When installing Windows Data Center Security 6.7x agent, installer rolls back while copying files to %temp%

book

Article ID: 169702

calendar_today

Updated On:

Products

Data Center Security Server Data Center Security Server Advanced

Issue/Introduction

When installing a Windows DCS 6.7.x agent, the installer attempts to copy cacert files to %temp% and the install rolls back.

You have followed the instructions in the following technote, but the install still fails. 

http://www.symantec.com/docs/TECH236869

 

You may see a Windows 1603 error code at the bottom of the agentinstall.log located in the %temp% directory. 

Known MSI errors: 

MSI (s) (A4:44) [14:26:11:691]: Executing op:
ActionStart(Name=efainst_install.C1599C28_9DB3_446E_AC61_80DD180FF696,Description=Registering
with SymEFA.,)
Action 14:26:11: efainst_install.C1599C28_9DB3_446E_AC61_80DD180FF696.
Registering with SymEFA.
MSI (s) (A4:44) [14:26:11:707]: Executing op:
CustomActionSchedule(Action=efainst_install.C1599C28_9DB3_446E_AC61_80DD180FF696,ActionType=3073,Source=BinaryData,Target=EFAInstall,CustomActionData="C:\Program
Files (x86)\Symantec\Data Center Security Server\Agent\IPS\bin\EFAInst.exe"
"SYMEFA-CSP" /install /KeepDriverRunning)
MSI (s) (A4:08) [14:26:11:722]: Invoking remote custom action. DLL:
C:\Windows\Installer\MSI2C91.tmp, Entrypoint: EFAInstall
EFAINST_TRACE [14:26:11:816]: --> Starting ValidateCurrentProcess...
EFAINST_TRACE [14:26:11:832]: ValidateCurrentProcess (86) - Initializing verify
trust...
EFAINST_TRACE [14:26:11:832]: ValidateCurrentProcess (103) - Get current process
info...
EFAINST_TRACE [14:26:11:847]: ValidateCurrentProcess (107) - Check process path...
EFAINST_TRACE [14:26:11:847]: ValidateCurrentProcess (127) - Validate process
path...
EFAINST_TRACE [14:26:12:004]: ValidateCurrentProcess (136) - Process path validated
EFAINST_TRACE [14:26:12:019]: <-- ValidateCurrentProcess ended
EFAINST_TRACE [14:26:12:019]: --> Starting ExecuteDeferredAction...
EFAINST_TRACE [14:26:12:035]: --> Starting ExecuteCustomActionProperty...
EFAINST_TRACE [14:26:12:035]: ExecuteCustomActionProperty (83) - Checking if
file path exists...
EFAINST_TRACE [14:26:12:035]: --> Starting Validate...
EFAINST_TRACE [14:26:12:051]: Validate (46) - Initializing verify trust...
EFAINST_TRACE [14:26:12:051]: Validate (63) - Verifying file path...
EFAINST_TRACE [14:26:12:129]: Validate (68) - Couldn't successfully validate
C:\Program Files (x86)\Symantec\Data Center Security
Server\Agent\IPS\bin\EFAInst.exe.  ccVTErrorType = 3
EFAINST_TRACE [14:26:12:144]: <-- Validate ended
EFAINST_TRACE [14:26:12:144]: <-- ExecuteCustomActionProperty ended
EFAINST_TRACE [14:26:12:160]: <-- ExecuteDeferredAction ended
Action ended 14:26:12: InstallExecute. Return value 3.

Cause

 

The root CA certificate needs to be at least "VeriSign Class 3 Public Primary Certification Authority - G5". Generally, due to GPO, the agent machine can't get to the internet to download the new cacerts file. This causes the installer to fail, and roll back, as the Root CA certificates are needed to complete the install.  

Environment

Multiple version of  Windows Server 

Windows DCS agent version 6.7.859 

Windows DCS agent version 6.7.1060 

Resolution

Give the agent machine in question internet access so the root CA certificate files can be downloaded during install.  

OR

Upgrade your version of Symantec Endpoint Protection to SEP 14.1, as the root CA certificate, VeriSign Class 3 Public Primary Certification Authority - G5, is available in that version.