Aug 01 2022 12:41 AM - edited Aug 01 2022 06:40 AM
Hello,
These logs are from an attempted install on RHEL. Looking for a steer if anyone has seen these before.
OS: Oracle Linux v7.9
Kernel: 3.10.0-1160.71.1.0.1.el7
mdatp: 101.62.74
python: 2.7.5
sqlite: 3.7.17
Issue 1
/var/log/microsoft/mdatp/microsoft_defender_v2.log
Exceeded execution count
Metastore SQL DB version is out of date. Attempting migration from 32.
sqlite3_exec Error:database disk image is malformed
SQL:DROP TABLE IF EXISTS SQLiteGlobals; CREATE TABLE SQLiteGlobals(ID INTEGER PRIMARY KEY NOT NULL, Version INTEGER NOT NULL, Current BOOLEAN NOT NULL, LastUpdated TEXT NULL);, HRes:0x87af000b
MetaStore is unavailable. Persistence of RollingQueues will not work.
Issue 2
/var/log/microsoft/mdatp/microsoft_defender_v2.log
[7513][2022-07-26 22:25:56.600710 UTC][info]: number of process starts has been exceeded
[7513][2022-07-26 22:27:56.628675 UTC][info]: number of process starts has been exceeded
[7513][2022-07-26 22:28:56.629098 UTC][info]: number of process starts has been exceeded
[7513][2022-07-26 22:29:56.629821 UTC][info]: number of process starts has been exceeded
[7513][2022-07-26 22:30:56.630817 UTC][info]: number of process starts has been exceeded
[7513][2022-07-26 22:31:41.100805 UTC][info]: number of process starts has been exceeded
[7513][2022-07-26 22:31:56.631628 UTC][info]: number of process starts has been exceeded
Thanks in anticipation
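Added triage example, not code from this thread or from Microsoft: a small Python parser for the `[pid][timestamp UTC][level]: message` format shown in the microsoft_defender_v2.log excerpts above. It flags the SQLite "database disk image is malformed" error with its HRes value and reports any message that repeats from one pid (here "number of process starts has been exceeded"). The sample lines are constructed from the excerpts in the post; the threshold and field names are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the microsoft_defender_v2.log excerpts in the post:
# an untimestamped metastore migration block followed by timestamped rate-limit lines.
SAMPLE_LOG = """\
Metastore SQL DB version is out of date. Attempting migration from 32.
sqlite3_exec Error:database disk image is malformed
SQL:DROP TABLE IF EXISTS SQLiteGlobals; CREATE TABLE SQLiteGlobals(ID INTEGER PRIMARY KEY NOT NULL);, HRes:0x87af000b
MetaStore is unavailable. Persistence of RollingQueues will not work.
[7513][2022-07-26 22:25:56.600710 UTC][info]: number of process starts has been exceeded
[7513][2022-07-26 22:27:56.628675 UTC][info]: number of process starts has been exceeded
[7513][2022-07-26 22:28:56.629098 UTC][info]: number of process starts has been exceeded
"""

# Timestamped lines look like "[pid][YYYY-mm-dd HH:MM:SS.ffffff UTC][level]: message";
# anything else (the migration block) is treated as a free-form message.
LINE_RE = re.compile(r"^\[(?P<pid>\d+)\]\[(?P<ts>[^\]]+) UTC\]\[(?P<level>\w+)\]: (?P<msg>.*)$")
HRES_RE = re.compile(r"HRes:(0x[0-9A-Fa-f]{8})")

def parse_line(line):
    """Return (pid, ts, level, msg); pid/ts/level are None for untimestamped lines."""
    m = LINE_RE.match(line)
    if m:
        return m["pid"], m["ts"], m["level"], m["msg"]
    return None, None, None, line

def triage(text, repeat_threshold=3):
    """Summarise the two symptoms from the thread: SQLite metastore corruption
    (with any HRes codes on the same block) and a message repeating from one pid."""
    report = {"malformed_db": False, "metastore_unavailable": False,
              "hresults": [], "repeated": []}
    seen = defaultdict(list)  # (pid, msg) -> list of timestamps, in log order
    for line in text.splitlines():
        pid, ts, _level, msg = parse_line(line)
        if "database disk image is malformed" in msg:
            report["malformed_db"] = True
        if msg.startswith("MetaStore is unavailable"):
            report["metastore_unavailable"] = True
        report["hresults"].extend(HRES_RE.findall(msg))
        if pid is not None:
            seen[(pid, msg)].append(ts)
    for (pid, msg), stamps in seen.items():
        if len(stamps) >= repeat_threshold:
            report["repeated"].append({"pid": pid, "msg": msg, "count": len(stamps),
                                       "first": stamps[0], "last": stamps[-1]})
    return report

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against a real file with `triage(open("/var/log/microsoft/mdatp/microsoft_defender_v2.log").read())`; the "first"/"last" stamps on a repeated message show how long the condition has persisted.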
Aug 01 2022 07:23 PM
@rob_wood_8894
Can you kindly share the o/p of mdatp health?
The second log message should be fixed in the latest engine. I will check and get back on the first one once I have the o/p of mdatp health.
Aug 02 2022 06:15 AM - edited Aug 02 2022 06:16 AM
@Srinivas_Koripella what do you mean by engine? We have the latest sqlite installed:
$ sudo yum install sqlite
Loaded plugins: langpacks, ulninfo
Package sqlite-3.7.17-8.el7_7.1.x86_64 already installed and latest version
Aug 02 2022 06:22 AM
@shorif2000 Engine version is the one you see in the mdatp health o/p. If you can give me the o/p of the entire mdatp health output, I can do a quick check and see if I can find something.
healthy : true
health_issues : []
licensed : true
engine_version : "1.1.19530.0"
app_version : "101.73.77"
Aug 02 2022 06:26 AM
# rpm -qi mdatp
Name : mdatp
Version : 101.62.74
Release : 1
Architecture: x86_64
Install Date: Mon 25 Apr 2022 09:25:34 AM CEST
Group : Security
Size : 215084698
License : Copyright © Microsoft Corporation. All rights reserved.
Signature : RSA/SHA256, Fri 18 Mar 2022 08:14:03 AM CET, Key ID eb3e94adbe1229cf
Source RPM : mdatp-101.62.74-1.src.rpm
Build Date : Fri 18 Mar 2022 07:53:39 AM CET
Build Host : 41296f29c000000.fhgjolb4bomu5fsgjg1ymvbkqg.bx.internal.cloudapp.net
Relocations : /opt/microsoft/mdatp
Vendor : Microsoft
Summary : Microsoft Defender (Production)
Description :
Microsoft Defender is a complete endpoint
security solution. It delivers preventative protection, post-breach
detection, automated investigation, and response.
Aug 02 2022 07:34 AM
healthy : true
health_issues : []
licensed : true
engine_version : "3.0"
engine_version_v2 : "1.1.19300.3"
app_version : "101.62.74"
org_id : "39e745ca-d6d2-45c4-ac34-e27e7bf61c88"
log_level : "info"
machine_guid : "42320a30-3a17-a292-ec2a-9921925175b9"
release_ring : "Production"
product_expiration : Dec 13, 2022 at 06:10:49 AM
cloud_enabled : true
cloud_automatic_sample_submission_consent : "safe"
cloud_diagnostic_enabled : true
passive_mode_enabled : false
real_time_protection_enabled : true
real_time_protection_available : true
real_time_protection_subsystem : "fanotify"
supplementary_events_subsystem : "auditd"
tamper_protection : "disabled"
automatic_definition_update_enabled : true
definitions_updated : Aug 01, 2022 at 09:52:27 AM
definitions_updated_minutes_ago : 26
definitions_version : "88461"
definitions_status : "up_to_date"
edr_early_preview_enabled : "enabled"
edr_device_tags : []
edr_group_ids : ""
edr_configuration_version : "30.199999.7572753.5582739.6176165-0f3e8bdca3247cca0e4b0455709f097d0dac9c58"
edr_machine_id : "7692be90965e9ec5415102ed4f23bfcca9ca34ea"
conflicting_applications : []
network_protection_status : "stopped"
Aug 02 2022 07:08 PM
@shorif2000 Mind filing a case and sharing the diagnostic files from "mdatp diagnostic create" on that?
These errors could be harmless/benign but would need the logs to confirm to see if recovery is working fine.