Verifying certificates to prevent update process and file signature checking failure in OfficeScan (OSCE)

Typically, the required certificate will be installed and updated via Microsoft Windows Update. In certain environments (e.g. air-gapped or central managed certificate store), customers may verify if the following required certificates exist to make sure that the update process would not fail:

1. Go to Start > Run.
2. Execute the following command: “certmgr.msc”.
3. Check if the following certificates exist in the local computer:
   • SHA1:
     • Root CA

       Subject: VeriSign Class 3 Public Primary Certification Authority - G5
       Serial number: 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a
       Thumbprint: 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5
       Valid from 2006/11/08 to 2036/07/17

        

       If this certificate is not installed on the local computer, it will fail to recognize the SHA-2 certificate when the package contains both SHA-1 and SHA-2 even with Microsoft KB3033929 installed.
     • Intermediate cert

       Subject: VeriSign Class 3 Code Signing 2010 CA
       Serial number: 52 00 e5 aa 25 56 fc 1a 86 ed 96 c9 d4 4b 33 c7
       Thumbprint: 49 58 47 a9 31 87 cf b8 c7 1f 84 0c b7 b4 14 97 ad 95 c6 4f
       Valid from 2010/02/08 to 2020/02/08

   • SHA1-Countersignatures:
     • Root CA

       Subject: UTN-USERFirst-Object
       Serial number: 44 be 0c 8b 50 00 24 b4 11 d3 36 2d e0 b3 5f 1b
       Thumbprint: e1 2d fb 4b 41 d7 d9 c3 2b 30 51 4b ac 1d 81 d8 38 5e 2d 46
       Valid from 1999/07/10 to 2019/07/10

   • SHA2:
     • Root CA

       Subject: Class 3 Public Primary Certification Authority
       Serial number: 70 ba e4 1d 10 d9 29 34 b6 38 ca 7b 03 cc ba bf
       Thumbprint: 74 2c 31 92 e6 07 e4 24 eb 45 49 54 2b e1 bb c5 3e 61 74 e2
       Valid from 1996/01/29 to 2028/08/02

     • Intermediate cert

       Subject: VeriSign Class 3 Public Primary Certification Authority - G5
       Serial number: 25 0c e8 e0 30 61 2e 9f 2b 89 f7 05 4d 7c f8 fd
       Thumbprint: 32 f3 08 82 62 2b 87 cf 88 56 c6 3d b8 73 df 08 53 b4 dd 27
       Valid from 2006/11/08 to 2021/11/08

     • Intermediate cert

       Subject: Symantec Class 3 SHA256 Code Signing CA
       Serial number: 3d 78 d7 f9 76 49 60 b2 61 7d f4 f0 1e ca 86 2a
       Thumbprint: 00 77 90 f6 56 1d ad 89 b0 bc d8 55 85 76 24 95 e3 58 f8 a5
       Valid from 2013/12/10 to 2023/12/10

   • SHA2-Countersignatures:
     • Root CA

       Subject: Thawte Timestamping CA
       Serial number: 00
       Thumbprint: be 36 a4 56 2f b2 ee 05 db b3 d3 23 23 ad f4 45 08 4e d6 56
       Valid from 1997/01/01 to 2021/01/01

     • Intermediate cert

       Subject: Symantec Time Stamping Services CA - G2
       Serial number: 7e 93 eb fb 7c c6 4e 59 ea 4b 9a 77 d4 06 fc 3b
       Thumbprint: 6c 07 45 3f fd da 08 b8 37 07 c0 9b 82 fb 3d 15 f3 53 36 b1
       Valid from 2012/12/21 to 2020/12/31

Root CA means insert into Root Store (Trusted Root Certificate Authorities).

Intermediate cert means insert into Intermediate Certificate Authorities.

Trend Micro recommends that customers keep this setting enabled. However, if the customer cannot import this certificate for some reason, disable the checking mechanism:

1. Open the aucfg.ini file in the following folders of the OSCE server:
   • "\PCCSRV\web\service"
   • “\PCCSRV\WSS”
   • “\PCCSRV\LWCS”

2. Add the following parameters before the line "[Debug]":

   • check_file_signature=0
   • check_digital_signature=0
    

   For OSCE 11.0 SP 1, the customer would need to install Hot Fix Build 3085 before adding this parameter.