cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Azure ATP sensor install failing

ppgd2019
Copper Contributor

‎Sep 26 2019 09:23 AM

‎Sep 26 2019 09:23 AM

Azure ATP sensor install failing

I've installed the sensor on 4 DCs, but this fifth one is failing (same domain etc.)

 

During the installation the entry appears briefly in the ATP portal, but it seems the updater service is failing to start and the installation is rolled back. 

 

The DC is running Windows Server 2008 R2 SP1 which is supported.

 

I looked at the logs produced but can't figure out what is causing this. ANy idea how to resolve this?

 

Microsoft.Tri.Sensor.Updater-Errors.log

2019-09-26 16:01:27.9930 Error PerformanceCounterLib System.InvalidOperationException: Category does not exist.
   at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string machine, string category)
   at string[] System.Diagnostics.PerformanceCounterCategory.GetCounterInstances(string categoryName, string machineName)
   at new Microsoft.Tri.Infrastructure.MetricManager(IConfigurationManager configurationManager)
   at object lambda_method(Closure, object[])
   at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
   at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
   at ModuleManager Microsoft.Tri.Sensor.Updater.SensorUpdaterService.CreateModuleManager()
   at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
   at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
   at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

 

Microsoft.Tri.Sensor.Deployment.Deployer_20190926160120.log

2019-09-26 16:02:25.7817 Error ServiceControllerExtension Failed to change service status [name=AATPSensorUpdater status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
   at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
2019-09-26 16:03:26.8468 Error ServiceControllerExtension Failed to change service status [name=AATPSensorUpdater status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
   at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
2019-09-26 16:04:28.0100 Error ServiceControllerExtension Failed to change service status [name=AATPSensorUpdater status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
   at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
2019-09-26 16:05:29.3451 Error ServiceControllerExtension Failed to change service status [name=AATPSensorUpdater status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
   at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
2019-09-26 16:06:30.4882 Error ServiceControllerExtension Failed to change service status [name=AATPSensorUpdater status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
   at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]

2019-09-26 16:06:32.6254 Error ServiceControllerExtension Failed to change service status [name=AATPSensorUpdater status=Stopped Exception=System.InvalidOperationException: Cannot stop AATPSensorUpdater service on computer '.'. ---> System.ComponentModel.Win32Exception: The service has not been started
   --- End of inner exception stack trace ---
   at System.ServiceProcess.ServiceController.Stop()

2019-09-26 16:06:32.9975 Error DeploymentAction Deployer failed
Microsoft.Tri.Infrastructure.ExtendedException: Apply failed [Type=StartServiceAction]
   at void Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(bool suppressFailure)
   at void Microsoft.Tri.Sensor.Common.DeploymentActionGroup.Apply(bool suppressFailure)
   at int Microsoft.Tri.Sensor.Deployment.Deployer.Program.Main(string[] commandLineArguments)

 

Azure Advanced Threat Protection Sensor_20190926170047_000_MsiPackage.log

MSI (s) (0C:54) [17:01:08:912]: Note: 1: 2205 2:  3: Error

2019-09-26 16:06:33.2935 Error DeploymentAction Microsoft.Tri.Infrastructure.ExtendedException: Apply failed [Type=RunDeployerMajorDeploymentAction]
   at Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(Boolean suppressFailure)
   at Microsoft.Tri.Sensor.Common.DeploymentActionGroup.Apply(Boolean suppressFailure)
   at Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.RunActionGroup(DeploymentActionGroup deploymentActionGroup, Session session)

2019-09-26 16:06:33.2965 Debug CustomActions InstallActionGroup finished [result=Failure]
CustomAction InstallCustomAction returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

13.1K Views
0 Likes
8 Replies
Reply
8 Replies
Eli Ofek

‎Sep 26 2019 02:47 PM

‎Sep 26 2019 02:47 PM

Re: Azure ATP sensor install failing

@ppgd2019 

The "Network Interface" performance counter category is missing on this machine.

Use perfmon.exe to verify.  you need to fix it so this category is working (a counters rebuild might be required if it wasn't disabled in the registry).

Once it it fixed, the deployment should work...

 

Eli

0 Likes
Reply
cheapscotsman1320

‎Feb 05 2020 11:03 AM

‎Feb 05 2020 11:03 AM

Re: Azure ATP sensor install failing

@Eli Ofek 

I had the issue the installation would not work on a windows 2019 with teaming and installing the npcap filter first. Had to uninstall the npcap filter, install the ATP sensor and it work but the ATP site would complain about the teaming. Uninstall the ATP sensor, install the npcap filter, then the sensor again.

0 Likes
Reply
Eli Ofek

‎Feb 05 2020 11:06 AM

‎Feb 05 2020 11:06 AM

Re: Azure ATP sensor install failing

Is the issue now resolved?

