Endpoint Protection SEP rollback when upgrading from 12.1x to 14.0x version

Article ID: 171885

Products

Endpoint Protection

Issue/Introduction

When upgrading SEP from 12.1 RU6 MP3 to 14.0 RU1 MP1, or from any 12.1 version to 14.0, the upgrade rolls back.
Manual and remote deployments also fail, and a fresh unmanaged package fails too.

From SEP_INST.log
MSI (s) (B0:04) [19:04:01:044]: Invoking remote custom action. DLL:C:\Windows\Installer\MSI314E.tmp, Entrypoint: ShowServiceProgress
ScriptGen: ShowServiceProgress() MSIRUNMODE_SCHEDULED
ScriptGen: ShowServiceProgress() calling WaitForSingleObject(scriptStarted) ...
ScriptGen: ShowServiceProgress() WaitForSingleObject(scriptStarted) returned WAIT_OBJECT_0
ScriptGen: ShowServiceProgress() script execution failed.
ScriptGen: ShowServiceProgress() reset script failure event.
ScriptGen: ShowServiceProgress() is returning an error (so close to the end!)
CustomAction ShowServiceProgress returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (B0:C8) [19:04:02:650]: User policy value 'DisableRollback' is 0
MSI (s) (B0:C8) [19:04:02:651]: Machine policy value 'DisableRollback' is 0
Action ended 19:04:02: InstallFinalize. Return value 3.
 
From SIS_INST.log: creating a folder under C:\ProgramData fails with Access Denied.
2018-05-14T13:34:02.072Z INFO  I SIS    Executing action ( 22 ) - CopyFile currentPosition: 7338
2018-05-14T13:34:02.072Z INFO  I SIS      CopyFile Action - C:\Program Files\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\Bin\FwsVpn.dll -> C:\Windows\system32\FwsVpn.dll
2018-05-14T13:34:02.088Z INFO  I SIS        CopyFile: target is a file.
2018-05-14T13:34:02.090Z DEBUG I SIS        DeleteFileAction: target exists, using CopyFile action to save it to temp area: C:\Windows\system32\FwsVpn.dll
2018-05-14T13:34:02.090Z INFO  I SIS        CopyFile Action - C:\Windows\system32\FwsVpn.dll -> C:\ProgramData\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\TransactedTemp\Folder1\file5
2018-05-14T13:34:02.090Z ERROR I SIS          openImpl Failed to create file. [\??\C:\ProgramData] Status: 0xC0000022 = {Access Denied}  A process has requested access to an object, but has not been granted those access rights.  
2018-05-14T13:34:02.091Z ERROR I SIS          openImpl Failed to create file. [\??\C:\ProgramData] Status: 0xC0000022 = {Access Denied}  A process has requested access to an object, but has not been granted those access rights.  
2018-05-14T13:34:02.091Z ERROR I SIS          Createfolder: failed to create folder. 0xC0000022
2018-05-14T13:34:02.091Z ERROR I SIS          [C:\ProgramData]
2018-05-14T13:34:02.091Z ERROR I SIS          Copyfile: createfolder failed.
2018-05-14T13:34:02.091Z ERROR I SIS        Copyfile: deletefile failed.
2018-05-14T13:34:02.091Z ERROR I SIS         
2018-05-14T13:34:02.091Z ERROR I SIS        Dumping action parameters from the script:
2018-05-14T13:34:02.091Z ERROR I SIS          SrcPath=[C:\Program Files\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\Bin\FwsVpn.dll]
2018-05-14T13:34:02.091Z ERROR I SIS         DestPath=[C:\Windows\system32\FwsVpn.dll]
2018-05-14T13:34:02.091Z ERROR I SIS          SkipWhenMissing=[true]
2018-05-14T13:34:02.091Z INFO  I SIS        ExecuteScript() - Successfully set failure event.
2018-05-14T13:34:02.093Z INFO  I SIS    ExecuteScript() returning ACTION_FAILED_WITH_ROLLBACK
2018-05-14T13:34:02.093Z INFO  I SIS   
2018-05-14T13:34:02.093Z INFO  I SIS  script completed with status: ACTION_FAILED_WITH_ROLLBACK
2018-05-14T13:34:02.097Z INFO  r SIS  TransitionToEnteringRollbackScript() - success
2018-05-14T13:34:02.097Z INFO  r SIS     
2018-05-14T13:34:02.098Z INFO  r SIS    starting execution of script: C:\Program Files\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\Scripts\startrollback.sis
2018-05-14T13:34:02.098Z INFO  r SIS     
2018-05-14T13:34:02.098Z INFO  r SIS    Executing action ( 23 ) - ShowInstallMessage  currentPosition: 2
2018-05-14T13:34:02.098Z INFO  r SIS      [ShowInstallMessage] message = [Rolling back install]
 
Evidence from procmon.
>>ccsvchst.exe failed to open C:\ProgramData.
7:04:01.9445046 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Attributes, Synchronize, Disposition: Open
7:04:01.9553233 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Write Attributes, Synchronize, Disposition: OpenIf
7:04:01.9615583 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Attributes, Synchronize, Disposition: Open
7:04:01.9617910 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Write Attributes, Synchronize, Disposition: OpenIf
7:04:01.9933961 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Attributes, Synchronize, Disposition: Open
7:04:01.9936260 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Write Attributes, Synchronize, Disposition: OpenIf
7:04:02.0628275 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Attributes, Synchronize, Disposition: Open
7:04:02.0630725 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Write Attributes, Synchronize, Disposition: OpenIf
7:04:02.0839558 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Attributes, Synchronize, Disposition: Open
7:04:02.0841938 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Write Attributes, Synchronize, Disposition: OpenIf
 
>>CMD.exe also tried to access C:\ProgramData once and failed with access denied.
7:05:54.4701220 PM cmd.exe         5712 1200 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Data/List Directory, Synchronize, Disposition: Open
 
CMD.exe was launched by OcsService.exe (OCS Inventory NG Service).
Both of these executables run under NT AUTHORITY\SYSTEM, yet they cannot access this particular folder. Other folders are accessible to them.
 
CCSVCHST.exe can access subfolders and files within C:\ProgramData always.
7:04:01.9573633 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\Data\Config\serdef.dat SUCCESS Desired Access: Read Attributes
 
MsiExec.exe can always access C:\ProgramData.
7:05:37.7679448 PM msiexec.exe 2736 7368 IRP_MJ_CREATE C:\ProgramData SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open
 
Setup.exe can access C:\ProgramData.
7:01:44.1451701 PM Setup.exe 7768 6080 IRP_MJ_CREATE C:\ProgramData SUCCESS Desired Access: Read Attributes, Disposition: Open
 
EfaInst.exe can access C:\ProgramData.
7:02:12.8338322 PM EFAInst.exe 6856 7344 IRP_MJ_CREATE C:\ProgramData SUCCESS Desired Access: Read Attributes, Disposition: Open

Cause

ccSvcHst.exe and cmd.exe cannot access C:\ProgramData.
MsiExec.exe can access C:\ProgramData.
EfaInst.exe and Setup.exe can also access C:\ProgramData.
ccSvcHst.exe can access subfolders under C:\ProgramData.

The rollback happened because ccSvcHst.exe cannot open C:\ProgramData to copy files.

This appears to be a permission issue on the C:\ProgramData folder.

Resolution

Add permission for the SYSTEM user on C:\ProgramData.
Then attempt the upgrade again; it will be successful.
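
One way to confirm the cause and apply the resolution from an elevated PowerShell prompt. This is an added example, not part of the original article or any Symantec tooling: the function name Test-SystemAccess and its -Grant switch are hypothetical, and the Full control level it grants is an assumption (it is the Windows default for SYSTEM on this folder; the article does not state a level).

```powershell
# Added example: audit, and optionally repair, SYSTEM's access to C:\ProgramData.
function Test-SystemAccess {
    param(
        [string]$Path = (Join-Path $env:SystemDrive 'ProgramData'),
        [switch]$Grant   # hypothetical switch: add the missing ACE instead of only reporting
    )
    $systemSid = 'S-1-5-18'   # well-known SID of NT AUTHORITY\SYSTEM
    $sidType   = [System.Security.Principal.SecurityIdentifier]

    $acl = Get-Acl -Path $Path
    # Explicit and inherited ACEs, with identities returned as SIDs so the
    # comparison does not depend on the OS display language.
    $rules = @($acl.GetAccessRules($true, $true, $sidType))

    $systemAllow = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $systemSid -and $_.AccessControlType -eq 'Allow'
    })
    # A Deny ACE overrides an Allow ACE, so list every Deny entry on the folder.
    $deny = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })

    Write-Host "Folder : $Path"
    Write-Host "Owner  : $($acl.Owner)"
    Write-Host "Allow ACEs for SYSTEM: $($systemAllow.Count)"
    foreach ($ace in $systemAllow) {
        Write-Host ("  {0} (inherited: {1}; {2} / {3})" -f $ace.FileSystemRights,
            $ace.IsInherited, $ace.InheritanceFlags, $ace.PropagationFlags)
    }
    Write-Host "Deny ACEs on folder  : $($deny.Count)"
    foreach ($ace in $deny) {
        Write-Host ("  {0} denied {1}" -f $ace.IdentityReference.Value, $ace.FileSystemRights)
    }

    if ($systemAllow.Count -eq 0) {
        Write-Warning 'SYSTEM has no Allow ACE on this folder.'
        if ($Grant) {
            # Assumption: Full control, inherited by subfolders (CI) and files (OI).
            # /grant without :r adds the ACE and leaves existing entries in place.
            & icacls.exe $Path /grant "*${systemSid}:(OI)(CI)F"
        }
    }
    return ($systemAllow.Count -gt 0)
}

# Report only; rerun with -Grant to add the ACE, then retry the upgrade.
Test-SystemAccess
```

If the function returns True and no Deny ACE is listed, the ACL on the folder itself already allows SYSTEM and the access-denied result has to be traced elsewhere.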