Endpoint Protection SEP rollback when upgrading from 12.1x to 14.0x version

Products

Endpoint Protection

Issue/Introduction

Upgrading SEP from 12.1 RU6 MP3 to 14.0 RU1 MP1 or from any 12.1 version to 14.0, upgrade rolls back.
Manual or remote deployment also fails. Fresh unmanaged package fails too.

From SEP_INST.log

MSI (s) (B0:04) [19:04:01:044]: Invoking remote custom action. DLL:C:\Windows\Installer\MSI314E.tmp, Entrypoint: ShowServiceProgress

ScriptGen: ShowServiceProgress() MSIRUNMODE_SCHEDULED

ScriptGen: ShowServiceProgress() calling WaitForSingleObject(scriptStarted) ...

ScriptGen: ShowServiceProgress() WaitForSingleObject(scriptStarted) returned WAIT_OBJECT_0

ScriptGen: ShowServiceProgress() script execution failed.

ScriptGen: ShowServiceProgress() reset script failure event.

ScriptGen: ShowServiceProgress() is returning an error (so close to the end!)

CustomAction ShowServiceProgress returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

MSI (s) (B0:C8) [19:04:02:650]: User policy value 'DisableRollback' is 0

MSI (s) (B0:C8) [19:04:02:651]: Machine policy value 'DisableRollback' is 0

Action ended 19:04:02: InstallFinalize. Return value 3.

From SIS_INST.log, we are getting an Access Denied for creating folder in C:\ProgramData folder

2018-05-14T13:34:02.072Z INFO I SIS Executing action ( 22 ) - CopyFile currentPosition: 7338

2018-05-14T13:34:02.072Z INFO I SIS CopyFile Action - C:\Program Files\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\Bin\FwsVpn.dll -> C:\Windows\system32\FwsVpn.dll

2018-05-14T13:34:02.088Z INFO I SIS CopyFile: target is a file.

2018-05-14T13:34:02.090Z DEBUG I SIS DeleteFileAction: target exists, using CopyFile action to save it to temp area: C:\Windows\system32\FwsVpn.dll

2018-05-14T13:34:02.090Z INFO I SIS CopyFile Action - C:\Windows\system32\FwsVpn.dll -> C:\ProgramData\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\TransactedTemp\Folder1\file5

2018-05-14T13:34:02.090Z ERROR I SIS openImpl Failed to create file. [\??\C:\ProgramData] Status: 0xC0000022 = {Access Denied} A process has requested access to an object, but has not been granted those access rights.

2018-05-14T13:34:02.091Z ERROR I SIS openImpl Failed to create file. [\??\C:\ProgramData] Status: 0xC0000022 = {Access Denied} A process has requested access to an object, but has not been granted those access rights.

2018-05-14T13:34:02.091Z ERROR I SIS Createfolder: failed to create folder. 0xC0000022

2018-05-14T13:34:02.091Z ERROR I SIS [C:\ProgramData]

2018-05-14T13:34:02.091Z ERROR I SIS Copyfile: createfolder failed.

2018-05-14T13:34:02.091Z ERROR I SIS Copyfile: deletefile failed.

2018-05-14T13:34:02.091Z ERROR I SIS

2018-05-14T13:34:02.091Z ERROR I SIS Dumping action parameters from the script:

2018-05-14T13:34:02.091Z ERROR I SIS SrcPath=[C:\Program Files\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\Bin\FwsVpn.dll]

2018-05-14T13:34:02.091Z ERROR I SIS DestPath=[C:\Windows\system32\FwsVpn.dll]

2018-05-14T13:34:02.091Z ERROR I SIS SkipWhenMissing=[true]

2018-05-14T13:34:02.091Z INFO I SIS ExecuteScript() - Successfully set failure event.

2018-05-14T13:34:02.093Z INFO I SIS ExecuteScript() returning ACTION_FAILED_WITH_ROLLBACK

2018-05-14T13:34:02.093Z INFO I SIS

2018-05-14T13:34:02.093Z INFO I SIS script completed with status: ACTION_FAILED_WITH_ROLLBACK

2018-05-14T13:34:02.097Z INFO r SIS TransitionToEnteringRollbackScript() - success

2018-05-14T13:34:02.097Z INFO r SIS

2018-05-14T13:34:02.098Z INFO r SIS starting execution of script: C:\Program Files\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\Scripts\startrollback.sis

2018-05-14T13:34:02.098Z INFO r SIS

2018-05-14T13:34:02.098Z INFO r SIS Executing action ( 23 ) - ShowInstallMessage currentPosition: 2

2018-05-14T13:34:02.098Z INFO r SIS [ShowInstallMessage] message = [Rolling back install]

Evidence from procmon.

>>ccsvchst.exe failed to open C:\ProgramData.

7:04:01.9445046 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Attributes, Synchronize, Disposition: Open

7:04:01.9553233 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Write Attributes, Synchronize, Disposition: OpenIf

7:04:01.9615583 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Attributes, Synchronize, Disposition: Open

7:04:01.9617910 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Write Attributes, Synchronize, Disposition: OpenIf

7:04:01.9933961 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Attributes, Synchronize, Disposition: Open

7:04:01.9936260 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Write Attributes, Synchronize, Disposition: OpenIf

7:04:02.0628275 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Attributes, Synchronize, Disposition: Open

7:04:02.0630725 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Write Attributes, Synchronize, Disposition: OpenIf

7:04:02.0839558 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Attributes, Synchronize, Disposition: Open

7:04:02.0841938 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Write Attributes, Synchronize, Disposition: OpenIf

>>CMD.exe also tried to access C:\ProgramData once and failed with access denied.

7:05:54.4701220 PM cmd.exe 5712 1200 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Data/List Directory, Synchronize, Disposition: Open

CMD.exe was launched by OcsService.exe(OCS Inventory NG Service)

Both these executable are running under NT AUTHORITY\SYSTEM, still not able to access this particular folder only.Other folders are accessible to them.

CCSVCHST.exe can access subfolders and files within C:\ProgramData always.

7:04:01.9573633 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\Data\Config\serdef.dat SUCCESS Desired Access: Read Attributes

MsiExec can access C:\ProgramData Always.

7:05:37.7679448 PM msiexec.exe 2736 7368 IRP_MJ_CREATE C:\ProgramData SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open

Setup.exe can access C:\ProgramData.

7:01:44.1451701 PM Setup.exe 7768 6080 IRP_MJ_CREATE C:\ProgramData SUCCESS Desired Access: Read Attributes, Disposition: Open

EfaInst.exe Can Access C:\ProgramData

7:02:12.8338322 PM EFAInst.exe 6856 7344 IRP_MJ_CREATE C:\ProgramData SUCCESS Desired Access: Read Attributes, Disposition: Open

Cause

ccsvchst.exe and cmd.exe can not access the C:\ProgramData
MsiExec.exe can access C:\ProgramData
EfaInst.exe and Setup.exe can also access C:\ProgramData.
ccSvchst can access subfolders under C:\ProgramData

Rollback happened because, ccsvchst can not open C:\ProgramData to copy files.

Its looks like to be an permission issue on C:\ProgramData folder.

Resolution

Add permission for SYSTEM user to C:\ProgramData.
Attempt the upgrade now and it will be successful.