Control Manager has a new enhancement in the update process that checks the integrity of downloaded files before loading them.
TMCM 6.0 SP3 Patch 1 Hot Fix Build 3241 and later versions include this file signature checking in the update process.
The required certificates for file integrity checking are automatically downloaded and installed via Microsoft Windows Update. However, if certificates are not properly installed or are missing, the file signature checking mechanism fails and the update process terminates.
In certain environments, such as air-gapped networks or those with centrally managed certificate stores, the TMCM server may not be able to access Microsoft Windows Update to download the digital certificates used to validate the integrity of downloaded files. In that case, the TMCM server cannot load any new pattern and engine updates.
The customer has tried to import the digital certificates manually, but does not know where to place them in the Certificate Manager (certmgr.msc).
Customers can verify if the required certificates exist by doing the following:
- Go to Start > Run.
- Execute the following command:
certmgr.msc
- Check if the following certificates exist under Certificates (Local Computer). In the list below, "Root CA" means to go into Trusted Root Certification Authorities > Certificates, and "Intermediate cert" means to go into Intermediate Certification Authorities > Certificates.
  - SHA-1:
    - Root CA
      Subject: VeriSign Class 3 Public Primary Certification Authority - G5
      Serial number: 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a
      Thumbprint: 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5
      Valid from 2006/11/08 to 2036/07/17
    - Intermediate cert
      Subject: VeriSign Class 3 Code Signing 2010 CA
      Serial number: 52 00 e5 aa 25 56 fc 1a 86 ed 96 c9 d4 4b 33 c7
      Thumbprint: 49 58 47 a9 31 87 cf b8 c7 1f 84 0c b7 b4 14 97 ad 95 c6 4f
      Valid from 2010/02/08 to 2020/02/08
  - SHA-1 Countersignatures:
    - Root CA
      Subject: UTN-USERFirst-Object
      Serial number: 44 be 0c 8b 50 00 24 b4 11 d3 36 2d e0 b3 5f 1b
      Thumbprint: e1 2d fb 4b 41 d7 d9 c3 2b 30 51 4b ac 1d 81 d8 38 5e 2d 46
      Valid from 1999/07/10 to 2019/07/10
  - SHA-2:
    - Root CA
      Subject: Class 3 Public Primary Certification Authority
      Serial number: 70 ba e4 1d 10 d9 29 34 b6 38 ca 7b 03 cc ba bf
      Thumbprint: 74 2c 31 92 e6 07 e4 24 eb 45 49 54 2b e1 bb c5 3e 61 74 e2
      Valid from 1996/01/29 to 2028/08/02
    - Intermediate cert
      Subject: VeriSign Class 3 Public Primary Certification Authority - G5
      Serial number: 25 0c e8 e0 30 61 2e 9f 2b 89 f7 05 4d 7c f8 fd
      Thumbprint: 32 f3 08 82 62 2b 87 cf 88 56 c6 3d b8 73 df 08 53 b4 dd 27
      Valid from 2006/11/08 to 2021/11/08
    - Intermediate cert
      Subject: Symantec Class 3 SHA256 Code Signing CA
      Serial number: 3d 78 d7 f9 76 49 60 b2 61 7d f4 f0 1e ca 86 2a
      Thumbprint: 00 77 90 f6 56 1d ad 89 b0 bc d8 55 85 76 24 95 e3 58 f8 a5
      Valid from 2013/12/10 to 2023/12/10
  - SHA-2 Countersignatures:
    - Root CA
      Subject: Thawte Timestamping CA
      Serial number: 00
      Thumbprint: be 36 a4 56 2f b2 ee 05 db b3 d3 23 23 ad f4 45 08 4e d6 56
      Valid from 1997/01/01 to 2021/01/01
    - Intermediate cert
      Subject: Symantec Time Stamping Services CA - G2
      Serial number: 7e 93 eb fb 7c c6 4e 59 ea 4b 9a 77 d4 06 fc 3b
      Thumbprint: 6c 07 45 3f fd da 08 b8 37 07 c0 9b 82 fb 3d 15 f3 53 36 b1
      Valid from 2012/12/21 to 2020/12/31
If the customer cannot import the certificates successfully for any reason, a less secure alternative is to disable signature checking:
- Open the “C:\Program Files\Trend Micro\Control Manager\aucfg.ini” file using Notepad.
- Manually add the following key and set it to "0":
  check_file_signature=X
  Where:
  X=0 disables file signature checking.
  X=1 enables file signature checking.
- Save the changes to the aucfg.ini file.
- Restart the Trend Micro Control Manager service.
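The certificate check and the signature-checking setting described above can be audited together from PowerShell. This is an added example, not Trend Micro code: the thumbprints and the aucfg.ini path are taken from this article, the Cert:\LocalMachine\Root and Cert:\LocalMachine\CA paths are the standard Local Computer stores, and the function name is hypothetical.

```powershell
# Added example, not Trend Micro code. Thumbprints are copied from the list in this article.
# Store 'Root' = Trusted Root Certification Authorities, 'CA' = Intermediate Certification Authorities.
$required = @(
    @{ Set = 'SHA-1';                  Store = 'Root'; Thumbprint = '4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5' }
    @{ Set = 'SHA-1';                  Store = 'CA';   Thumbprint = '49 58 47 a9 31 87 cf b8 c7 1f 84 0c b7 b4 14 97 ad 95 c6 4f' }
    @{ Set = 'SHA-1 countersignature'; Store = 'Root'; Thumbprint = 'e1 2d fb 4b 41 d7 d9 c3 2b 30 51 4b ac 1d 81 d8 38 5e 2d 46' }
    @{ Set = 'SHA-2';                  Store = 'Root'; Thumbprint = '74 2c 31 92 e6 07 e4 24 eb 45 49 54 2b e1 bb c5 3e 61 74 e2' }
    @{ Set = 'SHA-2';                  Store = 'CA';   Thumbprint = '32 f3 08 82 62 2b 87 cf 88 56 c6 3d b8 73 df 08 53 b4 dd 27' }
    @{ Set = 'SHA-2';                  Store = 'CA';   Thumbprint = '00 77 90 f6 56 1d ad 89 b0 bc d8 55 85 76 24 95 e3 58 f8 a5' }
    @{ Set = 'SHA-2 countersignature'; Store = 'Root'; Thumbprint = 'be 36 a4 56 2f b2 ee 05 db b3 d3 23 23 ad f4 45 08 4e d6 56' }
    @{ Set = 'SHA-2 countersignature'; Store = 'CA';   Thumbprint = '6c 07 45 3f fd da 08 b8 37 07 c0 9b 82 fb 3d 15 f3 53 36 b1' }
)

function Test-RequiredCertificate {   # hypothetical helper name
    param([Parameter(Mandatory)] [hashtable] $Entry)
    # The article lists thumbprints with spaces; the Cert: drive uses bare upper-case hex.
    $thumb = ($Entry.Thumbprint -replace '\s', '').ToUpperInvariant()
    $cert  = Get-Item -LiteralPath "Cert:\LocalMachine\$($Entry.Store)\$thumb" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Set        = $Entry.Set
        Store      = $Entry.Store
        Present    = [bool]$cert
        NotAfter   = $cert.NotAfter   # empty when the certificate is absent
        Subject    = $cert.Subject
        Thumbprint = $thumb
    }
}

$results = $required | ForEach-Object { Test-RequiredCertificate -Entry $_ }
$results | Format-Table Set, Store, Present, NotAfter, Subject, Thumbprint -AutoSize

$missing = @($results | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) required certificate(s) missing; file signature checking will fail."
}

# Flag the less secure workaround from this article if it was left in place.
$ini = 'C:\Program Files\Trend Micro\Control Manager\aucfg.ini'
if ((Test-Path -LiteralPath $ini) -and
    (Select-String -LiteralPath $ini -Pattern '^\s*check_file_signature\s*=\s*0\s*$' -Quiet)) {
    Write-Warning 'check_file_signature=0 is set in aucfg.ini; updates are loaded without signature checking.'
}
```

Once the certificates are imported, set check_file_signature back to 1 and run the script again to confirm that neither warning appears.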