Endpoint Protection

  • 1.  Crypt32 Event ID 11 with SEP

    Posted Jan 12, 2010 03:52 PM

    Has anyone else noticed the following error in your Windows Application event logs on only your SEP clients (i.e. I don't see these on SAVCE systems)?  This came from my Altiris server although I see a similar message on our XP workstations except the text at the end instead says "An internal certificate chaining error has occurred."  I have an open case with Symantec but tech support has yet to find the source of these errors.  Note that I don't get these errors on an unmanaged SEP client.  Let me know if you have any ideas.  Thanks!


    Event Type: Error
    Event Source: crypt32
    Event Category: None
    Event ID: 11
    Date:  1/12/2010
    Time:  10:31:58 AM
    User:  N/A
    Computer: CCHALTIRIS
    Description:
    Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A certificate chain could not be built to a trusted root authority.


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
     



  • 2.  RE: Crypt32 Event ID 11 with SEP

    Posted Jan 12, 2010 04:29 PM
    Crypt32 error 8 in the log is expected if you are running in a proxy environment and have not set up proxy credentials for the SYSTEM account on the system.  Error 11 is indicating that the signed third party root update from MS can't be extracted.  It sounds like you have an expired root certificate in your environment.  You should apply the root cert update directly from Microsoft.

    The reason you see this with SEP is that we digitally sign our modules (which is a best practice) AND we confirm their signatures at run time (this is for security reasons).  During that verification cryptoapi automatically attempts to update its trusted root list.

    Cheers,
    Bill


  • 3.  RE: Crypt32 Event ID 11 with SEP

    Posted Jan 12, 2010 04:29 PM
    Here check this out: http://www.eventid.net/display.asp?eventid=11&eventno=2686&source=crypt32&phase=1

    Much of its content below

    ==============================================================

    Adrian Grigorof (Last update 12/4/2008):
    The 0x800B0101 error means CERT_E_EXPIRED or "This certificate trust list is not valid. The certificate that signed the list is not valid."

    From a post from an MS engineer: "It appears that your system is attempting to download an expired update of the trusted root authorities. If your applications using SSL are working ok this is not a problem and will likely be a transient issue."

    From a newsgroup post: "I have managed to solve this error by downloading the authrootstl.cab manually and installing the certificate manually too. I have not seen the error event anymore since then. I also replaced the crypt32.dll just to be on the safe side."

    Analyzing the Update.log and iuhist.xml files may provide additional information on why this error occurred.

    * * *

    According to Microsoft you should check permissions on the temporary directory where the cabinet file is downloaded:
    - Navigate to the temporary directory on the local computer. By default, the temporary directory is located at %userprofile%\AppData\Local\Temp.
    - Right-click the temporary directory, and then click Properties.
    - Click the Security tab.
    - Ensure that the user account logged on to the computer has Full Control permissions.

    You can verify that the Automatic Root Certificates Update component is working properly by using a Web browser to open a Web site that requires the Automatic Root Certificates Update component. When you open this Web site, a new root certificate is downloaded from the Microsoft Windows Update Web site. If the certificate is downloaded successfully, Event ID 1 in the Microsoft-Windows-CAPI2 event source will be written to the event log.

    * * *

    Error: The directory name is invalid. - A Microsoft support engineer considered that this is caused by a revoked certificate and recommended M329433 for a hotfix.

    Geert Zandman (Last update 10/8/2003):
    I had this problem and in my case the system time was wrong, it was 2080 not 2003 so the certificates were no longer valid. I don't know who changed the system time or how, but I saw w32time event IDs in the event log as well.


  • 4.  RE: Crypt32 Event ID 11 with SEP

    Posted Jan 13, 2010 09:10 AM
    Hi Clint,

    Here's Symantec's article about the Event ID 8 issue, which I suspect has the same root cause.... Several Events ID 8 about crypt32 after installing Symantec Endpoint Protection (SEP)

    Please let the forum know if this helps!

    Thanks and best regards,

    Mick


  • 5.  RE: Crypt32 Event ID 11 with SEP

    Posted Jan 13, 2010 12:48 PM
    I already knew about using "proxycfg -u" to eliminate Event ID 8 errors, whereas I'm instead seeing Event ID 11 errors in the Application event log of all my SEP clients I've checked thus far.  MS KB article 329433 regarding the selection of a revoked certificate sounds close, although I'm getting the errors on my W2k3 servers as well, to which the article doesn't apply.  An expired root certificate could be a possibility, but how do I figure out which one(s) in my domain is causing these errors?  Guess I don't know what trusted root list cryptoapi is automatically checking every 30 minutes on our SEP clients.

    Clint


  • 6.  RE: Crypt32 Event ID 11 with SEP

    Posted Jan 19, 2010 06:11 PM
    I have found the root cause of this issue. No one in Symantec could tell me the root cause, I figured it out for myself in the end. If you are getting Event ID 8 errors in the Event Log after installing SEP, it's because SEP is using a self-signed certificate for client-server communication. Windows attempts to find the trusted root for the certificate, but because the computer account has no proxy set (or no proxy access), the update fails. This is triggered more often after SEP is installed as SEP keeps trying to use the self-signed certificate.

    1) Computer account doesn't have a proxy set, so can't get out to the Windows Update website
    2) SEP is using a self-signed certificate for client/server communication
    3) SEP uses the self-signed certificate and Windows can't find a trusted root certification authority
    4) "Update Root Certificates" component tries to connect to the internet to see if there is a new trusted certificate authority (see Turn off Automatic Root Certificates Update - http://technet.microsoft.com/en-us/library/cc749503(WS.10).aspx )
    5) Update root certificate doesn't work as the connection times out

    Our solution:

    1) Turn off the updating of root certificates from the internet via GPO (see http://technet.microsoft.com/en-us/library/cc749503(WS.10).aspx )
    2) Install root certificates as part of the Windows Updates (this package does the same thing - http://support.microsoft.com/kb/931125 )
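Clint's question in post 5 (which root is causing this?) and the root-cause list in post 6 come down to a few checks on one client. The PowerShell script below is an added example, not from the thread or from Symantec; it assumes Windows PowerShell on the affected machine and that the GPO from post 6 writes the DisableRootAutoUpdate registry value named in the comments.

```powershell
# Added triage script (not from the thread): checks one Windows machine for the
# crypt32 Event ID 8/11 symptoms discussed above. Run from an elevated prompt.

# 1. Count recent crypt32 Event ID 8 and 11 entries and show the latest message.
#    Get-EventLog reads the classic Application log, so it also works on XP/2003.
$crypt = Get-EventLog -LogName Application -Source crypt32 -Newest 200 -ErrorAction SilentlyContinue |
    Where-Object { @(8, 11) -contains $_.EventID }
$crypt | Group-Object EventID | ForEach-Object {
    $latest = $_.Group | Sort-Object TimeGenerated -Descending | Select-Object -First 1
    "Event ID {0}: {1} occurrence(s); latest {2}: {3}" -f $_.Name, $_.Count, $latest.TimeGenerated, $latest.Message
}

# 2. Expired or not-yet-valid certificates in the machine Trusted Root store.
#    A stale root (post 2) or a wrong system clock (post 3) both surface here:
#    many "not yet valid" roots mean the clock is behind; many expired, ahead or stale.
$now   = Get-Date
$roots = Get-ChildItem Cert:\LocalMachine\Root
$bad   = @($roots | Where-Object { $_.NotAfter -lt $now -or $_.NotBefore -gt $now })
"{0} of {1} trusted roots are outside their validity period as of {2}" -f $bad.Count, @($roots).Count, $now
$bad | Select-Object Subject, NotBefore, NotAfter, Thumbprint | Format-Table -AutoSize

# 3. The root-list download runs as the computer account and uses the WinHTTP proxy,
#    not the user's browser proxy (post 2). On XP/2003 the equivalent tool is proxycfg.
netsh winhttp show proxy

# 4. Is the "Turn off Automatic Root Certificates Update" policy (post 6) applied?
#    Assumption: that GPO sets DisableRootAutoUpdate=1 under the AuthRoot policy key.
$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRootAutoUpdate -eq 1) {
    "Automatic root update is disabled by policy; keep roots current with the KB 931125 package."
} else {
    "Automatic root update is enabled; CryptoAPI will keep trying to fetch authrootstl.cab."
}
```

If step 2 lists roots whose NotBefore is in the future, check the clock before anything else; if step 3 shows no proxy and step 4 says enabled, the client matches the scenario in post 6.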