Starting with OSCE 10.6 SP3, Trend Micro has used Comodo certificates for digital signature verification.
If the OfficeScan server and clients have Windows Update disabled or are placed in isolated network environments, they may not obtain the Comodo certificates for their trusted certificate store.
For OSCE server and client machines that do not have these certificates, the following issues may occur:
- You are unable to install the ActiveX components of the OfficeScan web console, which makes it inaccessible.
  A prompt says that the AtxEnc.cab is signed by an Unknown Publisher and the file is blocked because it does not have a valid digital signature that verifies its publisher.
- OfficeScan clients remain in "Updating" state and fail to get their updates from the server.
- The OfficeScan server cannot verify the agents' digital signatures during Inter-Process Communication (IPC).
These issues occur when OSCE is installed on a Windows machine without a direct Internet connection for downloading certificate updates.
To resolve this issue:
- Download the root and intermediate certificates from the following Comodo links:
- Install each certificate on the affected OSCE server.
- Open AddTrustExternalCARoot.crt and UTN-USERFirst-Object.crt in turn, and for each one click the Install Certificate button.
- Click Next when the Certificate Import Wizard appears.
- For Windows 2012, select Local Machine and click Next.
- Select Place all certificates in the following store and click Browse.
- Select the Show physical stores check box, go to Trusted Root Certification Authorities > Local Computer, and then click OK. For Domain users, please refer to this external article.
- Click Finish. The message "The import was successful" should appear.
- Repeat the steps above for COMODOCodeSigningCA2.crt and UTNAddTrustObject_CA.crt, and then choose Intermediate Certification Authorities when selecting Certificate Store.
The certificate-related issues should be resolved.
If manually adding the Comodo certificates and performing a Windows Update does not work, check for a Group Policy Object (GPO) that turns off Automatic Root Certificates Update:
- Go to Computer Configuration > Policies > Administrative Templates > System > Internet Communication Management > Internet Communication Settings > "Turn off Automatic Root Certificates Update".
- Make sure that the value is set to "Not configured" (default value).
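The import steps and the policy check above can also be scripted in PowerShell. This is an added example, not Trend Micro's own tooling. It assumes the four certificate files are already in the hypothetical folder C:\Temp\ComodoCerts, and it reads the registry value that backs the "Turn off Automatic Root Certificates Update" policy.

```powershell
# Added example: run in an elevated PowerShell session on the affected machine.
# Import-Certificate needs Windows 8 / Server 2012 or later.
$CertDir = 'C:\Temp\ComodoCerts'   # hypothetical folder holding the downloaded files

# File name -> machine store, matching the wizard steps above.
$Plan = [ordered]@{
    'AddTrustExternalCARoot.crt' = 'Cert:\LocalMachine\Root'
    'UTN-USERFirst-Object.crt'   = 'Cert:\LocalMachine\Root'
    'COMODOCodeSigningCA2.crt'   = 'Cert:\LocalMachine\CA'
    'UTNAddTrustObject_CA.crt'   = 'Cert:\LocalMachine\CA'
}

foreach ($name in $Plan.Keys) {
    $path  = Join-Path $CertDir $name
    $store = $Plan[$name]
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$name not found in $CertDir; skipped."
        continue
    }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

    # Print identifying fields so the thumbprint can be compared with the
    # value the CA publishes before the file is trusted machine-wide.
    "{0}`n  Subject   : {1}`n  Thumbprint: {2}`n  Expires   : {3:u}" -f $name, $cert.Subject, $cert.Thumbprint, $cert.NotAfter

    # Only self-signed certificates belong in Trusted Root.
    if ($store -like '*\Root' -and $cert.Subject -ne $cert.Issuer) {
        Write-Warning "$name is not self-signed; not adding it to Trusted Root."
        continue
    }
    if (Test-Path (Join-Path $store $cert.Thumbprint)) {
        "  Already present in $store"
    } else {
        Import-Certificate -FilePath $path -CertStoreLocation $store | Out-Null
        "  Imported into $store"
    }
}

# Registry value behind "Turn off Automatic Root Certificates Update".
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$gpo = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($gpo -and $gpo.DisableRootAutoUpdate -eq 1) {
    Write-Warning 'Automatic Root Certificates Update is turned off by policy.'
} else {
    'Automatic Root Certificates Update is not turned off by policy.'
}
```

The script is safe to re-run: certificates already in the target store are reported and left alone.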