0 Likes
Reply
Martin Przybysz

‎Apr 08 2020 05:01 PM

‎Apr 08 2020 05:01 PM

Re: Azure ATP sensor install failing

@Eli Ofek 

Hay Eli I got the same issue with Win2019 DC which has npcap installed.

I could install it first time but it was not working so I read about npcap. 

So what I did was:

 

1. Install npcap (Still not working)

2. Unistall ATP Sensor

3. Unistall npcap

4. Install npcap + ATP Sensor (ERROR 1603)

 

Now it does not matter if npcap is installed or not I cannot install anymore ATP Sensor... Restart, Recreation of perfs with: 

Lodctr.exe /R 

C:\Windows\SysWOW64\wbem\winmgmt.exe /RESYNCPERF

C:\Windows\System32\wbem\winmgmt.exe /RESYNCPERF

 

Did not help either.

 

My log:

2020-04-08 23:51:45.6333 Warn InstallActionGroup Revert reverting [rollbackAction=CreateDirectoryDeploymentAction index=2 count=3]
2020-04-08 23:51:45.6333 Debug CreateDirectoryDeploymentAction Revert started
2020-04-08 23:51:45.6333 Debug CreateDirectoryDeploymentAction Revert finished
2020-04-08 23:51:45.6333 Debug InstallActionGroup Revert finished
2020-04-08 23:51:45.6483 Error DeploymentAction Microsoft.Tri.Infrastructure.ExtendedException: Apply failed [Type=RunDeployerMajorDeploymentAction]
at Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(Boolean suppressFailure)
at Microsoft.Tri.Sensor.Common.DeploymentActionGroup.Apply(Boolean suppressFailure)
at Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.RunActionGroup(DeploymentActionGroup deploymentActionGroup, Session session)
2020-04-08 23:51:45.6533 Debug CustomActions RunActionGroup InstallActionGroup finished [result=Failure]
CustomAction InstallCustomAction returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (D8:58) [01:51:47:183]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (D8:58) [01:51:47:183]: Machine policy value 'DisableRollback' is 0
MSI (s) (D8:58) [01:51:47:183]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
Action ended 01:51:47: InstallCustomAction. Return value 3.
MSI (s) (D8:58) [01:51:47:183]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (D8:58) [01:51:47:183]: No System Restore sequence number for this installation.
MSI (s) (D8:58) [01:51:47:183]: Unlocking Server
Action ended 01:51:47: INSTALL. Return value 3.

 

0 Likes
Reply
Martin Przybysz

‎Apr 09 2020 03:14 AM

‎Apr 09 2020 03:14 AM

Re: Azure ATP sensor install failing

@Eli Ofek 

In Addition if I run the install I see following error:

Event Viewer->System->Error 7000:

The NetGroup Packet Filter Driver service failed to start due to the following error:
The system cannot find the file specified.

 

Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
  <EventID Qualifiers="49152">7000</EventID>
  <Version>0</Version>
  <Level>2</Level>
  <Task>0</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8080000000000000</Keywords>
  <TimeCreated SystemTime="2020-04-09T10:10:15.328188100Z" />
  <EventRecordID>815478</EventRecordID>
  <Correlation />
  <Execution ProcessID="608" ThreadID="3748" />
  <Channel>System</Channel>
  <Computer>*******</Computer>
  <Security />
  </System>
- <EventData>
  <Data Name="param1">NetGroup Packet Filter Driver</Data>
  <Data Name="param2">%%2</Data>
  <Binary>6E00700066000000</Binary>
  </EventData>
  </Event>
0 Likes
Reply
Martin Przybysz

‎Apr 09 2020 03:16 AM - edited ‎Apr 09 2020 03:20 AM

‎Apr 09 2020 03:16 AM - edited ‎Apr 09 2020 03:20 AM

Re: Azure ATP sensor install failing

Alright it turns out that the issue was with the npcap 0.9990 it was not possible with the tool to work. I unistalled and installed the old WINPcap 4.1.3 (4.1.0.2980). Afterwards the Sensor was able to install.

 

@Eli Ofek 

 

Actions I did previously:

 

-Repair Windows update as I got same error like in installer

-Repair .NET

-Install .NET 4.8

-Unistall and Install npcap several times

-run updates

0 Likes
Reply
Eli Ofek

‎Apr 09 2020 01:38 PM

‎Apr 09 2020 01:38 PM

Re: Azure ATP sensor install failing

We currently only support npcap <=0.9984.
We can support newer versions with a workaround if needed, but the deployment won't work OOTB with the newer ones just yet.

A fix for that is ready but is not released as the service is under freeze during this period.

1 Like
Reply
PiotrWegiel

‎Jan 16 2024 11:28 AM

‎Jan 16 2024 11:28 AM

Re: Azure ATP sensor install failing

In my case adding .net registry keys, silent install and restart helped with the issue.

0 Likes
Reply