McAfee product installation or upgrade fails, or fields do not populate, because of missing root certificates
Technical Articles ID:   KB87096
Last Modified:  1/23/2019


Environment

McAfee Active Response (MAR) 1.x
McAfee Agent (MA) 5.x
McAfee Data Exchange Layer (DXL) 2.x
McAfee Data Loss Prevention Endpoint (DLP Endpoint) 9.x
McAfee Endpoint Intelligence Agent (EIA) 2.x
McAfee Endpoint Security (ENS) Firewall 10.x
McAfee ENS Platform (Common) 10.x
McAfee ENS Threat Prevention 10.x
McAfee ENS Web Control 10.x
McAfee Host Intrusion Prevention (Host IPS) 8.0
McAfee Threat Intelligence Exchange Module (TIEm) for VirusScan Enterprise 1.x
McAfee VirusScan Enterprise (VSE) 8.8 Patch 7 and later

Problem

An installation or upgrade fails for any of the products listed in the Environment field of this article.

The failure can occur when installing or upgrading the basic ENS platform, which can also impact the installation or upgrade of any ENS platform modules.

The following errors are logged:
 
VirusScan Enterprise VSEInst_xxxxxx_xxxxxx.log:
 
!> Error - SysCore install failed: 255
<= leave custom action Install_SysCore()
CustomAction Install_SysCore returned actual error code 1603 (note this might not be 100% accurate if translation happened inside sandbox)
Fin de la acción 12:28:11: InstallExecute. Return value 3.
MSI (s) (98:70) [12:28:11:908]: Note: 1: 2265 2:  3: -2147287035

Or:
 
>> Installing SysCore: "C:\Program Files (x86)\McAfee\VirusScan Enterprise\VSCore\x64\mfehidin.exe" -i VSE88P9 -q -mfetrust_killbit -oastrust_off -l "C:\Users\asmith\AppData\Local\Temp\McAfeeLogs\vse8.8.0.core_install_060517_163652.log" -etl "C:\Users\asmith\AppData\Local\Temp\McAfeeLogs\vse8.8.0.core_install_060517_163652.etl" -x vse.xml OAS ELAM AAC DiskFilter firecore_driver EmailScan ScriptScan
!> Error - SysCore install failed: 255
<= leave custom action Install_SysCore()
CustomAction Install_SysCore returned actual error code 1603 (note this might not be 100% accurate if translation happened inside sandbox)
Action ended 16:37:58: InstallExecute. Return value 3.
 
VirusScan Enterprise vse8.8.0.core_install_xxxxxx_xxxxxx.log:
 
parseCertificate: CertAddSerializedElementToStore failed 80070005

Or:
 
[16:36:53:578] - StartStopMFeServices: stopping
[16:36:53:578] - StartStopAllMMSServices: start=false
[16:36:53:594] - StartStopAllMMSServices: ERROR! MmsControlCreate failed with -2146869243
[16:36:53:594] - StartStopAllMMSServices: exit=0

Or:
 
[11:04:49:893] - ERROR! Signature check failed
[11:04:49:893] - ValidateDocument: return=0
[11:04:49:893] - ERROR! While validating document
[11:04:49:893] - StartHIP: policy disable 0 service stopped 0
[11:04:49:893] - Returning 4294967295
 
(ENS) McAfee_Common_VScore_Install_date/time.log:
 
AAC is not installed. Err=-2146869243
ERROR! Failed to create AAC Control. Err=-2146869243
StartStopAllMMSServices: ERROR! MmsControlCreate failed with -2146869243
 
(ENS) McAfee_MfeEpAac_date/time.log:
 
VerifyParentEntryPointIsMcAfeeSigned: VerifyProcess PID[2340] LastErr 0x80096005 The time stamp signature or certificate could not be verified or is malformed.
LastErr 0x80096005 The time stamp signature or certificate could not be verified or is malformed.
 
(ENS) McAfee_Common_Bootstrapper_date/time.log:
 
Running application to gain installer exclusion failed : 2148098053
Gain installer exclusion through mfeEpAAC MFEPROTECT failed
Trying to gain installer exclusion now by mfeEpAAC protected with MFEINSTALL
Extracting MfeEpAac.exe : C:\Windows\TEMP\MfeEpAac.exe
Extraction successful
This is a 64-bit system
"C:\Windows\TEMP\MfeEpAac.exe" -add -rootlocation "C:\Program Files\McAfee\Endpoint Security" -rootlocation "C:\Program Files (x86)\McAfee\Endpoint Security" -folder "C:\ProgramData\McAfee\Endpoint Security"
PROCESS return code : 3221225506
Running application to gain installer exclusion failed : 3221225506
 
NOTE: Error codes 0x80096005 and -2146869243 translate to: TRUST_E_TIME_STAMP - The time stamp signature or certificate could not be verified or is malformed. This is caused by the failure to validate certificate information.
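
The logs above write the same failure as hex (0x80096005), signed decimal (-2146869243) and unsigned decimal (2148098053). The following PowerShell is an added example, not part of the McAfee article or its attachments, that normalizes those spellings to one 32-bit hex value when triaging install logs. The function names and the lookup table are assumptions made for illustration; only TRUST_E_TIME_STAMP is named in this article, and the other three names are standard Windows codes.

```powershell
# Added example, not McAfee code. Sample lines are copied from the log excerpts in this article.
$CodeNames = @{
    '0x80096005' = 'TRUST_E_TIME_STAMP'     # named in this article
    '0x800B010A' = 'CERT_E_CHAINING'        # standard Windows code, not named in the article
    '0x80070005' = 'E_ACCESSDENIED'         # standard Windows code
    '0xC0000022' = 'STATUS_ACCESS_DENIED'   # standard NTSTATUS value
}

function ConvertTo-CodeHex {
    # Accepts 0x-prefixed hex, bare 8-digit hex, and signed or unsigned decimal.
    param([Parameter(Mandatory)][string]$Token)
    [int64]$n = 0
    if ($Token -match '^0x([0-9a-f]{8})$') {
        $n = [Convert]::ToInt64($Matches[1], 16)
    } elseif ($Token -match '^[89a-f][0-9a-f]{7}$') {
        $n = [Convert]::ToInt64($Token, 16)   # heuristic: 8 digits with the high bit set, read as hex
    } elseif ($Token -match '^-?\d{1,10}$') {
        $n = [int64]$Token
        if ($n -lt 0) { $n += 4294967296 }    # signed 32-bit to unsigned 32-bit
    } else { return $null }
    if ($n -lt 2147483648 -or $n -gt 4294967295) { return $null }   # keep failure codes only
    '0x{0:X8}' -f $n
}

function Get-LogErrorCode {
    param([Parameter(Mandatory)][string[]]$Line)
    $pattern = '(?<![\w.])(-?\d{8,10}|0x[0-9a-f]{8}|[89a-f][0-9a-f]{7})(?![\w.])'
    foreach ($l in $Line) {
        foreach ($m in [regex]::Matches($l, $pattern, 'IgnoreCase')) {
            $hex = ConvertTo-CodeHex -Token $m.Value
            if (-not $hex) { continue }
            $name = $CodeNames[$hex]
            if (-not $name) { $name = '(not in table)' }
            [pscustomobject]@{ Code = $hex; Name = $name; Seen = $m.Value }
        }
    }
}

$sample = @(
    'parseCertificate: CertAddSerializedElementToStore failed 80070005'
    'StartStopAllMMSServices: ERROR! MmsControlCreate failed with -2146869243'
    'LastErr 0x80096005 The time stamp signature or certificate could not be verified or is malformed.'
    'Running application to gain installer exclusion failed : 2148098053'
    '[10:06:22:452] - ERROR! Failed to create AAC Control. Err=-2146762486'
    'PROCESS return code : 3221225506'
)
Get-LogErrorCode -Line $sample | Format-Table -AutoSize
```

To triage a real log, pass its lines with Get-Content, for example a file under C:\Windows\Temp\McAfeeLogs.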

Problem

The VSE 8.8 Patch 7 upgrade fails to install and the rollback mechanism also fails. This leaves a corrupt installation of VSE on the system with the McAfee Validation Trust Protection Service in a stopped state and the VSE OnAccessScanner service disabled.

The VSE installation logs located in C:\Windows\Temp\McAfeeLogs contain text similar to the following:

VSE88_Patch7_xxxxxx_xxxxxx.log:
 
>> Installing SysCore: "C:\Program Files (x86)\McAfee\VirusScan Enterprise\VSCore\x64\mfehidin.exe" -i VSE88P7 -q -mfetrust_killbit -l "C:\Windows\TEMP\McAfeeLogs\vse8.8.0.core_install_041416_090556.log" -etl "C:\Windows\TEMP\McAfeeLogs\vse8.8.0.core_install_041416_090556.etl" -x vse.xml OAS ELAM AAC DiskFilter firecore_driver EmailScan ScriptScan
!> Error - SysCore install failed: 255
<= leave custom action  Install_SysCore_Patch()
CustomAction Install_SysCore_Patch returned actual error code 1603 (note that this might not be 100% accurate if translation happened inside sandbox)
MSI (s) (DC:14) [09:06:35:968]: User policy value 'DisableRollback' is 0
MSI (s) (DC:14) [09:06:35:968]: Machine policy value 'DisableRollback' is 0
 
vse8.8.0.core_install_xxxxxx_xxxxxx.log:
 
[10:06:12:062] - GetAccessAndDeleteFile: FileDelete(C:\Program Files (x86)\Common Files\McAfee\SystemCore\mcvssnmp.dll) failed with error 5
[10:06:12:062] - GetAccessAndDeleteFile: FileDelete(C:\Program Files (x86)\Common Files\McAfee\SystemCore\mcvssnmp.dll.a5a7.deleteme) failed with error 2

[10:06:20:859] - Install error: un-winding install

[10:06:22:452] - ERROR! Failed to create AAC Control. Err=-2146762486

[10:06:22:500] - Returning 4294967295

Problem

The VSE 8.8 Patch 7 and later management extension upgrade fails with the following message in Orion.log (\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\Conf\Orion):
 
BUILD FAILED
D:\PROGRA~1\McAfee\EPOLIC~1\server\extensions\installed\VIRUSCAN8800\8.8.0.448\install.xml:78: com.mcafee.orion.core.cmd.CommandException: APPolicyMigrateCommand : Failed to create AP config
 
This issue is caused by a certificate validation error when creating the APConfig object. The product was not able to validate the involved DLL certificates, so it cannot create the APConfig object to update the policy.

Problem

The fields for Categories and Rules contain no data in VSE Access Protection policies after upgrading to the VSE 8.8 Patch 7 extensions (Management Extension 8.8.0.448).

Problem

The fields for Rules contain no data in the VSE Access Protection policies after upgrading to the VSE 8.8 Patch 9 extensions (Management Extension 8.8.0.548).

Cause

One or more of the following certificates is missing:
  • Root certificates
    • UTN-USERFirst-Object
    • Verisign Universal Root Certification Authority
    • Verisign Class 3 Public Primary Certification Authority - G5
Or:
  • Intermediate Certification Authorities certificates:
    • COMODO RSA Code Signing CA
    • Verisign Class 3 Code Signing 2010 CA
The latest McAfee binaries have been signed with updated SHA-1 and SHA-256 certificates. These root certificates are required to validate the digital signatures. These certificates are distributed by Microsoft.

The reasons for the missing root certificates include, but are not limited to:
  • The certificate was removed from the system by an administrator.
  • The system does not have Internet connectivity, which is needed to perform a Root AutoUpdate (automatic root update).
  • The group policy in effect prevents the root certificate update:
    • The registry value HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate is set to 1.
    • The registry key HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots exists.
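
The conditions listed under Cause can be checked on an endpoint before retrying the installation. The following PowerShell is an added example, not part of the McAfee article or its attachments. It reports whether each named certificate is present in the local machine stores and shows the two policy settings named above. The function names are assumptions, and certificates are matched by subject common name only because the article lists no thumbprints.

```powershell
# Added example, not McAfee code. Certificate names and registry paths come from this article.
# Matching is by subject CN only; the article gives no thumbprints to compare against.
$RootStores = 'Root', 'AuthRoot'   # Trusted Root and Third-Party Root stores (LocalMachine)
$Required = [ordered]@{
    'UTN-USERFirst-Object'                                         = $RootStores
    'Verisign Universal Root Certification Authority'              = $RootStores
    'Verisign Class 3 Public Primary Certification Authority - G5' = $RootStores
    'COMODO RSA Code Signing CA'                                   = @('CA')   # Intermediate CAs
    'Verisign Class 3 Code Signing 2010 CA'                        = @('CA')
}

function Get-RequiredCertStatus {
    foreach ($name in $Required.Keys) {
        $cn = '(^|, )CN=' + [regex]::Escape($name) + '(,|$)'
        $hits = foreach ($store in $Required[$name]) {
            Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
                Where-Object { $_.Subject -match $cn } |
                ForEach-Object { "$store (expires $($_.NotAfter.ToString('yyyy-MM-dd')))" }
        }
        [pscustomobject]@{
            Certificate = $name
            Present     = [bool]$hits
            FoundIn     = ($hits | Select-Object -Unique) -join '; '
        }
    }
}

function Get-RootUpdatePolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates'
    $prop = Get-ItemProperty -Path "$base\AuthRoot" -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # 1 means the policy blocks Root AutoUpdate
        DisableRootAutoUpdate = if ($prop) { $prop.DisableRootAutoUpdate } else { '(not set)' }
        # True means the ProtectedRoots policy key exists
        ProtectedRootsKey     = Test-Path -Path "$base\Root\ProtectedRoots"
    }
}

Get-RequiredCertStatus | Format-Table -AutoSize
Get-RootUpdatePolicy | Format-List
```

A name match confirms only that a certificate with that subject is installed; compare its thumbprint against a trusted source before relying on it.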

Solution

Import the required root certificates needed to validate the digital signatures.
 
Install the missing UTN-USERFirst-Object, Verisign Universal Root Certification Authority, and Verisign Class 3 Public Primary Certification Authority - G5 certificates in the physical Third-Party Trusted Root Certification Authorities store.

Install the missing COMODO RSA Code Signing CA and Verisign Class 3 Code Signing 2010 CA certificates in the physical Intermediate Certification Authorities store.

After installing the certificates, the product installs or upgrades successfully.

McAfee recommends that you install the certificates using Active Directory group policy for wide deployment. For information about how to deploy registry changes using group policy, see the Microsoft article at: https://technet.microsoft.com/en-us/library/cc753092(v=ws.11).aspx.

Deploy the registry change for the Computer policy, not the User policy. Instead of using a Certificate group policy object, which puts the certificate in the wrong certificate store, use a Registry group policy to make the change directly to endpoint registries, which puts the certificate in the correct store.

Or, use one of the following methods to install the certificate directly on the system, or remotely using any appropriate administrative deployment method:
  • To install the Verisign Class 3 Public Primary Certification Authority - G5, UTN-USERFirst-Object, Verisign Universal Root Certification Authority, COMODO RSA Code Signing CA, and Verisign Class 3 Code Signing 2010 CA certificates:
     
    • Download the file USERFirst_and_VeriSign_and_Comodo.bat.txt in the Attachment section of this article. Rename the file to USERFirst_and_VeriSign.bat and run it.
       
    • Download the file USERFirst_and_VeriSign_and_Comodo.reg.txt in the Attachment section of this article. Rename the file to USERFirst_and_VeriSign.reg and import it.

Or, if you have a single system or only a few systems, to install only the Verisign Class 3 Public Primary Certification Authority - G5 certificate to remediate manually:
  1. Contact Verisign customer support to obtain the missing certificate:
    https://www.verisign.com/en_US/support-services/index.xhtml

  2. Copy the contents of the certificate shown in the box (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines).
  3. Paste the copied contents into a plain text editor such as Notepad.
  4. Save the file with a .cer extension (for example, C:\Temp\VeriSign.cer).
  5. Open an elevated Command Prompt (right-click Command Prompt and select Run as administrator).
  6. Run the following command:

    certutil -addstore root C:\Temp\VeriSign.cer

Solution

Address the issue preventing the automatic update of root certificates on the system.

Microsoft allows the administration of root certificate stores through various group policy objects and automatic updates. For more information, see https://technet.microsoft.com/en-us/library/cc749331(v=ws.10).aspx. The administration of certificate stores is not within the scope of Technical Support.

Use the following solution only if the group policy in effect is preventing the root certificate update:

CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a REG file that is not confirmed to be a genuine registry import file.
  1. Change the registry value for HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate from 1 to 0:

    NOTE: If you are making this change using group policy for wide deployment, the Group Policy Object (GPO) for this setting is located at: Computer Configuration, Administrative Templates, System, Internet Communication Management, Internet Communication settings, Turn off Automatic Root Certificates Update.
    Change Turn off Automatic Root Certificates Update from Enabled to Disabled.
     
    1. Press Windows+R, type regedit, and click OK.
    2. Navigate to HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate.
    3. Change the value from 1 to 0.
    4. Exit the registry editor.
     
  2. If present, remove the registry key ProtectedRoots, which is located at HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots:
    1. Press Windows+R, type regedit, and click OK.
    2. Navigate to HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root.
    3. Right-click ProtectedRoots, select Export, and choose a location in which to save a backup copy.
    4. Right-click ProtectedRoots, select Delete, and click Yes when prompted.
    5. Exit the registry editor.

Attachment

USERFirst_and_VeriSign_and_Comodo.bat.txt


Attachment

USERFirst_and_VeriSign_and_Comodo.reg.txt