Product install or upgrade issues due to missing root certificates

Technical Articles ID: KB87096
Last Modified: 2/11/2021

Environment

McAfee Active Response (MAR) 2.x

McAfee Agent (MA) 5.x

McAfee Application and Change Control (MACC) 8.x

McAfee Data Exchange Layer (DXL) 5.x

McAfee Data Loss Prevention Endpoint (DLP Endpoint) 11.x

McAfee Endpoint Intelligence Agent (EIA) 2.x

McAfee Endpoint Security (ENS) Firewall 10.x

McAfee ENS Platform (Common) 10.x

McAfee ENS Threat Prevention 10.x

McAfee ENS Web Control 10.x

McAfee Host Intrusion Prevention (Host IPS) 8.0

McAfee Threat Intelligence Exchange Module (TIEm) for VirusScan Enterprise 1.x

McAfee VirusScan Enterprise (VSE) 8.8

Problem

You see any of the following issues when you try to install or upgrade a McAfee product:

NOTE: Click to expand the sections you want to view.

McAfee product installation or upgrade fails

An installation or upgrade fails for any of the products listed in the Environment section of this article.

The failure can occur when you install or upgrade the basic ENS platform. This failure can also impact the installation or upgrade of any ENS platform modules.

The following errors are logged:

VSE VSEInst_xxxxxx_xxxxxx.log:

!> Error - SysCore install failed: 255
<= leave custom action Install_SysCore()
CustomAction Install_SysCore returned actual error code 1603 (Note: This code might not be 100% accurate if translation happened inside sandbox)
Fin de la acción 12:28:11: InstallExecute. Return value 3.
MSI (s) (98:70) [12:28:11:908]: Note: 1: 2265 2: 3: -2147287035

Or:

>> Installing SysCore: "C:\Program Files (x86)\McAfee\VirusScan Enterprise\VSCore\x64\mfehidin.exe" -i VSE88P9 -q -mfetrust_killbit –oastrust_off -l "C:\Users\asmith\AppData\Local\Temp\McAfeeLogs\vse8.8.0.core_install_060517_163652.log" -etl "C:\Users\asmith\AppData\Local\Temp\McAfeeLogs\vse8.8.0.core_install_060517_163652.etl" -x vse.xml OAS ELAM AAC DiskFilter firecore_driver EmailScan ScriptScan
!> Error - SysCore install failed: 255
<= leave custom action Install_SysCore()
CustomAction Install_SysCore returned actual error code 1603 (Note: This code might not be 100% accurate if translation happened inside sandbox.)
Action ended 16:37:58: InstallExecute. Return value 3.

VSE vse8.8.0.core_install_xxxxxx_xxxxxx.log:

parseCertificate: CertAddSerializedElementToStore failed 80070005

Or:

[16:36:53:578] - StartStopMFeServices: stopping
[16:36:53:578] - StartStopAllMMSServices: start=false
[16:36:53:594] - StartStopAllMMSServices: ERROR! MmsControlCreate failed with -2146869243
[16:36:53:594] - StartStopAllMMSServices: exit=0

Or:

[11:04:49:893] - ERROR! Signature check failed
[11:04:49:893] - ValidateDocument: return=0
[11:04:49:893] - ERROR! While validating document

[11:04:49:893] - StartHIP: policy disable 0 service stopped 0

[11:04:49:893] - Returning 4294967295

ENS McAfee_Common_VScore_Install_date_time.log:

AAC is not installed. Err=-2146869243
ERROR! Failed to create AAC Control. Err=-2146869243
StartStopAllMMSServices: ERROR! MmsControlCreate failed with -2146869243

ENS McAfee_MfeEpAac_date_time.log:

VerifyParentEntryPointIsMcAfeeSigned: VerifyProcess PID[2340] LastErr 0x80096005 The time stamp signature or certificate could not be verified or is malformed.
LastErr 0x80096005 The time stamp signature or certificate could not be verified or is malformed.

