This article provides information about common certificate-related issues that occur on either the OSCE agent or server.
Since OSCE 11.0, there is an enhancement that ensures agent-server communication is secure and trusted.
OSCE agents use public-key cryptography to authenticate communications that the OSCE server initiates towards agents. The server keeps a private key and deploys the matching public key to all agents; both keys belong to a certificate generated by the OSCE installer.
During installation of the OSCE server, setup stores this certificate in the host's certificate store. Agents use the public key to verify that an incoming communication was genuinely initiated by the server, and they respond only if that verification succeeds.
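The mechanism described above, as an added example written for this article rather than taken from OSCE: the server signs each command with its private key, and the agent verifies with whatever public key was deployed to it. The command format, the use of .NET RSA (RSACng, available on Windows PowerShell 5.1 with .NET Framework 4.6 or later and on PowerShell 7) and the "reinstalled server" scenario are assumptions made for illustration.

```powershell
# Added example (not Trend Micro's code): a model of OSCE server-initiated
# command authentication using .NET RSA. Command format, key size and the
# scenarios below are assumptions made for illustration only.

function New-OsceServerKey {
    # Server side: generate the key pair. The private key never leaves the
    # server; ExportParameters($false) yields only the public half, which is
    # what gets deployed to agents (the role OfcNTCer.dat plays in OSCE).
    $rsa = New-Object System.Security.Cryptography.RSACng(2048)
    [pscustomobject]@{
        Private = $rsa
        Public  = $rsa.ExportParameters($false)
    }
}

function Protect-ServerCommand {
    # Server side: sign the command bytes with the private key.
    param(
        [System.Security.Cryptography.RSA] $PrivateKey,
        [string] $Command
    )
    $PrivateKey.SignData(
        [System.Text.Encoding]::UTF8.GetBytes($Command),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

function Test-ServerCommand {
    # Agent side: verify using the public key the agent currently holds.
    param(
        [System.Security.Cryptography.RSAParameters] $DeployedPublicKey,
        [string] $Command,
        [byte[]] $Signature
    )
    $verifier = New-Object System.Security.Cryptography.RSACng
    $verifier.ImportParameters($DeployedPublicKey)
    $verifier.VerifyData(
        [System.Text.Encoding]::UTF8.GetBytes($Command),
        $Signature,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

# Scenario 1: the agent holds the public key deployed by the server it talks to.
$server   = New-OsceServerKey
$agentKey = $server.Public   # deployed to the agent at install time
$command  = 'ACTION=UpdateNow;TARGET=WS001;ISSUED=2024-01-01T00:00:00Z'   # constructed sample
$sig      = Protect-ServerCommand -PrivateKey $server.Private -Command $command
"Matching key, untouched command  : {0}" -f (Test-ServerCommand $agentKey $command $sig)

# Scenario 2: the command was altered in transit; the signature no longer matches.
$tampered = $command -replace 'WS001', 'ALL'
"Matching key, tampered command   : {0}" -f (Test-ServerCommand $agentKey $tampered $sig)

# Scenario 3: the server was reinstalled (new installer-generated certificate)
# but the agent still holds the old public key, i.e. a mismatched OfcNTCer.dat.
$newServer = New-OsceServerKey
$sig2      = Protect-ServerCommand -PrivateKey $newServer.Private -Command $command
"Stale key, genuine command       : {0}" -f (Test-ServerCommand $agentKey $command $sig2)
```

Only the first scenario verifies. The second fails because the signed hash no longer covers the command that arrived; the third fails because the agent's deployed key does not correspond to the private key that signed, which is exactly the mismatched-certificate condition in which an agent shows "Online" yet silently ignores server-initiated commands.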
A missing or mismatched public key file (OfcNTCer.dat) on the agent is the usual cause of server-agent communication failure. Administrators or end users may additionally observe symptoms such as:
- A warning message “One or more OfficeScan Agents do not have a valid OfficeScan server certificate” appears on the Dashboard after logging onto the OSCE web console.
- OSCE agents cannot receive new configuration deployed from the OSCE server, and cannot send logs or virus detections to it, even though they show as "Online" in the agent tree.
Refer to this KB article to resolve the missing or mismatched certificate issue: "OfficeScan Agents do not have a valid OfficeScan Server certificate” appears on the dashboard.
Below are several options to deploy this certificate to the agents:
If OfcNTCer.dat cannot be deployed to an OSCE agent, or the agent urgently needs to update components from the OSCE server, disable server authentication on the affected agent. Bear in mind that the agent then accepts server-initiated commands without verifying their origin, so deploy the certificate and re-enable the check once the deployment problem is solved:
- Unload the OSCE agent.
- Manually set the agent registry value below to "0" to disable server authentication:
- For 32-bit OS
- For 64-bit OS
- Reload the OSCE agent and verify that it can now receive updates from the OSCE server.
Since OSCE 10.0 Hot Fix Build 1848, OSCE checks the integrity of its program files by verifying their digital signatures before loading them.
OSCE relies on the Windows signature-verification functions for this check. The CA certificates those functions need are normally downloaded and installed through Microsoft Windows Update. If they were not installed properly or are missing (for example, because Windows Update is disabled or the server or agent machine sits on an isolated network), the signature check fails and causes a variety of problems.
When the Windows OS lacks the necessary certificates, the following issues may occur on OSCE 10.6, 11.0, and XG:
- The ActiveX components of the OSCE web console cannot be installed, which makes the console inaccessible.
- A prompt reports that AtxEnc.cab is signed by an Unknown Publisher and that the file is blocked because it does not have a valid digital signature verifying its publisher.
- OSCE agent processes cannot verify their inter-process communication (IPC).
- Files on the OSCE server are renamed with an "_Invalid" suffix.
- OSCE agents remain in the "Updating" state and fail to get their updates from the server.
- Real-Time Scan does not start after installing or upgrading.
The following OSCE versions include the file digital signature check in the update process:
- OSCE 10.6 Service Pack 3 Hot Fix Build 5908 and later versions
- OSCE 11.0 Hot Fix Build 1596 and later versions
On OSCE 11.0, the server may fail to run ActiveUpdate and report "ActiveUpdate self integrity check fail" when pattern updates fail.
Refer to this KB article to check the required certificates via Microsoft Management Console (MMC): Verifying certificates to prevent update process and file signature checking failure in OfficeScan (OSCE).
Also refer to the following KB article to troubleshoot certificate-related issues: Import Comodo certificates to the problematic machines.
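The certificate check that the two KB articles describe through MMC can also be scripted. The following is an added example, not Trend Micro's code: it reports what the Windows signature verifier actually concludes about OSCE program files, which files have already been renamed, and whether the CA certificates are present in the machine stores. It assumes the PCCSRV directory is passed in, and that the certificates in question can be recognised by "COMODO" in their subject or issuer; replace that pattern with the exact certificate names from the referenced KB article.

```powershell
# Added example (not Trend Micro's code). Assumes the PCCSRV directory is
# passed in and that the CA certificates the KB articles refer to can be
# recognised by "COMODO" in their subject or issuer; adjust the pattern.

function Test-OsceFileSignature {
    param([Parameter(Mandatory)][string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null; $chainOk = $false; $chainErrors = @()
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject
        $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Isolated hosts cannot reach CRL/OCSP endpoints: skip revocation so a
        # network failure is not mistaken for a missing certificate.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($sig.SignerCertificate)
        # PartialChain = intermediate CA missing, UntrustedRoot = root CA missing
        $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    }
    [pscustomobject]@{
        File        = Split-Path -Path $Path -Leaf
        Status      = $sig.Status      # anything but Valid: Windows could not verify it
        Signer      = $signer
        ChainBuilds = $chainOk
        ChainErrors = ($chainErrors -join ', ')
    }
}

function Find-StoreCertificate {
    # Windows Update (or a manual import) places CA certificates in the
    # machine-wide Root, AuthRoot and CA (intermediate) stores.
    param([string] $Pattern = '*COMODO*')
    foreach ($store in 'Root', 'AuthRoot', 'CA') {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -like $Pattern -or $_.Issuer -like $Pattern } |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, NotAfter, Thumbprint
    }
}

function Get-OsceSignatureReport {
    param(
        [Parameter(Mandatory)][string] $PccsrvPath,
        [string] $CaPattern = '*COMODO*'
    )
    # Files the integrity check has already quarantined carry the "_invalid" suffix.
    $renamed = @(Get-ChildItem -Path $PccsrvPath -Recurse -File -Filter '*_invalid*')
    Write-Host ("Files already renamed by the integrity check: {0}" -f $renamed.Count)
    $renamed | ForEach-Object { Write-Host ('  ' + $_.FullName) }

    Write-Host "Program files whose signature Windows cannot verify:"
    Get-ChildItem -Path $PccsrvPath -Recurse -Depth 1 -File -Include *.exe, *.dll |
        ForEach-Object { Test-OsceFileSignature -Path $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        Format-Table -AutoSize

    Write-Host "CA certificates matching '$CaPattern' in the machine stores:"
    $found = @(Find-StoreCertificate -Pattern $CaPattern)
    if ($found.Count -eq 0) { Write-Host '  none; import them as described in the referenced KB article' }
    else { $found | Format-Table -AutoSize }
}

# Usage, from an elevated PowerShell on the OSCE server:
# Get-OsceSignatureReport -PccsrvPath '<path to the PCCSRV directory>'
```

A file listed with Status UnknownError and ChainErrors containing UntrustedRoot or PartialChain, together with an empty certificate list, is the signature of the problem this section describes: the file is signed correctly, but the host cannot build a trusted chain for it, so OSCE treats it as invalid.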
Trend Micro recommends keeping this check enabled. If, however, the certificates cannot be imported for some reason, disable the check in the update process as follows:
- Log on to the OSCE server as an administrator or with an administrator-level account.
- Create a backup copy of the aucfg.ini file in each of the following folders on the OSCE server:
- Open each original aucfg.ini in a text editor (e.g. Notepad) and add the following parameter before the line "[Debug]":
check_file_signature=0
For OSCE 11.0 Service Pack 1, install Hot Fix Build 3085 before adding this parameter.
- Restart the OfficeScan Master Service.
- Perform another update and verify that the issue is resolved.
If files on the OSCE server have been renamed with the "_invalid" suffix, or OSCE agents fail to upgrade to the latest build, refer to this KB article to restore the renamed files: Rename the "_invalid" files on OSCE server.
Afterwards, import the necessary certificates to the OSCE server so that digital signature checking succeeds and files are not renamed again.
The certificates can be downloaded from the following KB article: Import Comodo certificates to the problematic machines.
If the certificates cannot be imported, disable digital signature checking so that installation or upgrade can proceed even though the necessary certificates are absent:
- On the OSCE server, go to the ..\PCCSRV installation directory.
- Make a backup copy of the ofcscan.ini file.
- Save the backup copy of ofcscan.ini file in a separate directory.
- Open the original ..\PCCSRV\ofcscan.ini file for editing using Notepad.
- In the [INI_SERVER_SECTION] section, change the value of the following parameter from "1" to "0":
CheckDigitalSignatureForHotfix=0
Setting CheckDigitalSignatureForHotfix=0 disables digital signature checking on the OSCE server, which stops files from being renamed to "_invalid".
- Under the [Global Settings] section, add the following entry:
CheckDigitalSignatureForUpgrade=0
Setting CheckDigitalSignatureForUpgrade=0 disables digital signature checking for OSCE agents, which allows agent installation or upgrade to proceed.
- Save the changes made to the ofcscan.ini file.
- Restart the OfficeScan Master Service.
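Both ini procedures on this page (the aucfg.ini edit that disables the check in the update process, and the ofcscan.ini edit above) come down to the same steps: back the file up to a separate directory, set or insert a key in a specific section, and restart the OfficeScan Master Service. The following is an added example, not Trend Micro's code, that does this with a small ini helper so that the edit is repeatable and idempotent. It assumes the caller supplies the PCCSRV directory and the aucfg.ini locations (this excerpt does not list the folders), and the backup folder under $env:TEMP is an assumption. Run it in an elevated PowerShell on the OSCE server.

```powershell
# Added example (not Trend Micro's code). Assumes the PCCSRV directory and the
# aucfg.ini paths are passed in; the backup folder default is an assumption.
# Get-Content/Set-Content use the default encoding; add -Encoding to both if
# an ini file contains non-ASCII text.

function Backup-IniFile {
    param([string] $Path, [string] $BackupDir)
    if (-not (Test-Path -Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $BackupDir ('{0}.{1}.bak' -f (Split-Path -Path $Path -Leaf), $stamp)
    Copy-Item -Path $Path -Destination $dest
    $dest
}

function Set-IniKey {
    # Set Key=Value inside [Section]: replace the key if it is already there,
    # otherwise append it at the end of that section (before any blank lines
    # that separate it from the next section).
    param([string] $Path, [string] $Section, [string] $Key, [string] $Value)
    $lines = [System.Collections.Generic.List[string]]@(Get-Content -Path $Path)
    $start = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i].Trim() -eq "[$Section]") { $start = $i; break }
    }
    if ($start -lt 0) { throw "Section [$Section] not found in $Path" }
    $keyPattern = '^\s*' + [regex]::Escape($Key) + '\s*='
    $end = $start + 1
    while ($end -lt $lines.Count -and -not $lines[$end].Trim().StartsWith('[')) {
        if ($lines[$end] -match $keyPattern) {
            $lines[$end] = "$Key=$Value"
            Set-Content -Path $Path -Value $lines.ToArray()
            return "$Path : [$Section] $Key updated"
        }
        $end++
    }
    while ($end - 1 -gt $start -and $lines[$end - 1].Trim() -eq '') { $end-- }
    $lines.Insert($end, "$Key=$Value")
    Set-Content -Path $Path -Value $lines.ToArray()
    "$Path : [$Section] $Key added"
}

function Add-IniLineBefore {
    # Insert Key=Value immediately before the first line equal to $Marker
    # (here "[Debug]"); if the key already appears above the marker, update it
    # in place instead of creating a duplicate.
    param([string] $Path, [string] $Marker, [string] $Key, [string] $Value)
    $lines = [System.Collections.Generic.List[string]]@(Get-Content -Path $Path)
    $keyPattern = '^\s*' + [regex]::Escape($Key) + '\s*='
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match $keyPattern) {
            $lines[$i] = "$Key=$Value"
            Set-Content -Path $Path -Value $lines.ToArray()
            return "$Path : $Key updated"
        }
        if ($lines[$i].Trim() -eq $Marker) {
            $lines.Insert($i, "$Key=$Value")
            Set-Content -Path $Path -Value $lines.ToArray()
            return "$Path : $Key added before $Marker"
        }
    }
    throw "Marker line $Marker not found in $Path"
}

function Disable-OsceUpdateSignatureCheck {
    # The aucfg.ini procedure: check_file_signature=0 before [Debug].
    param(
        [Parameter(Mandatory)][string[]] $AucfgPath,   # every aucfg.ini listed in the KB procedure
        [string] $BackupDir = (Join-Path $env:TEMP 'osce-ini-backup')
    )
    foreach ($ini in $AucfgPath) {
        'backup: ' + (Backup-IniFile -Path $ini -BackupDir $BackupDir)
        Add-IniLineBefore -Path $ini -Marker '[Debug]' -Key 'check_file_signature' -Value '0'
    }
    Restart-Service -DisplayName 'OfficeScan Master Service'
}

function Disable-OsceHotfixSignatureCheck {
    # The ofcscan.ini procedure: server-side hotfix check and agent upgrade check.
    param(
        [Parameter(Mandatory)][string] $PccsrvPath,    # ..\PCCSRV installation directory
        [string] $BackupDir = (Join-Path $env:TEMP 'osce-ini-backup')
    )
    $ofcscan = Join-Path $PccsrvPath 'ofcscan.ini'
    'backup: ' + (Backup-IniFile -Path $ofcscan -BackupDir $BackupDir)
    Set-IniKey -Path $ofcscan -Section 'INI_SERVER_SECTION' -Key 'CheckDigitalSignatureForHotfix'  -Value '0'
    Set-IniKey -Path $ofcscan -Section 'Global Settings'    -Key 'CheckDigitalSignatureForUpgrade' -Value '0'
    Restart-Service -DisplayName 'OfficeScan Master Service'
}
```

Each function reports the backup it wrote and whether a key was updated or added, so re-running it after the certificates have been imported (with -Value '1', or by restoring the backup) is a matter of reversing the same call. Keeping the edits keyed on section names rather than line numbers is what makes the script safe against ini files whose layout differs between builds.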
The following KB articles describe other issues caused by the OS lacking necessary certificates: