Apex One agents use public-key cryptography to authenticate the communications that the Apex One server initiates with agents. With public-key cryptography, the server keeps a private key and deploys a public key to all agents. The public and private keys belong to a certificate generated by the Apex One installer.
During the installation of the Apex One server, setup stores this certificate in the host's certificate store. The security agents use the public key to verify that an incoming communication is server-initiated and valid, and they respond only if the verification succeeds.
Usually, a missing or mismatched public key (OfcNTCer.dat) results in server-agent communication failure. Additionally, the administrator or end user may observe other symptoms such as:
- A warning message “One or more Security Agents do not have a valid Apex One server certificate” appears on the Dashboard after logging onto the Apex One web console.
- Apex One agents are unable to receive new configurations deployed from the Apex One server or to send logs and virus detections to the Apex One server, even when the agents show as "Online" in the agent tree.
Refer to this KB article to resolve the missing or mismatched certificate issue: "Apex One Agents do not have a valid Apex One Server certificate" appears on the dashboard.
Below are several options to deploy this certificate to the agents:
Since Apex One 10.0 Hot Fix Build 1848, a feature checks the integrity of program files by verifying their digital signature before loading them.
Apex One uses Windows functions to check file signatures. Typically, the required certificates are downloaded and installed via Microsoft Windows Update. However, if the certificates were not installed properly or are missing (for example, Windows Update is disabled or the server/agent machine is placed in an isolated network), the file signature check fails and leads to different kinds of issues.
When Windows OS lacks necessary certificates, the following issues may occur on Apex One 10.6, 11.0, and XG:
- You are unable to install the ActiveX components of the Apex One web console, which makes it inaccessible.
- A prompt says that the AtxEnc.cab is signed by an Unknown Publisher and the file is blocked because it does not have a valid digital signature that verifies its publisher.
- The security agent’s process cannot verify Inter-Process Communication (IPC).
- Files are renamed as “_Invalid” on the Apex One server.
- Security agents remain in the "Updating" state and fail to get their updates from the server.
- Real-Time Scan does not start after installing or upgrading.
- The Apex One server fails to perform ActiveUpdate and the error "ActiveUpdate self integrity check fail" appears, because the pattern update fails (Apex One 11.0).
Refer to this KB article to check the required certificates via Microsoft Management Console (MMC): Verifying certificates to prevent update process and file signature checking failure in Apex One.
Also refer to the following KB article to troubleshoot certificate-related issues: Import Comodo certificates to the problematic machines.
If files on the Apex One server are being renamed to "_invalid", or the Apex One agents fail to upgrade to the latest build, refer to this KB article to restore the renamed files: Rename the "_invalid" files on Apex One server.
Afterwards, import the necessary certificates to the Apex One server so that digital signature checking succeeds and files are not renamed again.
The certificates can be downloaded from the following KB article: Import Comodo certificates to the problematic machines.
However, if the certificates cannot be imported, disable the digital signature checking feature as a workaround so that the installation or upgrade can proceed even though the necessary certificates are not present:
- On the Apex One server, go to the ..\PCCSRV installation directory.
- Make a backup copy of the ofcscan.ini file.
- Save the backup copy of ofcscan.ini file in a separate directory.
- Open the original ..\PCCSRV\ofcscan.ini file for editing using Notepad.
- Go to the [INI_SERVER_SECTION] section and change the following parameter value from "1" to "0":
  CheckDigitalSignatureForHotfix=0
  Setting CheckDigitalSignatureForHotfix=0 disables digital signature checking on the Apex One server, which prevents files from being renamed to "_invalid".
- Under the [Global Settings] section, add the entry below:
  CheckDigitalSignatureForUpgrade=0
  Setting CheckDigitalSignatureForUpgrade=0 disables digital signature checking for Apex One agents, which allows the agent installation or upgrade to proceed.
- Save the changes made to the ofcscan.ini file.
- Restart the Apex One Master Service.
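The ofcscan.ini edit from the steps above, as an added example (not Trend Micro's tooling): it sets the two parameters in an in-memory copy of the file without rewriting any other line, adding the key or even the section when it is missing. The ini text is a constructed stand-in, and the backup copy from the earlier steps is still the caller's job.

```python
import re

# Constructed stand-in for ..\PCCSRV\ofcscan.ini; only the two sections the
# procedure touches are shown. A real file has many more sections and keys.
SAMPLE_INI = """[INI_SERVER_SECTION]
ServerName=apexone-srv
CheckDigitalSignatureForHotfix=1

[Global Settings]
SomeOtherSetting=5
"""


def set_ini_value(text: str, section: str, key: str, value: str) -> str:
    """Return text with key=value set inside [section], keeping every other
    line verbatim (no configparser round-trip, so nothing else is rewritten).
    The key is appended to the section if absent; the section itself is
    appended to the file if absent. Names match case-insensitively."""
    out, in_section, seen_section, done = [], False, False, False
    for line in text.splitlines():
        header = re.match(r"^\s*\[(.+?)\]\s*$", line)
        if header:
            if in_section and not done:  # leaving target section: add key
                idx = len(out)
                while idx > 0 and not out[idx - 1].strip():
                    idx -= 1  # keep blank separator lines after the key
                out.insert(idx, f"{key}={value}")
                done = True
            in_section = header.group(1).lower() == section.lower()
            seen_section = seen_section or in_section
        elif in_section and not done and re.match(
            rf"^\s*{re.escape(key)}\s*=", line, re.IGNORECASE
        ):
            line, done = f"{key}={value}", True  # replace existing value
        out.append(line)
    if not done:  # target section was last in file, or missing entirely
        if not seen_section:
            if out and out[-1].strip():
                out.append("")
            out.append(f"[{section}]")
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def disable_signature_checks(text: str) -> str:
    """Apply both edits from the procedure: server hotfix and agent upgrade checks."""
    text = set_ini_value(text, "INI_SERVER_SECTION", "CheckDigitalSignatureForHotfix", "0")
    return set_ini_value(text, "Global Settings", "CheckDigitalSignatureForUpgrade", "0")
```

Calling set_ini_value with the value "1" reverts each parameter once the certificates from the KB article above have been imported and signature checking can succeed again.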
The following KB articles describe other issues caused by the OS lacking necessary certificates:
Files are renamed as "_invalid" in the Apex One server