ENS McAfee_Common_Bootstrapper_date_time.log:

Running application to gain installer exclusion failed: 2148098053
Gain installer exclusion through mfeEpAAC MFEPROTECT failed
Trying to gain installer exclusion now by mfeEpAAC protected with MFEINSTALL
Extracting MfeEpAac.exe: C:\Windows\TEMP\MfeEpAac.exe
Extraction successful
This is a 64-bit system
"C:\Windows\TEMP\MfeEpAac.exe" -add -rootlocation "C:\Program Files\McAfee\Endpoint Security" -rootlocation "C:\Program Files (x86)\McAfee\Endpoint Security" -folder "C:\ProgramData\McAfee\Endpoint Security"
PROCESS return code: 3221225506
Running application to gain installer exclusion failed: 3221225506

NOTE: Error codes 0x80096005 and -2146869243 translate to: TRUST_E_TIME_STAMP - The time stamp signature or certificate could not be verified or is malformed. Failure to validate certificate information causes this error.

VSE 8.8 Patch fails to install; rollback mechanism also fails

A VSE 8.8 patch upgrade fails to install and the rollback mechanism also fails. This failure leaves a corrupt installation of VSE on the system. It also leaves the McAfee Validation Trust Protection Service in a stopped state, and the VSE OnAccessScanner service disabled.

Errors are recorded in the VSE installation logs (C:\Windows\Temp\McAfeeLogs):

VSE88_Patch_xxxxxx_xxxxxx.log:

>> Installing SysCore: "C:\Program Files (x86)\McAfee\VirusScan Enterprise\VSCore\x64\mfehidin.exe" -i VSE88P7 -q -mfetrust_killbit -l "C:\Windows\TEMP\McAfeeLogs\vse8.8.0.core_install_041416_090556.log" -etl "C:\Windows\TEMP\McAfeeLogs\vse8.8.0.core_install_041416_090556.etl" -x vse.xml OAS ELAM AAC DiskFilter firecore_driver EmailScan ScriptScan
!> Error - SysCore install failed: 255
<= leave custom action Install_SysCore_Patch()
CustomAction Install_SysCore_Patch returned actual error code 1603 (Note: This code might not be 100% accurate if translation happened inside sandbox.)
MSI (s) (DC:14) [09:06:35:968]: User policy value 'DisableRollback' is 0
MSI (s) (DC:14) [09:06:35:968]: Machine policy value 'DisableRollback' is 0

vse8.8.0.core_install_xxxxxx_xxxxxx.log:

[10:06:12:062] - GetAccessAndDeleteFile: FileDelete(C:\Program Files (x86)\Common Files\McAfee\SystemCore\mcvssnmp.dll) failed with error 5
[10:06:12:062] - GetAccessAndDeleteFile: FileDelete(C:\Program Files (x86)\Common Files\McAfee\SystemCore\mcvssnmp.dll.a5a7.deleteme) failed with error 2

[10:06:20:859] - Install error: un-winding install

[10:06:22:452] - ERROR! Failed to create AAC Control. Err=-2146762486

[10:06:22:500] - Returning 4294967295

VSE 8.8 Patch management extension upgrade fails (Failed to create AP config)

A VSE 8.8 patch management extension upgrade fails with the following message in the Orion.log file (..\Program Files(x86)\McAfee\ePolicy Orchestrator\Server\Conf\Orion):

BUILD FAILED
D:\PROGRA~1\McAfee\EPOLIC~1\server\extensions\installed\VIRUSCAN8800\8.8.0.448\install.xml:78: com.mcafee.orion.core.cmd.
CommandException: APPolicyMigrateCommand: Failed to create AP config

A certificate validation error causes this issue when it creates the APConfig object. The product could not validate the involved DLL certificates. So, it can't create the APConfig object to update the policy.

Categories and Rules fields contain no data in VSE Access Protection policies

The fields for Categories and Rules contain no data in VSE Access Protection policies after you upgrade the VSE 8.8 patch extensions.

Fields for Rules contain no data in the VSE Access Protection policies

The fields for Rules contain no data in the VSE Access Protection policies after you upgrade the VSE 8.8 Patch extensions.

