Error: "Not Connected to ThreatPulse - Failure Mode (Closed)" in Unified Agent/WSS Agent; cannot connect to Internet

Article ID: 167008

Products

Web Security Service - WSS

Issue/Introduction

The Symantec Unified Agent/WSS Agent cannot connect to the Internet. In the GUI you see the error, "Not Connected to ThreatPulse - Failure Mode (Closed)."

  • Error: Not Connected to ThreatPulse - Failure Mode (Closed)
  • Error: Server's certificate failed validation at depth: 1, CN = Entrust Certification Authority - L1C, error = unable to get local issuer certificate
  • Error: Switching to DENY mode since the certificate was invalid

Resolution

To resolve the issue, install the Entrust CA (2048) root certificate onto the workstation. You can manually download the certificate from Entrust's site, or you can download the latest Microsoft root certificate update from Microsoft's website. This document includes both ways of updating the client. 

Note: The workstation is effectively shut down and cannot reach the Internet. You can download the necessary updates to a USB stick and install them onto the affected workstation from the USB drive. If that is not possible, uninstall the client, install the Entrust CA (2048) certificate using one of the methods below, and reinstall the Unified Agent/WSS Agent.

Downloading the Entrust CA (2048) Root Certificate from Entrust.net

  1. Go to https://www.entrust.com/get-support/ssl-certificate-support/root-certificate-downloads/
  2. Select Entrust.net Certificate Authority (2048) (file download entrust_2048_ca.cer). You can also download the file directly.
  3. Double-click the downloaded root certificate and install it into the workstation's root certificate store.
  4. If the client is still installed on the workstation, reboot the workstation. Once the certificate is properly installed, then the errors go away. If a single reboot doesn't remedy the problem, you may want to try another reboot.
  5. If UA installs but does not run on Windows 7, see Unified Agent unable to connect on unpatched Windows 7.

NOTE: On some workstations that have not been updated in a long time, or that have no patches beyond Windows XP SP3, the client continues to return the L1C error described in the problem description even with the Entrust Root CA (2048) installed. The workaround is to go to https://support.microsoft.com/kb/931125 and download and install the latest root certificate update patch. Even on a workstation running Windows XP SP3 with no later patches, installing the root certificate update from KB931125 is sufficient to get the client installed and working. Symantec does not recommend that customers run computers that far out of date. Operating systems that are out of date can be exposed to security vulnerabilities.

Downloading Root Certificates from Microsoft

For Windows XP users, about once per quarter, Microsoft updates their root certificates. Symantec recommends that the latest root certificate update is installed on the workstation via Windows Update under the "Optional" downloads section. Microsoft KB931125 (http://support.microsoft.com/kb/931125) documents the process for the various Windows OSes.

Troubleshooting

Unified Agent:

Right-click the Unified Agent icon in the system tray and select Status > Advanced > Show File. Search the log file for "Entrust Certification Authority" to see whether the log contains the error described above. If so, download the Entrust CA (2048) certificate and install it on the workstation.

WSS Agent:

Right-click the WSS Agent icon in the system tray and select Open Symantec WSS Agent > Support. Search the log file for "Entrust Certification Authority" to see whether the log contains the error described above. If so, download the Entrust CA (2048) certificate and install it on the workstation.
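The log search described above can be scripted when many saved agent logs have to be checked. The following is an added example, not Symantec's code: it parses the validation-failure message quoted in this article and notes whether the agent then failed closed. The timestamp prefix, the sample lines and the "certificate has expired" error text are assumptions.

```python
import re

# Message text as quoted in this article; anything before it on the line is ignored.
VALIDATION_RE = re.compile(
    r"Server's certificate failed validation at depth: (?P<depth>\d+), "
    r"CN = (?P<cn>.+?), error = (?P<error>.+?)\s*$"
)
DENY_MARKER = "Switching to DENY mode since the certificate was invalid"

# Verify error text -> remediation in this article. The second key is an
# assumption: it is the standard OpenSSL wording for an expired certificate.
REMEDIATION = {
    "unable to get local issuer certificate":
        "Entrust CA (2048) root missing from trust store: install it",
    "certificate has expired":
        "expired certificate in the chain: check for a stale Entrust root",
}

def triage(lines):
    """Return one finding per certificate validation failure in the log."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if DENY_MARKER in line and findings:
            findings[-1]["fail_closed"] = True  # agent blocked traffic afterwards
            continue
        match = VALIDATION_RE.search(line)
        if match:
            findings.append({
                "line": number,
                "depth": int(match.group("depth")),
                "cn": match.group("cn"),
                "error": match.group("error"),
                "fail_closed": False,
                "action": REMEDIATION.get(match.group("error"),
                                          "not covered here: contact support"),
            })
    return findings

# Constructed sample input (not a real agent log).
SAMPLE_LOG = """\
2024-01-01 09:00:02 Error: Server's certificate failed validation at depth: 1, CN = Entrust Certification Authority - L1C, error = unable to get local issuer certificate
2024-01-01 09:00:02 Error: Switching to DENY mode since the certificate was invalid
2024-01-01 09:00:03 Error: Not Connected to ThreatPulse - Failure Mode (Closed)
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with `fail_closed` set and the "unable to get local issuer certificate" error is the case this article resolves by installing the root certificate.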

Additional Information

Unified Agent/WSS Agent uses the Entrust CA (2048) root certificate. This error occurs when the Entrust CA (2048) root certificate is not installed on the workstation. When the client is installed in interactive mode, it detects if the root certificate is installed. If the Entrust CA (2048) is not installed, then the client installation fails. However, when the client is run in non-interactive mode (/quiet switch used), then the root certificate check is not performed and the client installs. Clients newer than 1.4.12000.0 check for the Entrust Root CA (2048) in both interactive and non-interactive mode. Unified Agent/WSS Agent always checks for the Entrust certificate before install. If you experience a problem with the client not checking for the Entrust root cert, go to https://portal.threatpulse.com/ and download the latest version of the client and rerun your test. If it continues to be an issue, then please contact Symantec Technical Support and open a service request.

How to delete an expired Entrust certificate from macOS

  1. Restart system in Recovery mode to disable SIP (csrutil disable)
  2. Restart system for SIP change to take effect
  3. Remove expired Entrust cert based on hash
    sudo security delete-certificate -Z 801D62D07B449D5C5C035C98EA61FA443C2A58FE /System/Library/Keychains/SystemRootCertificates.keychain
  4. Restart system in Recovery mode to enable SIP (csrutil enable)
  5. Restart system for SIP change to take effect

The process for installing the Entrust certificate on macOS is the same as on Windows: double-click the downloaded root certificate and install it on the machine.