Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Update from Traps to Cortex

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Update from Traps to Cortex

L1 Bithead

Hello everyone,

I'm trying to update the Traps agent 5.0.11 to Cortex 7.4.0 on Windows Server 2008/2008R2.

When I'm installing the new version, in the moment to start the services, the installation go in rollback.

I've tried to install directly the new version.

Unistall Traps,  clean with XDR agent cleaner and install the new version, same problem.

I'm able to install only Traps 5.0.11, with protection disabled, but connected to console.

Have you got some suggestions?

6 REPLIES 6

L3 Networker

Dear PierazzoD

 

Windows 2008 or Windows 2008R2 is not supported by Cortex XDR 7.4 agent. You need to have at least Windows 2008R2 SP1 for XDR Agent 7.4.

 

https://docs.paloaltonetworks.com/compatibility-matrix/cortex-xdr/where-can-i-install-the-cortex-xdr...

 

You can verify compatibility from above link. If you are trying to install Windows 2008R2 SP1, Could you try to install with below command. Msiexec will create install.txt file in C drive and please check that file content for failing reason.

 

msiexec /i Emre_pkg_x64.msi /l*v c:\install.txt

The OS is Windows Server 2008R2 SP1

I've tried also with that command and it failed.

In the zip there is the log file of the installation, it fails to start dependance services.

L3 Networker

Dear PierazzoD

msiexec is throwing 1603. This is generally related with account permissions that you are trying to install but might be other reasons which described in below article. Also you can check service status from windows event logs. You may have more detailed information. 

 

ExecServiceStartCA: Error 0x80070241: StartServiceW failed
ExecServiceStartCA: Error 0x800705b4: Service failed transition to 4 state (current state 1)
ExecServiceStartCA: Error 0x800705b4: StartServiceWait failed
ExecServiceStartCA: Error 0x800705b4: ServiceStartInternal failed
CustomAction ExecServiceStartCA returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 10:11:21: InstallFinalize. Return value 3.

 

MSI (c) (A8:84) [10:11:37:757]: Windows Installer installed the product. Product Name: Cortex XDR 7.6.0.43778. Product Version: 7.6.0.43778. Product Language: 1033. Manufacturer: Palo Alto Networks, Inc.. Installation success or error status: 1603.

 

https://docs.microsoft.com/en-us/troubleshoot/windows-server/application-management/msi-installation...

 

 

L3 Networker

honestly if your up to date on patches for 2008r2 sp1 and are still getting that error I would run the cleaner reboot and then install that version.

I've controlled the permission of the user and seems to me that it has the right privilege.

these are the log i got from event viewer of Windows

log1:

Log Name: System
Source: Service Control Manager
Date: 27.01.2022 12:33:35
Event ID: 7000
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: MyServer.Domain
Description:
The cyvrmtgn service failed to start due to the following error:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7000</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2022-01-27T11:33:35.055852400Z" />
<EventRecordID>1005547</EventRecordID>
<Correlation />
<Execution ProcessID="1056" ThreadID="3788" />
<Channel>System</Channel>
<Computer>ITSPDB01.intranet.salewa.com</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">cyvrmtgn</Data>
<Data Name="param2">%%577</Data>
</EventData>
</Event>

 

Log2:

Log Name: Application
Source: MsiInstaller
Date: 27.01.2022 10:11:37
Event ID: 1033
Task Category: None
Level: Information
Keywords: Classic
User: DomainAdmin
Computer: MyServer.Domain
Description:
Windows Installer installed the product. Product Name: Cortex XDR 7.6.0.43778. Product Version: 7.6.0.43778. Product Language: 1033. Manufacturer: Palo Alto Networks, Inc.. Installation success or error status: 1603.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MsiInstaller" />
<EventID Qualifiers="0">1033</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2022-01-27T09:11:37.000000000Z" />
<EventRecordID>17677055</EventRecordID>
<Channel>Application</Channel>
<Computer>ITSPDB01.intranet.salewa.com</Computer>
<Security UserID="S-1-5-21-861567501-484061587-725345543-500" />
</System>
<EventData>
<Data>Cortex XDR 7.6.0.43778</Data>
<Data>7.6.0.43778</Data>
<Data>1033</Data>
<Data>1603</Data>
<Data>Palo Alto Networks, Inc.</Data>
<Data>(NULL)</Data>
<Data>
</Data>
<Binary>7B46364144333634302D434530432D344539312D413446392D4343313836433530464335337D3030303033656464653732656261356330373032353264656631623930346337623261643030303030393034</Binary>
</EventData>
</Event>

I've tried also with localadmin of server, but i've always the error at the moment to start new services (cyvera).

L3 Networker

Dear PierazzoD

 

"Windows cannot verify the digital signature for this file. " log is clear indication of the problem. You can clean XDR with cleaning tool. For the getting this tool, You need to open a ticket via support portal and then you can try again to install. 

 

Alternative solution, Required certificates are installing to certificate store when you install XDR. so You may try to DDISABLE_INTEGRITY_CHECKS with bcdedit. Try to upgrade and restore to old configs (enable integrity check). Btw, I've never tried this before and thats why I'm gonna recommend open a support request again. 

  • 6917 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!