Updates that use the nnnnxdat.exe (V2) or V3_nnnndat.exe (V3) package fail

Updates that use the nnnnxdat.exe (V2) or V3_nnnndat.exe (V3) package, fail if one or more of the root certificates is missing.

Warning: Certificate - not found in Root in core installation log

The following error is found in the core installation log:

Warning: Certificate <CERTIFICATE_NAME> - not found in Root

The product core installation log contains errors similar to the below examples:

NOTE: The certificate name might differ in the core installation log.

MACC mac_mpt.log

[09:14:16:612] - Total 1 Warning Value present
[09:14:16:612] - Code [0x60001100] : A required certificate couldn't be located in certificate store.
[09:14:16:612] - Total 1 Error Value present
[09:14:16:612] - Code [0x20005011] : Internal error has occurred during installation.
[09:14:16:612] - Warning: Certificate UTN-USERFirst-Object - not found in Root.
[09:14:16:628] - Warning: Certificate GlobalSign Root CA - R1 - not found in Root.
[09:14:16:628] - Exit code will be 4294967295

VSE VSEInst_<date_time>.log

[10:39:15:420] - Warning: Certificate UTN-USERFirst-Object - not found in Root.
[10:39:15:420] - RecordActionCode: Action Result 1 Category 1 Message 16 (Final 0x60001100).
[10:39:15:436] - Warning: Certificate GlobalSign Root CA - R1 - not found in Root.
[10:39:15:436] - LoadElamPplCerts: Ensure PPL certificates are loaded in the OS
[10:39:15:436] - StartStopMFeServices: stopping
[10:39:15:436] - StartStopAllMMSServicesExceptVTP: start=false
[10:39:15:436] - StartStopAllMMSServicesExceptVTP: ERROR! MmsControlCreate failed with -2146762486
[10:39:15:436] - StartStopAllMMSServicesExceptVTP: exit=0
[10:39:15:436] - ERROR: StartStopMfeServices: failed to stop services...
[10:39:15:436] - StartStopMFeServices: return=0
[10:39:15:436] - ERROR! while stopping services.

Cause

One or more of the following certificates are missing:

Root certificates:
- AAA Certificate Services
- AddTrust External CA Root
- GlobalSign
- GlobalSign Root CA
- Microsoft Code Verification Root
- USERTrust RSA Certification Authority
- UTN-USERFirst-Object
- Verisign Universal Root Certification Authority
- Verisign Class 3 Public Primary Certification Authority - G5

Or:

Intermediate Certification Authorities certificates:
- AddTrust External CA Root
- COMODO RSA Code Signing CA
- GlobalSign
- GlobalSign Root CA
- GlobalSign CodeSigning CA - G3
- GlobalSign CodeSigning CA - SHA256 - G3
- McAfee Code Signing CA 2
- McAfee OV SSL CA 2
- USERTrust RSA Certification Authority
- Verisign Class 3 Code Signing 2010 CA

The latest McAfee binaries have been signed with updated SHA-1 and SHA-256 certificates. These root certificates are needed to validate the digital signatures. Microsoft does not distribute these certificates.

The reasons for the missing root certificates include, but are not limited to:

The administrator removed the certificate from the system.
The system does not have internet connectivity, which is needed to perform a Root AutoUpdate (automatic root update).
The group policy in effect prevents the root certificate update:
- The registry value HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate is set to 1.
- The registry key HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots exist.

Solution

Use the following solutions to resolve the missing certificate issue:

NOTE: Click to expand the solution you want to view.

Import the certificates that are needed to validate the digital signatures

Import the certificates that are needed to validate the digital signatures. After you install the certificates, the product installs or upgrades successfully.

