Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Trend Micro products and Microsoft’s SHA-1 deprecation policy for code signing

    • Updated:
    • 25 Apr 2016
    • Product/Version:
    • OfficeScan 10.6
    • OfficeScan 11.0
    • Worry-Free Business Security Services 5.7
    • Worry-Free Business Security Services 5.8
    • Worry-Free Business Security Standard/Advanced 8.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Platform:
    • N/A N/A
Summary

According to Microsoft Security Advisory 2880823, Microsoft has announced that they will no longer allow root certificate authorities to issue X.509 certificates using the SHA-1 hashing algorithm for the purposes of SSL and code signing after January 1, 2016.

In response to the code signing piece of the new policy, Trend Micro solutions have been modified as needed to include both SHA-1 and SHA-2 certificate in all products to support this policy.

Details
Public

Scope

Trend Micro has tested products on the platforms listed below to make sure the new policy is supported.

  • Windows Vista SP2, Windows Server 2008 SP2, Windows 2000 SP4, Windows XP SP3 and Windows Server 2003 SP2 are not in the scope of SHA-1 deprecation policy and can only recognize SHA-1 certificates.
  • Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows 10, Windows Server 2012 and Windows Server 2012 R2 are in the scope of SHA-1 deprecation policy.

All new software packages created after January 1, 2016 will use SHA-2 certificates for code signing. Customers on Windows versions listed under the required actions must ensure they have applied the required hot fixes to enable SHA-2 compatibility.

Customers deploying (or reinstalling) current versions of Trend Micro software that are originally created and released before January 1, 2016, may still use the SHA-1 versions.

Required Actions

Users running Windows 7 (including SP1) and Windows Server 2008 R2 / R2 SP1 are required to install hot fixes outlined in Microsoft Security Advisory 3033929 to enable SHA-2 compatibility. Users on Windows 8 and above, as well as Windows Server 2012 and above, already have this compatibility built-in.

In addition, several Trend Micro products rely on public root certificates. Most Windows systems can automatically receive updates online, however, there are instances where isolated or offline machines may not be able to receive these. Customers who receive error messages regarding a missing or outdated VeriSign Class 3 Public Primary Certification Authority G5 in the host machine’s Trusted Root Certificate Authorities store are advised to obtain the necessary certificate and manually apply or update it using the information in the following Microsoft article.

Premium
Internal
Rating:
Category:
Configure
Solution Id:
1113199
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.