EDR: Sensor installation fails with error "Failed to validate upgrade package signature: 0x80096005: Facility[9] Code[6005] Severity[1] The timestamp signature and/or certificate could not be verified or is malformed."

Article ID: 285981

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Upgrading the EDR sensor fails with the following message:
"Failed to validate upgrade package signature: 0x80096005: Facility[9] Code[6005] Severity[1] The timestamp signature and/or certificate could not be verified or is malformed."
  • Endpoint is not connected to the internet and cannot update the CRL or Root Certification Authorities list from Microsoft
  • Certificate chain on the signing certificate is missing or incomplete on the upgrade.exe file in the EDR sensor installer package

Environment

  • EDR Windows Sensor: 7.x and Higher
  • Windows OS: All Supported Versions
  • Endpoints are air-gapped or disconnected from the internet

Cause

Endpoints are disconnected from the internet and have not updated their Root Certificate Authorities to include the ones needed to validate the signing certificate of the EDR sensor installer files. "Windows updates a trusted root certificate (CTL) once a week", and these updated roots may be needed to install or run signed scripts and apps.

Resolution

  1. Connect a Windows endpoint to the Internet and run Windows Update to get the latest CRL and Root Certificate Authorities.
  2. Export the VerisignRoot.cer and DigicertRoot.cer from the Internet-accessible Windows endpoint. (Optionally, export SymantecIntermediate.cer and DigicertTimeStamping.cer; however, they are included in the CB upgrade.exe binary.)
       a. In the search bar, type 'certmgr' or 'certlm.msc'.
       b. On the left, select Trusted Root Certification Authorities > Certificates.
       c. Right-click "DigicertRoot Assured ID Root CA".
       d. Select All Tasks > Export.
       e. If the wizard pops up, click Next, then select "DER encoded binary X.509 (.CER)".
       f. Name the file DigicertRoot.cer, and click Finish.
       g. Repeat steps A-E for the "VeriSign Class 3 Public Primary Certification Authority - G5", naming the file VerisignRoot.cer.
       h. Optionally, export:
            • "Symantec Class 3 SHA256 Code Signing CA" (name the file SymantecIntermediate.cer) and
            • "DigiCert SHA2 Assured ID Timestamping CA" (name the file DigicertTimeStamping.cer).
  3. Copy the DigicertRoot.cer and VerisignRoot.cer files to the gapped environment for deployment to Windows endpoints.
  4. Deploy the certs remotely to gapped endpoints. The commands can be used to deploy via an MDM solution.
       a. Open an admin-level command prompt.
       b. Change to the directory containing the certificates.
       c. Add the VeriSign root certificate to "Trusted Root Certificate Authorities":
            certutil -addstore -f ROOT VerisignRoot.cer
       d. Add the Digicert root certificate to "Trusted Root Certificate Authorities":
            certutil -addstore -f ROOT DigicertRoot.cer
       e. Optionally, add the two other intermediate certificates (which are included in the upgrade.exe):
            certutil -addstore CA SymantecIntermediate.cer
            certutil -addstore CA DigicertTimeStamping.cer
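
The following PowerShell script is an added example, not vendor-supplied code. It wraps step 4 so it can be pushed by a deployment tool: it checks each .cer file against a thumbprint recorded on the export host before trusting it, runs the same certutil commands, and then re-checks the Authenticode signature on upgrade.exe. The thumbprint check is an added precaution; the thumbprint values and the upgrade.exe path are placeholders to fill in.

```powershell
# Added example (not vendor code). File names come from the steps above; the
# thumbprints and the upgrade.exe path are placeholders you must fill in.
param(
    [string]$CertDir    = '.',
    [string]$UpgradeExe = '<path-to-sensor-package>\upgrade.exe'
)

# Thumbprints recorded on the Internet-connected export host (placeholders).
$certs = @(
    @{ File = 'VerisignRoot.cer';         Store = 'Root'; Expected = '<VERISIGN-ROOT-THUMBPRINT>' }
    @{ File = 'DigicertRoot.cer';         Store = 'Root'; Expected = '<DIGICERT-ROOT-THUMBPRINT>' }
    @{ File = 'SymantecIntermediate.cer'; Store = 'CA';   Expected = '<SYMANTEC-INTERMEDIATE-THUMBPRINT>' }
    @{ File = 'DigicertTimeStamping.cer'; Store = 'CA';   Expected = '<DIGICERT-TIMESTAMPING-THUMBPRINT>' }
)

foreach ($c in $certs) {
    $path = Join-Path $CertDir $c.File
    if (-not (Test-Path $path)) {
        # The two intermediates are optional in the article, so a missing file is not fatal.
        Write-Warning "$($c.File) not found, skipping"
        continue
    }
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $path).Path)
    # Refuse to extend machine-wide trust to a file that changed in transit.
    if ($cert.Thumbprint -ne $c.Expected) {
        throw "$($c.File): thumbprint $($cert.Thumbprint) does not match the recorded value"
    }
    if (Test-Path "Cert:\LocalMachine\$($c.Store)\$($cert.Thumbprint)") {
        Write-Output "$($c.File): already present in $($c.Store)"
        continue
    }
    # Same certutil commands as in the steps above (-f only for the root store).
    if ($c.Store -eq 'Root') { certutil -addstore -f ROOT $path | Out-Null }
    else                     { certutil -addstore CA $path | Out-Null }
    if ($LASTEXITCODE -ne 0) { throw "certutil failed for $($c.File) (exit $LASTEXITCODE)" }
    Write-Output "$($c.File): added to $($c.Store)"
}

# Re-check the Authenticode signature on the package that failed with 0x80096005.
$sig = Get-AuthenticodeSignature -FilePath $UpgradeExe
$sig | Format-List Status, StatusMessage,
    @{ n = 'Signer';      e = { $_.SignerCertificate.Subject } },
    @{ n = 'TimeStamper'; e = { $_.TimeStamperCertificate.Subject } }
if ($sig.Status -ne 'Valid') { throw "upgrade.exe signature still not valid: $($sig.Status)" }
```

Run it from an elevated PowerShell session; the thumbprint of each exported certificate can be read on the export host from the certificate's Details tab.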
 

Additional Information

  • The CB update.exe digital signature chain.