Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Unable to install azure ATP sensor on DCs. Could not load file or assembly 'Ben.Demystifier, V

Copper Contributor

[08A4:25DC][2020-02-15T14:32:46]i001: Burn v3.11.0.1701, Windows v10.0 (Build 14393: Service Pack 0), path: C:\Users\AAWESH~2\AppData\Local\Temp\{4DF4837A-FAC5-45E1-8CF7-65C865EC14F1}\.cr\Azure ATP Sensor Setup.exe
[08A4:25DC][2020-02-15T14:32:46]i000: Initializing hidden variable 'AccessKey'
[08A4:25DC][2020-02-15T14:32:46]i000: Initializing hidden variable 'ProxyConfiguration'
[08A4:25DC][2020-02-15T14:32:46]i000: Initializing hidden variable 'ProxyUserPassword'
[08A4:25DC][2020-02-15T14:32:46]i000: Initializing string variable 'NetFrameworkCommandLineArguments' to value '/passive /showrmui'
[08A4:25DC][2020-02-15T14:32:46]i009: Command Line: '"-burn.clean.room=C:\Windows\ccmcache\10\Azure ATP Sensor Setup.exe" -burn.filehandle.attached=544 -burn.filehandle.self=632'
[08A4:25DC][2020-02-15T14:32:46]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Windows\ccmcache\10\Azure ATP Sensor Setup.exe'
[08A4:25DC][2020-02-15T14:32:46]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Windows\ccmcache\10\'
[08A4:25DC][2020-02-15T14:32:46]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\AAWESH~2\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20200215143246.log'
[08A4:25DC][2020-02-15T14:32:46]i000: Setting string variable 'WixBundleName' to value 'Azure Advanced Threat Protection Sensor'
[08A4:25DC][2020-02-15T14:32:46]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'
[08A4:25DC][2020-02-15T14:32:47]i000: Loading managed bootstrapper application.
[08A4:25DC][2020-02-15T14:32:47]i000: Creating BA thread to run asynchronously.
[08A4:25DC][2020-02-15T14:32:47]i100: Detect begin, 5 packages
[08A4:25DC][2020-02-15T14:32:47]i000: 2020-02-15 09:02:47.4352 Debug DeploymentModel DetectDeploymentAction DetectBegin [\[]Installed=False[\]]
[08A4:25DC][2020-02-15T14:32:47]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.1.1.2'
[08A4:25DC][2020-02-15T14:32:47]i000: Setting numeric variable 'Kb4019990Windows2008R2Exists' to value 0
[08A4:25DC][2020-02-15T14:32:47]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.2.1.1'
[08A4:25DC][2020-02-15T14:32:47]i000: Setting numeric variable 'Kb4019990Windows2012Exists' to value 0
[08A4:25DC][2020-02-15T14:32:47]i000: Setting string variable 'NetFrameworkRegistryValue' to value '528049'
[08A4:25DC][2020-02-15T14:32:47]i000: Setting string variable 'ServerLevelsServerCoreRegistryValue' to value '1'
[08A4:25DC][2020-02-15T14:32:47]i000: Setting string variable 'ServerLevelsServerGuiShellRegistryValue' to value '1'
[08A4:25DC][2020-02-15T14:32:47]i052: Condition 'Kb4019990Windows2008R2Exists' evaluates to false.
[08A4:25DC][2020-02-15T14:32:47]i052: Condition 'Kb4019990Windows2012Exists' evaluates to false.
[08A4:25DC][2020-02-15T14:32:47]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
[08A4:25DC][2020-02-15T14:32:47]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
[08A4:25DC][2020-02-15T14:32:47]i101: Detected package: Kb4019990Windows2008R2Package, state: Absent, cached: None
[08A4:25DC][2020-02-15T14:32:47]i101: Detected package: Kb4019990Windows2012Package, state: Absent, cached: None
[08A4:25DC][2020-02-15T14:32:47]i101: Detected package: NetFrameworkPackageServer, state: Present, cached: None
[08A4:25DC][2020-02-15T14:32:47]i101: Detected package: NetFrameworkPackageServerCore, state: Present, cached: None
[08A4:25DC][2020-02-15T14:32:47]i101: Detected package: MsiPackage, state: Absent, cached: None
[08A4:25DC][2020-02-15T14:32:47]i199: Detect complete, result: 0x0
[08A4:3284][2020-02-15T14:32:47]i000: 2020-02-15 09:02:47.4508 Debug DeploymentModel .ctor [\[]DeploymentAction=Install[\]]
[08A4:3284][2020-02-15T14:32:47]i000: 2020-02-15 09:02:47.5289 Debug DeploymentModel .ctor [\[]IsAfterRestartAndConfigured=False[\]]
[08A4:3284][2020-02-15T14:33:11]i000: 2020-02-15 09:03:11.8095 Error DeploymentModel ValidateCreateSensorAsync System.IO.FileNotFoundException: Could not load file or assembly 'Ben.Demystifier, Version=0.1.0.0, Culture=neutral, PublicKeyToken=a6d206e05440431a' or one of its dependencies. The system cannot find the file specified.
File name: 'Ben.Demystifier, Version=0.1.0.0, Culture=neutral, PublicKeyToken=a6d206e05440431a'
at Microsoft.Tri.Infrastructure.SanitizationExtension.Sanitize(Exception exception)
at Microsoft.Tri.Common.CommunicationWebClient.<SendWithRetryAsync>d__9`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Tri.Common.CommunicationWebClient.<SendAsync>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Tri.Sensor.Common.WorkspaceApplicationSensorApiDeploymentProxy.<SendAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Tri.Sensor.Deployment.Bundle.UI.DeploymentModel.<ValidateCreateSensorAsync>d__52.MoveNext()

