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=D7EAEB674690AEBFED54C46D56A7E5F1

The executables listed below crashed often, without any effect on the listener.

C:\Oracle\agent12c\core\12.1.0.5.0\perl\bin\perl.exe
C:\Oracle\product\12.1.0\grid\bin\lsnrctl.exe
C:\Oracle\product\12.1.0\grid\BIN\tnsping.exe

 

Generated Dump files below :
======================

Events also caused Windows Error Reporting (WER) to generate dump files in C:\ProgramData\Microsoft\Windows\WER\ReportQueue. Dump files were provided to Microsoft Support for analysis. They identified that the symbols were showing a problem in McAfee’s Host Intrusion component HcApi.dll, version 8.0.0.3363, as the cause of the failure.

0007ff9'4ef60000 00007ff9'4f007000 HcApi T (no symbols)
Loaded symbol image file: HcApi.dll
Image path: C:\Program Files\McAfee\Host Intrusion Prevention\HcApi.dll
Image name: HcApi.dll
Browse all global symbols functions data
Timestamp: Wed Jun 10 13:39:42 2015 (5578846E)
CheckSum: 000476E9
ImageSize: 000A7000
File version: 8.0.0.3363
Product version: 8.0.0.3363
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
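
Added example (not part of the Oracle note): the LoadedModule list in the WER report above already shows the Host Intrusion Prevention DLLs mapped into the crashing process, before any dump analysis. The Python below parses Report.wer text and lists modules loaded from outside the Windows directory and the application's own directory. The function names and the "trusted directories" heuristic are assumptions, and the sample input is abridged from the report on this page.

```python
import re
from pathlib import PureWindowsPath

# Abridged from the report shown on this page (most LoadedModule lines omitted).
SAMPLE_REPORT = r"""EventType=APPCRASH
Sig[0].Name=Application Name
Sig[0].Value=LSNRCTL.EXE
Sig[3].Name=Fault Module Name
Sig[3].Value=KERNELBASE.dll
Sig[6].Name=Exception Code
Sig[6].Value=80000003
LoadedModule[0]=C:\Oracle\product\12.1.0\grid\bin\LSNRCTL.EXE
LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
LoadedModule[3]=C:\Windows\system32\KERNELBASE.dll
LoadedModule[4]=C:\Oracle\product\12.1.0\grid\bin\oracore12.dll
LoadedModule[80]=C:\Program Files\McAfee\Host Intrusion Prevention\HcApi.dll
LoadedModule[81]=C:\Program Files\McAfee\Host Intrusion Prevention\HcThe.dll
AppPath=C:\Oracle\product\12.1.0\grid\bin\LSNRCTL.EXE
"""

def parse_wer(text):
    """Return (signature dict, loaded-module list, AppPath) from Report.wer text."""
    names, values, modules, app_path = {}, {}, [], None
    for line in text.splitlines():
        key, sep, val = line.strip().partition("=")
        if not sep:
            continue
        sig = re.fullmatch(r"Sig\[(\d+)\]\.(Name|Value)", key)
        if sig:  # Sig[n].Name and Sig[n].Value are separate lines; pair them by index
            (names if sig.group(2) == "Name" else values)[sig.group(1)] = val
        elif re.fullmatch(r"LoadedModule\[\d+\]", key):
            modules.append(val)
        elif key == "AppPath":
            app_path = val
    return {names[i]: values.get(i, "") for i in names}, modules, app_path

def _under(path, root):
    """Case-insensitive 'path is inside root' test on Windows path components."""
    p, r = PureWindowsPath(path.lower()).parts, PureWindowsPath(root.lower()).parts
    return p[:len(r)] == r

def triage(text, system_root=r"C:\Windows"):
    """Summarise the crash and list modules from outside the OS and application directories."""
    sig, modules, app_path = parse_wer(text)
    app_path = app_path or (modules[0] if modules else None)  # AppPath can be absent
    trusted = [system_root] + ([str(PureWindowsPath(app_path).parent)] if app_path else [])
    foreign = [m for m in modules if not any(_under(m, t) for t in trusted)]
    return {"app": sig.get("Application Name"), "fault_module": sig.get("Fault Module Name"),
            "exception": sig.get("Exception Code"), "foreign_modules": foreign}

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Report.wer files on disk are typically UTF-16 encoded, so read them with that encoding before passing the text to `triage`. A module listed as foreign is only a lead for further analysis, since the faulting module reported by Windows (here KERNELBASE.dll) is where the exception surfaced, not necessarily its origin.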

 

Changes

Exclude the Oracle executables from Host Intrusion scans.

Cause
