Unable to install Endpoint Security on windows server

Hello,
I'm trying to deploy a Fleet policy that installs Endpoint Security on a Windows server, but the agent keeps being unhealthy because of the Endpoint Security install failure.
I tried to execute .\endpoint-security.exe install --resources endpoint-security-resources.zip --log stdout --log-level trace to troubleshoot and got this:

2022-03-14 16:45:50: info: Internal.cpp:371 Writing installation file C:\Program Files\Elastic\Endpoint\cache\resources\elastic-endpoint-security.png
2022-03-14 16:45:50: info: Internal.cpp:371 Writing installation file C:\Program Files\Elastic\Endpoint\LICENSE.txt
2022-03-14 16:45:50: info: Internal.cpp:371 Writing installation file C:\Program Files\Elastic\Endpoint\NOTICE.txt
2022-03-14 16:45:50: debug: Util.cpp:999 Creating service to start "C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe" run
2022-03-14 16:45:50: info: Util.cpp:484 Endpoint restart settings [ElasticEndpoint] count=15 delay=15 reset=600
2022-03-14 16:45:50: debug: Service.cpp:816 PPL is supported. This process is unprotected. (TrustLevelSid: absent)
2022-03-14 16:45:50: trace: RegistryLib.cpp:269 Function returned error status (Failed to get registry value size)
2022-03-14 16:45:50: trace: RegistryLib.cpp:566 Function returned error status (Failed to get registry value size)
2022-03-14 16:45:50: trace: RegistryLib.cpp:592 Function returned error status (Failed to get registry value size)
2022-03-14 16:45:50: trace: Util.cpp:882 Function returned error status (Failed to get registry value size)
2022-03-14 16:45:50: trace: Util.cpp:937 Function returned error status (Failed to get registry value size)
2022-03-14 16:45:50: trace: Util.cpp:1025 Function returned error status (Failed to get registry value size)
2022-03-14 16:45:50: trace: InstallLib.cpp:202 Function returned error status (Failed to get registry value size)
2022-03-14 16:45:50: debug: File.cpp:479 Removing [C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml]
2022-03-14 16:45:50: debug: File.cpp:479 Removing [C:\Windows\System32\Drivers\elastic-endpoint-driver.sys]
2022-03-14 16:45:50: debug: File.cpp:479 Removing [C:\Windows\System32\Drivers\ElasticElam.sys]
2022-03-14 16:45:50: debug: File.cpp:479 Removing [C:\Program Files\Elastic\Endpoint\SecurityProductInformation.ini]
2022-03-14 16:45:50: debug: File.cpp:479 Removing [C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe]
2022-03-14 16:45:50: debug: File.cpp:479 Removing [C:\Program Files\Elastic\Endpoint\cache\artifacts\global-artifacts\endpointpe-v4-model]
2022-03-14 16:45:50: debug: File.cpp:479 Removing [C:\Program Files\Elastic\Endpoint\cache\artifacts\global-artifacts\endpointpe-v4-exceptionlist]
2022-03-14 16:45:50: debug: File.cpp:479 Removing [C:\Program Files\Elastic\Endpoint\cache\artifacts\global-artifacts\endpointpe-v4-blocklist]
2022-03-14 16:45:50: deb

Any path to follow?
Thank you

Hello again,
This is the error I find in my Elastic Agent logs:

{"log.level":"error","@timestamp":"2022-03-23T10:51:17.854Z","log.origin":
{"file.name":"fleet/fleet_gateway.go","file.line":180},"message":"failed to dispatch actions, error: 
operator: failed to execute step sc-run, error: open C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-4bcd95\\install\\endpoint-security-7.16.0-windows-x86_64\\endpoint-security.exe: Access refused.:
open C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-4bcd95\\install\\endpoint-security-7.16.0-windows-x86_64\\endpoint-security.exe: Access refused.","ecs.version":"1.6.0"}

The logs from the Fleet Agent logs in Kibana:

[elastic_agent][error] failed to dispatch actions,
 error: operator: failed to execute step sc-run,
 error: rename C:\Program Files\Elastic\Agent\data\elastic-agent-4bcd95\install\endpoint-security-7.16.0-windows-x86_64 C:\Program Files\Elastic\Agent\data\elastic-agent-4bcd95\install\tmp2799632472\endpoint-security-7.16.0-windows-x86_64: Access is denied.:
rename C:\Program Files\Elastic\Agent\data\elastic-agent-4bcd95\install\endpoint-security-7.16.0-windows-x86_64 C:\Program Files\Elastic\Agent\data\elastic-agent-4bcd95\install\tmp2799632472\endpoint-security-7.16.0-windows-x86_64: Access is denied.

I faced the same issue

Hi,
After troubleshooting using Process Monitor I was able to resolve this issue by defining a registry key value, EarlyLaunch//BackupPath, as you may see in the picture uploaded below.

How would you classify this issue: is it a bug in Elastic Endpoint Security, or is it me missing something?

Thank you very much.
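The trace above shows the installer failing with "Failed to get registry value size" right before it rolls back and removes ElasticElam.sys, and the resolution post names the EarlyLaunch\BackupPath registry value. The following PowerShell script is an added example written for this thread, not code from Elastic or from the original poster. It checks whether that value is present and readable, and only creates it when you explicitly pass -Remediate (with -WhatIf support so you can preview the change). It assumes, based on Microsoft's ELAM documentation rather than on anything stated in the thread, that the full key path is HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch and that the conventional backup folder is %SystemRoot%\ELAMBKUP; adjust both parameters if your environment differs.

```powershell
<#
  Check-ElamBackupPath.ps1 (added example, not from the thread)
  Verifies the ELAM driver backup-path registry value that an ELAM-enabled
  installer reads before copying its .sys into the backup folder.
  Assumptions (not stated in the thread):
    - Key path  : HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch
    - Value name: BackupPath (REG_SZ)
    - Default   : %SystemRoot%\ELAMBKUP
  Run from an elevated PowerShell session.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$KeyPath           = 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch',
    [string]$ValueName         = 'BackupPath',
    [string]$DefaultBackupPath = (Join-Path $env:SystemRoot 'ELAMBKUP'),
    [switch]$Remediate
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-ElamBackupPathState {
    # Returns a small status object instead of printing, so callers can branch on it.
    $state = [pscustomobject]@{
        KeyExists    = $false
        ValueExists  = $false
        Value        = $null
        FolderExists = $false
    }
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $state }
    $state.KeyExists = $true

    # Get-ItemProperty with -Name throws when the value is absent; that is the
    # same condition the installer trace reports as a registry read failure.
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.PSObject.Properties[$ValueName]) {
        $state.ValueExists  = $true
        $state.Value        = [Environment]::ExpandEnvironmentVariables($item.$ValueName)
        $state.FolderExists = Test-Path -LiteralPath $state.Value -PathType Container
    }
    return $state
}

function Set-ElamBackupPath {
    # Creates the key/value and the backup folder; honours -WhatIf / -Confirm.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set to '$DefaultBackupPath'")) {
        New-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
            -Value $DefaultBackupPath -PropertyType String -Force | Out-Null
    }
    if (-not (Test-Path -LiteralPath $DefaultBackupPath)) {
        if ($PSCmdlet.ShouldProcess($DefaultBackupPath, 'Create backup folder')) {
            New-Item -Path $DefaultBackupPath -ItemType Directory -Force | Out-Null
        }
    }
}

$before = Get-ElamBackupPathState
Write-Host ("Key exists    : {0}" -f $before.KeyExists)
Write-Host ("Value exists  : {0}" -f $before.ValueExists)
Write-Host ("Value         : {0}" -f ($before.Value ?? '<absent>'))
Write-Host ("Folder exists : {0}" -f $before.FolderExists)

if ($before.ValueExists -and $before.FolderExists) {
    Write-Host 'ELAM backup path looks healthy; look elsewhere for the install failure.'
    return
}

if (-not $Remediate) {
    Write-Warning "BackupPath is missing or points to a missing folder. Re-run with -Remediate (add -WhatIf to preview)."
    return
}

Set-ElamBackupPath
$after = Get-ElamBackupPathState
Write-Host ("After remediation -> value: {0}, folder exists: {1}" -f $after.Value, $after.FolderExists)
```

Run it once without switches to see the current state; if BackupPath is absent, run it again with -Remediate -WhatIf to preview and then -Remediate to apply, and retry the endpoint-security.exe install with --log-level trace to confirm the RegistryLib errors no longer appear. The `??` null-coalescing operator requires PowerShell 7; on Windows PowerShell 5.1 replace that line with an explicit if/else.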
