What vmware platform?

Hypervisor: VMware ESXi, 7.0.3, build 21313628

For us it failed on every attempt made. 

Windows Server 2022 (April Updates), vSphere 7U3 (latest), vmware Tools 12.1.5, ENS 10.7

Issue from logs is always an unlink error with "naprfctr.dll" which triggers the rollback. 

"Error: EPERM: operation not permitted, unlink '%myinstallpath%//naprfctr.dll'

In normal operation (all 3 services running) the dll is in use by apache.exe, EventParser.exe and WmiPrvSE.exe, maybe the last one is locking the file and preventing the update to work. (Handle/dll search in Sysinternals Process Explorer) 

As far as I can see naprfctr.dll and NaprfctrRes.dll are the only ePO files loaded by the wmiPrvSE.exe. This dll load is related to the windows performance metrics for the eventparser service (Registry path: "hklm\system\currentcontrolset\services\MCAFEEEVENTPARSERSRV\Performance")

In some of the rollback attempts the Tomcat-Service was stuck in "pending deletion" for me too and after an reboot it was deleted. 

Found no way to successfully update our ePO from CU15 to SP1, so we are currently stuck with CU15. 

The eperm error is files in use.

Make sure all services are stopped and stay stopped during the update install.

disable ens or any other av software

check for any other 3rd party software that might be monitoring directories, etc. (crowdstrike and many others)

Make sure no open windows to the directories

Keep also in mind that if you remove drastically ENS with ENS Removal Tool, you may register 2 DDL afterwards like explain on KB95077

Agent Handlers are inactive and stop communicating with the ePO server (trellix.com)

@cdinet Hi, as per your question on the version being used, please refer to our ticket 4-23824572231

MER files were uploaded.
Hypervisor VMware ESXi, 7.0.3, 19193900

Thanks

Actually, after a successive rollback the support told us to avoid any retry and that they were having enough data received from many customers to diagnose, and finally to stay on hold. we did communicated to our customers to do the same. We are today 8 days after our crash and 7 days after being told to stay on hold. No message from Trellix to the customers warning about possible issue, nothing added to the known issue... no intermediate status received, this is not a professional way to manage such an issue. An official statement is needed here. And customers, unaware of the risk are adding themselves to the DRP done list....

 Yes, Would also have expected an SNS notice or something... but radio silence.

I do feel sorry for the engineers at customers who cant do snapshots or backups (Cause storage issues etc) and then basically wing the update as they and the customer don't have labs to test on first, with out knowing it could break. I have delt a lot with companies and Government depts that have major resource constraints so I would sometimes have to test stuff for them on my own infrastructure.

KB96464 have been published:

Eventparser.exe and Apache.exe crashes frequently, faulting module name: ccme_base.dll is reported after you upgrade to ePO 5.10 SP1

https://kcm.trellix.com/corporate/index?page=content&id=KB96464