Install the missing root certificates in the physical Third-Party Trusted Root Certification Authorities store. (AAA Certificate Services, AddTrust External CA Root, GlobalSign, GlobalSign Root CA, Microsoft Code Verification Root, USERTrust RSA Certification Authority, UTN-USERFirst-Object, Verisign Class 3 Public Primary Certification Authority - G5, and Verisign Universal Root Certification Authority)
Install the missing Intermediate Certification Authorities certificates in the physical Intermediate Certification Authorities store. (AddTrust External CA Root, COMODO RSA Code Signing CA, GlobalSign, GlobalSign CodeSigning CA - G3, GlobalSign CodeSigning CA - SHA256 - G3, GlobalSign Root CA, McAfee Code Signing CA 2, McAfee OV SSL CA 2, USERTrust RSA Certification Authority (2028), and Verisign Class 3 Code Signing 2010 CA)

Option 1: Install the certificates using Active Directory group policy
McAfee recommends that you install the certificates using Active Directory group policy for wide deployment. For information about how to deploy registry changes using group policy, see the Microsoft article at: https://technet.microsoft.com/en-us/library/cc753092(v=ws.11).aspx.

Deploy the registry change for the Computer policy, not the User policy. For sample instructions, see: KB92948 - How to determine if a system has an updated root certificate and apply the certificate from Group Policy

Option 2: Install the certificates directly on the system
If you have a single system or only a few systems, you can use one of the following files (.bat file or .reg file) to install the certificates directly on the system. Or, you can install the certificates remotely using any appropriate administrative deployment method.

To install the certificates:

Download the file USERFirst_and_VeriSign_and_Comodo_and_GlobalSign_and_USERTrust.bat.txt in the Attachment section of this article. Rename the file to USERFirst_and_VeriSign_and_Comodo_and_GlobalSign_and_USERTrust.bat and run it.

Or:
Download the file USERFirst_and_VeriSign_and_Comodo_and_GlobalSign_and_USERTrust.reg.txt in the Attachment section of this article. Rename the file to USERFirst_and_VeriSign_and_Comodo_and_GlobalSign_and_USERTrust.reg and import it.

Address the issue that prevents the automatic update of root certificates on the system

Address the issue that prevents the automatic update of root certificates on the system.

Microsoft allows the administration of root certificate stores though several group policy objects and automatic updates. For more information, see https://technet.microsoft.com/en-us/library/cc749331(v=ws.10).aspx. The administration of certificate stores is not within the scope of Technical Support.

Use the following solution only if the group policy prevents the root certificate update:

CAUTION: This article contains information about opening or modifying the registry.

The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
Do not run a REG file that is not confirmed to be a genuine registry import file.

Change the registry value for HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate from 1 to 0:

NOTE: If you are making this change using group policy for wide deployment, the Group Policy Object (GPO) for this setting is at: Computer Configuration, Administrative Templates, System, Internet Communication Management, Internet Communication settings, Turn off Automatic Root Certificates Update. Change Turn off Automatic Root Certificates Update from Enabled to Disabled.
1. Press Windows+R, type regedit, and click OK.
2. Navigate to HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate.
3. Change the value from 1 to 0.
4. Exit the registry editor.
If present, remove the registry key ProtectedRoots, which is at HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots:
1. Press Windows+R, type regedit, and click OK.
2. Navigate to HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root.
3. Right-click ProtectedRoots, click Export, and choose a location in which to save a backup copy.
4. Right-click ProtectedRoots, click Delete, and click Yes when prompted.
5. Exit the registry editor.

Related Information

For more information about Certutil, see: https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx.

NOTE: Content from KB88598 was consolidated into this article and has been unpublished.

Attachment

USERFirst_and_VeriSign_and_Comodo_and_GlobalSign_and_USERTrust.bat.txt
64K • < 1 minute @ broadband

Attachment

USERFirst_and_VeriSign_and_Comodo_and_GlobalSign_and_USERTrust.reg.txt
99K • < 1 minute @ broadband

Knowledge Center

Product install or upgrade issues due to missing root certificates

Environment

Problem

Cause

Solution

Related Information

Attachment

Attachment

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

Product install or upgrade issues due to missing root certificates

Environment

Problem

Cause

Solution

Related Information

Attachment

Attachment

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title