When installing Windows Data Center Security 6.7x agent, installer rolls back while copying files to %temp%


Article ID: 169702


Updated On:


Data Center Security Server Data Center Security Server Advanced


When installing a Windows DCS 6.7.x agent, the installer attempts to copy cacert files to %temp% and the install rolls back.

You have followed the instructions in the following technote, but the install still fails. 



You may see a Windows 1603 error code at the bottom of the agentinstall.log located in the %temp% directory. 

Known MSI errors: 

MSI (s) (A4:44) [14:26:11:691]: Executing op:
with SymEFA.,)
Action 14:26:11: efainst_install.C1599C28_9DB3_446E_AC61_80DD180FF696.
Registering with SymEFA.
MSI (s) (A4:44) [14:26:11:707]: Executing op:
Files (x86)\Symantec\Data Center Security Server\Agent\IPS\bin\EFAInst.exe"
"SYMEFA-CSP" /install /KeepDriverRunning)
MSI (s) (A4:08) [14:26:11:722]: Invoking remote custom action. DLL:
C:\Windows\Installer\MSI2C91.tmp, Entrypoint: EFAInstall
EFAINST_TRACE [14:26:11:816]: --> Starting ValidateCurrentProcess...
EFAINST_TRACE [14:26:11:832]: ValidateCurrentProcess (86) - Initializing verify
EFAINST_TRACE [14:26:11:832]: ValidateCurrentProcess (103) - Get current process
EFAINST_TRACE [14:26:11:847]: ValidateCurrentProcess (107) - Check process path...
EFAINST_TRACE [14:26:11:847]: ValidateCurrentProcess (127) - Validate process
EFAINST_TRACE [14:26:12:004]: ValidateCurrentProcess (136) - Process path validated
EFAINST_TRACE [14:26:12:019]: <-- ValidateCurrentProcess ended
EFAINST_TRACE [14:26:12:019]: --> Starting ExecuteDeferredAction...
EFAINST_TRACE [14:26:12:035]: --> Starting ExecuteCustomActionProperty...
EFAINST_TRACE [14:26:12:035]: ExecuteCustomActionProperty (83) - Checking if
file path exists...
EFAINST_TRACE [14:26:12:035]: --> Starting Validate...
EFAINST_TRACE [14:26:12:051]: Validate (46) - Initializing verify trust...
EFAINST_TRACE [14:26:12:051]: Validate (63) - Verifying file path...
EFAINST_TRACE [14:26:12:129]: Validate (68) - Couldn't successfully validate
C:\Program Files (x86)\Symantec\Data Center Security
Server\Agent\IPS\bin\EFAInst.exe.  ccVTErrorType = 3
EFAINST_TRACE [14:26:12:144]: <-- Validate ended
EFAINST_TRACE [14:26:12:144]: <-- ExecuteCustomActionProperty ended
EFAINST_TRACE [14:26:12:160]: <-- ExecuteDeferredAction ended
Action ended 14:26:12: InstallExecute. Return value 3.



The root CA certificate needs to be at least "VeriSign Class 3 Public Primary Certification Authority - G5". Generally, due to GPO, the agent machine can't get to the internet to download the new cacerts file. This causes the installer to fail, and roll back, as the Root CA certificates are needed to complete the install.  


Multiple version of  Windows Server 

Windows DCS agent version 6.7.859 

Windows DCS agent version 6.7.1060 


Give the agent machine in question internet access so the root CA certificate files can be downloaded during install.  


Upgrade your version of Symantec Endpoint Protection to SEP 14.1, as the root CA certificate, VeriSign Class 3 Public Primary Certification Authority - G5, is available in that version.