Views:

To update the certificate on a Windows machine without direct internet connection:

  1. Here is the list of certificates that should be installed before enabling the Anti-Malware Feature:

    If you encountered a similar event as follows, You may download the missing certificates specified in the system event first

    general

    In the example above, you need to download and install the missing DigiCert Trusted Root G4 and VeriSign Class 3 Public Primary Certification Authority G5.

  2. Install the downloaded certificate on the affected machine with DSA.
    • Install the certificate using the batch file included in the package.
      1. Extract the zip file that you have downloaded
      2. Execute the batch file in the package with administrative privilege.
    • Install the certificates manually:
      1. Open the certificate and click the Install Certificate button.

        Install Certificate

        The Certificate Import Wizard will appear.

      2. Click Next.
      3. Select Place all certificates in the following store and click Browse.
      4. Tick Show physical stores and click Trusted Root Certification Authorities > Local Computer > OK.

        trusted root certificate store on local computer

        If Local Computer is not available under Trusted Root Certification Authorities:

        1. Open the Run window.
        2. Type "MMC" and click OK.
        3. Click the File menu and select Add/Remove Snap-in.
        4. Select Certificates on the left panel and click the Add button.
        5. In the Certificates snap-in window, select Computer account and then click Next.
        6. In the Select Computer window, select the Local computer radio button and click Finish > OK.
        7. Expand Certificates > Trusted Root Certification Authorities in the left panel and then click the Certificates folder.
        8. Click the Action menu > All tasks and then import the certificates.
        9. Click Finish. The message "The import was successful"  will appear.

          certificate was imported successfully

Alternative Solution:
The Trend Micro Deep Security Agent Support Tool can check if the target system has the required certificates or not. The tool can also import the missing certificates.
Go to the "Environment Check" tab to identify and install the missing certificates. 
For detailed information you can refer the his KB article link

You may contact the Trend Micro Technical Support to get the latest version of this tool.

 

There will no longer be sha1 signing in the future, old platforms such as Win7/2008 will need to apply MS patches to support sha2.

Customers who are using Deep Security to protect legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2) are required to have SHA-2 code signing support installed on their servers to order to successfully install or upgrade the Deep Security Agent for Windows.

Refer to this KB Article for more information: New versions of Trend Micro Deep Security agents for Windows will only be signed with SHA-2.