Purpose
This will help you identify agent issues caused by out-of-date root certificates.
- Cannot install or update agent binaries in Shavlik Protect
- Installing or updating Protect agent binaries fails
- The agent interface installs, but the scanning engines, such as patch, threat, and asset engines, are missing
The STAgentUpdater.log file returns entries similar to:
2012-02-20T16:03:43.9185682Z 0790 W SingleFileDownload.cpp:340 Signature check failed - C:\ProgramData\Shavlik Technologies\Agent Data\protect.manifest.cab
2012-02-20T16:03:43.9653700Z 0790 E STAgentUpdater.cpp:629 Update failed with error: class STCore::CInvalidOperationException at XmlDomManagement.cpp:356: Error loading XML document from 'C:\ProgramData\Shavlik Technologies\Agent Data\Protect.manifest.xml': The system cannot locate the object specified.
<somepatch>.msi failed signature check
Cause
The root certificates on the target agent machine are expired or out of date.
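One way to triage collected STAgentUpdater.log files for the entries quoted above is sketched below. This is an added example, not Shavlik's code. The field layout (timestamp, thread ID, level, source file and line, message) is an assumption inferred from the two sample entries, and the function names and the first sample line are constructed.

```python
import re

# Layout inferred from the sample entries: timestamp, thread id, level, source:line, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+Z)\s+(?P<tid>[0-9A-Fa-f]+)\s+(?P<level>[A-Z])\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\s+(?P<msg>.*)$"
)
SIG_FAIL_RE = re.compile(r"Signature check failed - (?P<path>.+)$")

# Sample input: the first line is constructed; the other two are the entries quoted in this article.
SAMPLE_LOG = r"""
2012-02-20T16:03:42.1000000Z 0790 I Constructed.cpp:1 constructed informational line
2012-02-20T16:03:43.9185682Z 0790 W SingleFileDownload.cpp:340 Signature check failed - C:\ProgramData\Shavlik Technologies\Agent Data\protect.manifest.cab
2012-02-20T16:03:43.9653700Z 0790 E STAgentUpdater.cpp:629 Update failed with error: class STCore::CInvalidOperationException at XmlDomManagement.cpp:356: Error loading XML document from 'C:\ProgramData\Shavlik Technologies\Agent Data\Protect.manifest.xml': The system cannot locate the object specified.
"""

def parse(text):
    """Yield one dict per line that matches the inferred layout; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()

def triage(text):
    """Collect files that failed the signature check and update errors logged after them."""
    failed, errors = {}, []
    for rec in parse(text):
        sig = SIG_FAIL_RE.search(rec["msg"])
        if sig:
            # Keep the first time each file failed verification.
            failed.setdefault(sig.group("path").strip(), rec["ts"])
        elif rec["level"] == "E" and failed and rec["msg"].startswith("Update failed"):
            errors.append(rec["ts"])
    return {
        "signature_failures": failed,
        "update_errors_after_failure": errors,
        # A hint to inspect the machine's root certificates, not proof of the cause.
        "check_root_certs": bool(failed),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```
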
Solution
To resolve this issue, the root certificates of the client (agent) machine must be updated. You can apply the updates using Protect.
To Apply the Updates:
- Create a custom patch scan template that includes the patch type filter Security Tools.
- Run a scan on the target machine and then look for the bulletins MSRC-001 or MSRC-002.
Related Document: How to Find/Exclude Specific Patches in Scan Results.
MSRC-001 is for Windows XP and 2003. For newer operating systems, such as Vista, 2008, and Windows 7, the root certificates are automatically updated if the machine is connected to the Internet. However, if you have to apply the update manually, you should be able to deploy MSRC-002 from Protect.
You cannot update root certificates on operating systems that are not within the Microsoft support lifecycle. Ensure that you are using a supported operating system and service pack level.
If the computer is not connected to the Internet and cannot update these files automatically, they must be downloaded and distributed manually. Though Protect designates two different bulletin IDs for root certificates (MSRC-001 and MSRC-002), they both use the same patch from Microsoft. If root certificates need to be installed but Protect is unable to do so, download the patch directly from Microsoft and run it.
Download Here
When you run the exe, it will run and vanish. It will not give a completion message.
The patch states it is for XP, but the article below, under the section "Root update package installation on disconnected environments", states that it works on other operating systems as well.
Microsoft Article: Windows Root Certificate Program members
Affected Product(s)
Shavlik Protect 9.x