WRN: Assembly binding logging is turned OFF.
To enable assembly bind failure logging, set the registry value [\[]HKLM\Software\Microsoft\Fusion!EnableLog[\]] (DWORD) to 1.
Note: There is some performance penalty associated with assembly bind failure logging.
To turn this feature off, remove the registry value [\[]HKLM\Software\Microsoft\Fusion!EnableLog[\]].
failed connecting to service. The issue can be caused by a transparent proxy configuration [\[]WorkspaceApplicationSensorApiEndpoint=Unspecified/amdocssensorapi.atp.azure.com:443[\]]
[08A4:3284][2020-02-15T14:33:11]i000: 2020-02-15 09:03:11.8105 Info Model ValidateAsync ValidateCreateSensorAsync returned [\[]validateCreateSensorResult=FailedConnectivity[\]]
[08A4:3284][2020-02-15T14:33:53]i000: 2020-02-15 09:03:53.4862 Debug SensorBootstrapperApplication Run Engine.Quit [\[]deploymentResultStatus=1602 isRestartRequired=False[\]]
[08A4:25DC][2020-02-15T14:33:53]i500: Shutting down, exit code: 0x642
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: Kb4019990Windows2008R2Exists = 0
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: Kb4019990Windows2012Exists = 0
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: NetFrameworkCommandLineArguments = /passive /showrmui
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: NetFrameworkRegistryValue = 528049
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: RebootPending = 0
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: ServerLevelsServerCoreRegistryValue = 1
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: ServerLevelsServerGuiShellRegistryValue = 1
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleAction = 5
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleElevated = 1
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleLog = C:\Users\AAWESH~2\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20200215143246.log
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleManufacturer = Microsoft Corporation
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleName = Azure Advanced Threat Protection Sensor
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleOriginalSource = C:\Windows\ccmcache\10\Azure ATP Sensor Setup.exe
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleOriginalSourceFolder = C:\Windows\ccmcache\10\
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleProviderKey = {ae513c9a-d60f-4ba4-9bd2-6d5ccae1c9d3}
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleSourceProcessFolder = C:\Windows\ccmcache\10\
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleSourceProcessPath = C:\Windows\ccmcache\10\Azure ATP Sensor Setup.exe
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleTag =
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleUILevel = 4
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleVersion = 2.0.0.0
[08A4:25DC][2020-02-15T14:33:53]i007: Exit code: 0x642, restarting: No

6 Replies

The error show a missing file error due to a bug (that will be fixed in 2.109 during next week).

The root cause of the issue is that the deployment is trying to contact the  AATP  endpoint in azure and fails. are you using a proxy?

thanks for responding so quickly.
Yes, we are using proxy.
However, it works for some DCs n not for others.
I tried running those commands. Not sure which account to use here. The service is running on local servcie n i am not sure what user n password its taking.

Also, the registry entry for default connection settings is present for the current user.

@Amin7RDR , if you are going with the registry path, make sure to do it both for local service and local system.

 

If you are using the silent installation parameters, you don't need to tweak the registry.

The credentials parameters are for the proxy in case it needs authentication, if the proxy does not require authentication, you can just supply the proxy url.

thanks a lot for the info.
proxy doesn't require authentication as far as i know.
i am trying the silent installation via powershell.