Unable to deploy Cylance PROTECT and OPTICS | Execution failed with exit code 0x643(1603)

Cylance Optics is an EDR (Endpoint Detection and Response) solution that complements Cylance Protect, an advanced endpoint protection solution that uses AI and ML to prevent, detect, and respond to threats on endpoints. Optics adds advanced threat detection, forensic data collection, and threat hunting capabilities through its cloud-based analytics back end and endpoint sensors. It aims to enhance visibility and response capabilities against various types of threats and malicious activity on endpoints.

Came across a few endpoints where Cylance PROTECT and OPTICS v 3.2.1299.0 failed to deploy on a Win 10 22H2 device. There was a Cylance Agent running on the device prior to packaged deployment of the new version.

[Installation] :: [C:\WINDOWS\System32\msiexec.exe] is a valid fully qualified path, continue.	Execute-Process	11/06/2024 1:11:43 PM	10736 (0x29F0)
[Installation] :: Checking to see if mutex [Global\_MSIExecute] is available. Wait up to [10 minute(s)] for the mutex to become available.	Test-IsMutexAvailable	11/06/2024 1:11:43 PM	10736 (0x29F0)
[Installation] :: Mutex [Global\_MSIExecute] is available for an exclusive lock.	Test-IsMutexAvailable	11/06/2024 1:11:43 PM	10736 (0x29F0)
[Installation] :: Working Directory is [C:\WINDOWS\ccmcache\2k\Files].	Execute-Process	11/06/2024 1:11:44 PM	10736 (0x29F0)
[Installation] :: Executing [C:\WINDOWS\System32\msiexec.exe /i "C:\WINDOWS\ccmcache\2k\Files\CylanceProtect_x64.msi" REBOOT=ReallySuppress /QN PIDKEY=...... LAUNCHAPP=1 VENUEZONE="Endpoint Production" PROTECTTEMPPATH=1 REGWSC=1 /quiet /norestart /L*v "C:\WINDOWS\Logs\Software\CylanceProtect_x64_Install.log"]...	Execute-Process	11/06/2024 1:11:44 PM	10736 (0x29F0)
[Installation] :: Getting message for exit code [1603].	Get-MsiExitCodeMessage	11/06/2024 1:11:59 PM	10736 (0x29F0)
[Installation] :: Execution failed with exit code [1603].	Execute-Process	11/06/2024 1:12:00 PM	10736 (0x29F0)
[Installation] :: Bypassing Close-InstallationProgress [Mode: Silent]	Close-InstallationProgress	11/06/2024 1:12:00 PM	10736 (0x29F0)
[Installation] :: Blackberry_CylanceProtect_3.2.1000.28_x64_EN_01 Installation completed with exit code [1603].	Exit-Script	11/06/2024 1:12:00 PM	10736 (0x29F0)

Error 0x643 (1603) resolves to "Fatal error during installation".

Tried manual installation, but it was also failing and performing a roll back.

Cylance EDR is somewhat unpredictable when it's upgraded on an existing installation.

Solution:

  1. Uninstall all existing installations of Cylance tools from the endpoint.
  2. Delete all Cylance registry entries from that machine, under:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
    • HKLM\SYSTEM\CurrentControlSet\services\
    • HKLM\Software\Cylance
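
To check that step 2 is complete before redeploying, the script below lists leftover Cylance entries under the four locations above and previews their removal. It is an added example, not part of the original post or any vendor tooling. The function name `Get-CylanceRegistryLeftover` is hypothetical, and matching on the string "Cylance" in the subkey name, `DisplayName`, `Publisher` or `ImagePath` is an assumption about how the leftovers are labelled.

```powershell
# Added example: locate leftover Cylance registry entries under the four
# locations listed above. Matching on the string "Cylance" is an assumption.
function Get-CylanceRegistryLeftover {
    [CmdletBinding()]
    param([string]$Pattern = '*Cylance*')

    # Parent keys whose *subkeys* are inspected; the parents are never returned.
    $parents = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SYSTEM\CurrentControlSet\Services'
    )
    # Values that usually identify which product owns a subkey.
    $valueNames = 'DisplayName', 'Publisher', 'ImagePath'

    foreach ($parent in $parents) {
        if (-not (Test-Path -LiteralPath $parent)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $parent -ErrorAction SilentlyContinue) {
            $hit = $key.PSChildName -like $Pattern
            foreach ($name in $valueNames) {
                if ($hit) { break }
                $value = $key.GetValue($name)
                if ($value -is [string] -and $value -like $Pattern) { $hit = $true }
            }
            if ($hit) {
                [pscustomobject]@{
                    Path        = $key.PSPath
                    DisplayName = $key.GetValue('DisplayName')
                }
            }
        }
    }

    # The vendor key is removed as a whole, so report it directly.
    $vendor = 'HKLM:\SOFTWARE\Cylance'
    if (Test-Path -LiteralPath $vendor) {
        [pscustomobject]@{ Path = (Get-Item -LiteralPath $vendor).PSPath; DisplayName = $null }
    }
}

$leftovers = @(Get-CylanceRegistryLeftover)
$leftovers | Format-Table -AutoSize -Wrap
# Preview only: -WhatIf prints what would be deleted without changing anything.
$leftovers | ForEach-Object { Remove-Item -LiteralPath $_.Path -Recurse -WhatIf }
```

Run it from an elevated PowerShell session and review the listed paths before dropping `-WhatIf`; an empty result means no matching entries remain.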
