Azure Code Signing (ACS) Certificate Integrity Checking Enhancement for Trend Micro Apex One

Product / Version includes:

Last updated: 2023/05/26

Solution ID: KA-0014129

Category: SPEC , Update

Summary

Beginning in mid-February 2023, the cross-signing certificate used in the products listed below will expire and can no longer be renewed. Any customer wishing to apply a new patch, hotfix, or updated product binary to any of the Trend Micro products listed below must be running a version of Microsoft Windows that has been updated to support the Azure Code Signing (ACS) program, which replaced the deprecated cross-signing program.
For more information please refer to: IMPORTANT BULLETIN: Trend Micro Server and Endpoint Protection Agent Minimum Windows Version Requirements for Updated Binaries After Mid-February 2023

If you do not have the minimum OS build/patch of Microsoft Windows beginning in mid-February 2023, you may encounter errors where the Trend Micro security agent service(s) would fail to start after applying an updated binary signed with ACS.

To prevent this, Trend Micro has added Security Agent enhancements to detect and block program update or fresh installation on under-patched Windows platforms.

The ACS Certificate Integrity Checking Enhancement will be added from:

Apex One as a Service March 2023 maintenance – (Block New Agent Installation & Block Program Upgrade)*
Apex One On-Premise March Critical Patch release – (Block New Agent Installation & Block Program Upgrade)*

The non-ACS program upgrade blocking is a best effort implementation to prevent accidental deployment of new build on non-ACS compliant system.

Customers are strongly advised to apply appropriate MS KB immediately to enable ACS support before deploying latest Apex One builds.

Important notice on Non-ACS blocking enhancement:

On some environment, the ACS compliant detection logic may not work correctly and fail to block program updates on non-ACS compliant systems.
If current agent build is at Dec 2022 build(11960) or lower, user might experience high network usage due to repeated downloads of program upgrade module.
Non-ACS supported endpoint may remain unnoticed at an old build missing out on critical security fixes that may increases vulnerability of the system.

Please refer to the summary table for Trend Micro recommendations:

ACS Compliance Level	Recommendation	Other Info
All systems are ACS compliant	Can apply latest build without any issues	Can upgrade agents to latest build without issues
All systems are not ACS compliant	Disable Agent program upgrade before applying latest hot fix or patch. Please install appropriate Windows KB before applying re-enabling program upgrade. Warning: It is recommended to separate the systems by grouping and to upgrade only ACS compliant systems.	In-place upgrade using EXE or MSI package will also do ACS check and block if not compliant.
Systems are partially ACS compliant

If the target endpoint does not have the required Windows updates, the following messages will be shown:

Applying Patch on Apex One server (On-Premise)

^{Click the image to enlarge.}
Fresh Installation of Apex One Security Agent:
- Popout message (Standalone MSI Installer)
  
  ^{Click the image to enlarge.}
- Web Console Remote Installation (On-Premise)
  
  ^{Click the image to enlarge.}
Program Update: Application Event Logs will have recorded events below. (Security Agent will stay on current version)

^{Click the image to enlarge.}

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Azure Code Signing (ACS) Certificate Integrity Checking Enhancement for Trend Micro Apex One

Azure Code Signing (ACS) Certificate Integrity Checking Enhancement for Trend Micro Apex One

Product / Version includes:

Summary