
SEP 14.3 ru3 Rolls back to previous version on install with NO MSI error code.


Article ID: 226033


Products

Endpoint Protection Endpoint Protection Cloud Endpoint Protection for VDI

Issue/Introduction

During the install of SEP 14.3 RU3 (on-prem, Cloud or VDI) you see the install rollback to the previous version. 

When you review the MSI####.LOG from the attempt, the install is recorded as successful, but the log also lists MSI error 2265 with no additional notation on the error code. Error 2265 is a file access rights issue (failed to commit): another process interrupted a write or close-file operation.


MSI LOG---------------------------------------------------------------------------------------
MSI (s) (94:AC) [11:52:03:057]: Note: 1: 1707 
MSI (s) (94:AC) [11:52:03:057]: Product: Symantec Endpoint Protection -- Installation operation completed successfully.
MSI (s) (94:AC) [11:52:03:057]: Windows Installer installed the product. Product Name: Symantec Endpoint Protection. Product Version: 14.3.4615.2000. Product Language: 1033. Manufacturer: Broadcom. Installation success or error status: 0.
MSI (s) (94:AC) [11:52:03:073]: Deferring clean up of packages/files, if any exist
MSI (s) (94:AC) [11:52:03:073]: MainEngineThread is returning 0
MSI (s) (94:B8) [11:52:03:073]: No System Restore sequence number for this installation.
=== Logging stopped: 10/1/2021  11:52:03 ===
MSI (s) (94:B8) [11:52:03:088]: User policy value 'DisableRollback' is 0
MSI (s) (94:B8) [11:52:03:088]: Machine policy value 'DisableRollback' is 0
MSI (s) (94:B8) [11:52:03:088]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (94:B8) [11:52:03:088]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 
MSI (s) (94:B8) [11:52:03:088]: Note: 1: 2265 2:  3: -2147287035 
MSI (s) (94:B8) [11:52:03:088]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 
MSI (s) (94:B8) [11:52:03:088]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (s) (94:B8) [11:52:03:088]: Destroying RemoteAPI object.
MSI (s) (94:50) [11:52:03:088]: Custom Action Manager thread ending.
MSI (c) (20:D0) [11:52:03:104]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (c) (20:D0) [11:52:03:104]: MainEngineThread is returning 0
=== Verbose logging stopped: 10/1/2021  11:52:03 ===
----------------------------------------------------------------------------------------------------




Checking the SISINST.LOG, you may see only one error:
----------------------------------------------------------------------------------------------------
2021-10-01T17:40:08.776Z ERROR I SIS      File C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.3.4615.2000.105\bin\ELAMInst.exe is not trusted. Verification result: 3
2021-10-01T17:40:08.776Z INFO  I SIS        ExecuteScript() - Successfully set failure event.
2021-10-01T17:40:08.776Z INFO  I SIS    ExecuteScript() returning ACTION_FAILED_WITH_ROLLBACK
----------------------------------------------------------------------------------------------------

The above SISINST.LOG error is the trigger for the MSI####.LOG 2265 error code. Windows rejected a driver registration, in this case for ELAM (Early Launch Anti-Malware). This failed driver registration caused a rollback that the MSI log did not list.


Cause

"ELAMInst.exe is not trusted. Verification result: 3" is logged when the local OS (Windows) fails to verify the code signing certificate chain of the ELAM driver. ELAM for Windows has more stringent code signing requirements to prevent boot-time exploitation, and it rejected the SEP driver because of a certificate lookup error.

In this case the root cause was found to be missing DigiCert code signing root certificates in the Windows certificate store.
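To confirm this cause on an affected host before touching the certificate store, the following added PowerShell check (not part of the original article) verifies the Authenticode chain of ELAMInst.exe element by element and lists the DigiCert certificates already present in the machine Root and CA stores. The file path assumes the build folder named in the SISINST.LOG above, and the 'DigiCert' subject filter is a triage assumption, not a list of required certificates.

```powershell
# Added example, not from the Broadcom article. Path assumes the SEP 14.3 RU3
# build folder shown in SISINST.LOG; adjust the version folder for your install.
$elam = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.3.4615.2000.105\bin\ELAMInst.exe'

if (-not (Test-Path -LiteralPath $elam)) {
    Write-Warning "ELAMInst.exe not found at $elam"
    return
}

# Authenticode status: 'Valid' means Windows built the full chain to a trusted root.
# Anything else with a DigiCert issuer is consistent with the missing-root cause above.
$sig = Get-AuthenticodeSignature -LiteralPath $elam
"Signature status : {0}" -f $sig.Status
"Status message   : {0}" -f $sig.StatusMessage
if ($null -eq $sig.SignerCertificate) {
    Write-Warning 'File carries no signer certificate; nothing to chain.'
    return
}
"Signer subject   : {0}" -f $sig.SignerCertificate.Subject
"Signer issuer    : {0}" -f $sig.SignerCertificate.Issuer

# Build the chain ourselves so each failing element and its reason are visible.
# Revocation checking is disabled to separate trust problems from CRL reachability.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'NoFlag'
$null = $chain.Build($sig.SignerCertificate)
'Chain elements (subject / status):'
foreach ($el in $chain.ChainElements) {
    $status = if ($el.ChainElementStatus) {
        ($el.ChainElementStatus.StatusInformation -join '; ').Trim()
    } else { 'OK' }
    "  {0,-70} {1}" -f $el.Certificate.Subject, $status
}

# DigiCert certificates the machine already trusts (assumed subject filter for triage).
Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -match 'DigiCert' } |
    Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '.*::' } }, Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize
```

A chain element reported as "untrusted root" or "unable to get issuer certificate" while the store listing shows no matching DigiCert entry is the condition this article describes; rerun the script after importing the certificates to confirm the status becomes Valid.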


Environment

All versions of supported Windows 10, 2016, 2019 and 2022.
All versions of SEP 14.2 RU2 and higher
All versions of SEP 14.3 and higher


Resolution

In this instance the resolution was to install the DigiCert High Assurance Code Signing CA-1 certificate from DigiCert's root certificate page (freely available online), or to run Windows Update against a WSUS server containing the updated DigiCert root certificates or against the public Windows Update servers.

After the certificates are installed, the Symantec Endpoint Protection install should proceed normally unless there is a read-rights issue on the local OS's Root certificate store.


Digicert public Root certificate page:
https://www.digicert.com/kb/digicert-root-certificates.htm#roots

** For licensing and redistribution reasons Broadcom cannot host the required certificate files for download. Please download the required files from the link above.

