Intrusion Prevention System (IPS) and Firewall Engine offline after Deep Security Agent (DSA) installation

    • Updated: 24 Sep 2020
    • Product/Version: Deep Security 12.0
    • Platform:
Summary

After successful installation and activation of DSA on Windows 2008 / 2008 R2 Server, the Intrusion Prevention and Firewall engines go offline in the Deep Security Manager (DSM) console.

The root cause of this issue is that the network engine driver was not successfully installed. Windows did not trust the driver because it is signed with SHA-2 by Microsoft. Legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2) do not support drivers signed with SHA-2.

Starting January 1, 2020, drivers used by the Deep Security Agents on Windows are signed using SHA-2 by Microsoft (and no longer dual signed using SHA1 and SHA2).

Below are sample driver verification entries logged while the DSA driver is being installed. The log entries are found in C:\Windows\INF\setupapi.dev.log.

! sig: Verifying file against specific Authenticode(tm) catalog failed! (0x800b010a)
! sig: Error 0x800b010a: A certificate chain could not be built to a trusted root authority.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b010a)} 12:46:56.642
!!! sto: An unexpected error has occurred while validating the Driver Package. Assuming that the Driver Package is unsigned. Catalog = C:\Windows\system32\DriverStore\Temp\{0b954d2c-6f52-41b1-a307-3c0e513091a1}\Package\tbimdsa.cat, Error = 800b010a
!!! sto: The driver package is considered unsigned.
!!! sto: Driver package failed signature verification.
!!! sto: Error = 800b010a
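
To triage this symptom across collected copies of setupapi.dev.log, the following added example (not Trend Micro's code) extracts driver-package catalog failures and flags those carrying the 0x800b010a code shown above. The function names, the result field names and the second, constructed log line are assumptions for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Lines taken from the article's setupapi.dev.log excerpt.
ARTICLE_LINES = r"""
! sig: Error 0x800b010a: A certificate chain could not be built to a trusted root authority.
!!! sto: An unexpected error has occurred while validating the Driver Package. Assuming that the Driver Package is unsigned. Catalog = C:\Windows\system32\DriverStore\Temp\{0b954d2c-6f52-41b1-a307-3c0e513091a1}\Package\tbimdsa.cat, Error = 800b010a
!!! sto: Error = 800b010a
"""
# Constructed line (not from the article): another catalog, different code.
CONSTRUCTED_LINE = r"!!! sto: An unexpected error has occurred while validating the Driver Package. Catalog = C:\Temp\example.cat, Error = 800b0109"
SAMPLE_LOG = ARTICLE_LINES + CONSTRUCTED_LINE + "\n"

ARTICLE_ERROR = 0x800B010A  # "certificate chain could not be built"

# Matches "!!! sto: ... Catalog = <path>, Error = <8 hex digits>".
STO_RE = re.compile(
    r"^!!!\s+sto:.*Catalog\s*=\s*(?P<cat>.+?),\s*Error\s*=\s*(?P<err>[0-9A-Fa-f]{8})$"
)

def find_signature_failures(log_text):
    """Return one record per driver package whose catalog failed validation."""
    findings = []
    for line in log_text.splitlines():
        m = STO_RE.match(line.strip())  # real log lines are indented
        if not m:
            continue
        code = int(m.group("err"), 16)
        findings.append({
            "catalog": basename(m.group("cat")),
            "error": "0x%08x" % code,
            "matches_article_error": code == ARTICLE_ERROR,
        })
    return findings

def affected_catalogs(log_text):
    """Catalog file names that failed with the article's error code."""
    return sorted({f["catalog"] for f in find_signature_failures(log_text)
                   if f["matches_article_error"]})

if __name__ == "__main__":
    for finding in find_signature_failures(SAMPLE_LOG):
        print(finding)
```

A host whose log yields tbimdsa.cat from affected_catalogs is a candidate for the updates listed under Details.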
Details

For a Windows 2008 system to install the driver, apply the following updates:

| Windows Platform | Update |
| --- | --- |
| Windows Server 2008 SP2 | Microsoft KB 4493730, Microsoft KB 4474419 |
| Windows 7 SP1 and Windows Server 2008 R2 SP1 | Microsoft KB 4490628, Microsoft KB 4474419 |

Reference: Microsoft Support - 2019 SHA-2 Code Signing Support requirement for Windows and WSUS

Before applying the updates, uninstall the DSA:

  1. Download and apply the two Microsoft updates.
  2. Deactivate the affected DSA.
  3. Uninstall and install the DSA.
  4. Activate the agent from the DSM console.

After applying the two updates and re-installing the DSA, Intrusion Prevention and Firewall should no longer go offline.

If applying the updates didn't resolve the issue, please generate and submit the diagnostic package of DSA and DSM to Trend Micro Technical Support.

Category: Troubleshoot
Solution Id: 000273332