Jump to content
sethwh

KSC 10 Insallation Packages Update - Signature Mismatch

Recommended Posts

Hello,

I've been running KSC 10 (Recently updated to 10.4.343) with Windows 7, 8 and  2012 R2 clients with no problem. We recently updated some workstations to Windows 10 and they needed a newer version of KES.

Now when I update to add KES 11 it only downloads 84% and hangs with this error in event viewer:

Failed to download file 'https://aes.s.kaspersky-labs.com/endpoints/keswin11/11.0.1.90/english-2778499/bb0e36ac/keswin_11.0.1.90_en_aes56.exe'. #1200 Signature mismatch for file 'C:\ProgramData\KasperskyLab\adminkit\1093\.working\wusfiles\1F\~1FF550A61EBFA43276C90EBE80DED960~.download': 'System error 0x800B0109 (A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.)

I was able to download the updated Windows Server client but the Workstation client won't download. I've updated repositories and removed the temp downloads to see if that would help but it did not.

Do I need to manually download KES and create in installation packages that way?

 

Share this post


Link to post

Sure,

I click on Remote Installation -> Installation packages -> Additional actions (drop down) -> View current version of Kaskpersky Lab applications

Then I click one of the options like Kaspersky Endpoint Security 11 (lite and strong encryption) and click download and create installation package.

Two errors are generated in the event viewer for KSC:

Error ID 1

Signature mismatch for file 'C:\ProgramData\KasperskyLab\adminkit\1093\.working\wusfiles\1F\~1FF550A61EBFA43276C90EBE80DED960~.download'. #1181 (-2146762487) System error 0x800B0109 (A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.)

Warning ID 1

Failed to download file 'https://aes.s.kaspersky-labs.com/endpoints/keswin11/11.0.1.90/english-2778499/bb0e36ac/keswin_11.0.1.90_en_aes56.exe'. #1200 Signature mismatch for file 'C:\ProgramData\KasperskyLab\adminkit\1093\.working\wusfiles\1F\~1FF550A61EBFA43276C90EBE80DED960~.download': 'System error 0x800B0109 (A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.)

The download never goes beyond 84% sometimes doesn't even get that far.

Share this post


Link to post

Hello!

It may seem that the certificate on this machine may be corrupted. 

Is it possible to re-connect the machine via reinstalling the network agent or using the utility klsrvswitch? 

Thanks!

Share this post


Link to post

I'm sorry if I wasn't clear... I can install KES client to windows 10 machines but the version I have on the server is unstable with recent updates of Windows 10. So I went to the KSC admin console to update the clients available as Installation Packages and that's were the download is failing. Not to the clients but to the server. 

Share this post


Link to post

Thank you. I downloaded 11.0.1.90 exe and unpacked the .kud files to create an installation package. I was able to install it on a Windows 10 machine. Not a big deal to do this but having the "download and create installation package" working from within the admin console is nice feature to have. I can reboot this server over the weekend and see if that might help with the mismatch.

Share this post


Link to post

Hi, i'm also having exactly the same issue after upgrading to KSC 10.4.343. I've rebooted the server and checked our firewall and can't see any issue.

I'm also having problems deploying Endpoint Security 11 to machines. I've created the installation package but it times out after 30 minutes with the error "The time interval allocated for the remote installation task expired. The task on this device will be marked as failed." It seems to copy across the files fine but it's doesn't seem to run the setup element. I'm wondering if i didn't follow the correct procedure to create the installation package.

I've tried deploying older versions of Version 10 like 10.3.0.6294 and that works fine. 

I've had to create a standalone package and run that from the machine but it's not ideal.

Any help would be appreciated

Share this post


Link to post
2 часа назад, MattM сказал:

Hi, i'm also having exactly the same issue after upgrading to KSC 10.4.343. I've rebooted the server and checked our firewall and can't see any issue.

I'm also having problems deploying Endpoint Security 11 to machines. I've created the installation package but it times out after 30 minutes with the error "The time interval allocated for the remote installation task expired. The task on this device will be marked as failed." It seems to copy across the files fine but it's doesn't seem to run the setup element. I'm wondering if i didn't follow the correct procedure to create the installation package.

I've tried deploying older versions of Version 10 like 10.3.0.6294 and that works fine. 

I've had to create a standalone package and run that from the machine but it's not ideal.

Any help would be appreciated

Hello!

Please provide us with the full GSI from KSC server.

Tank you!

Share this post


Link to post

Hello,

I have the same problem, trying to download KESB 11 Strong encryption into the Security Centre at 2 distinct client sites. It stops at 84% and logs this error: "Failed to download file 'https://aes.s.kaspersky-labs.com/endpoints/keswin11/11.0.1.90/english-2778499/bb0e36ac/keswin_11.0.1.90_en_aes256.exe'. #1200 Signature mismatch for file 'C:\ProgramData\Application Data\KasperskyLab\adminkit\1093\.working\wusfiles\E6\~E67CD8F55D2F4F5C50C58861DFC32EB7~.download': 'System error 0x800B0109 (A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.)'"

Regards,

TBL

Share this post


Link to post
Posted (edited)

Same error too. Everything else is working fine.

The problem appeared with KES 11.0.1.90 :

image.thumb.png.c368e78ac147ea4b8678adffb96e2ce6.png

The only way i found to get the package is :

1. Manually download failing packages : https://aes.s.kaspersky-labs.com/endpoints/keswin11/11.0.1.90/english-2778499/bb0e36ac/keswin_11.0.1.90_en_aes256.exe
2. Launch and choose extract path
3. In KSC, "remote installation" create a new package for Kasperky application and point to the extracted path.

I can't guide you more because i have french version installed.

 

image.thumb.png.d53f34e79d9ca5c99880b02fd1fad028.png
 

 

 

 

 

 

image.png

Edited by erickeke
trying to delete wrong capture

Share this post


Link to post

I can't send any GSI : too big. Can't open a case as i'm not the main interlocutor of my organization and can't use the company account.

I think it's something with my windows certificate :

I get :

System error 0x800B0109 (A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.)

Tried to add root certificates but didn't help.

I use Windows Server 2012, did the windows update rebooted multiple times.

 

I think my Windows is lacking some CA, i have only 39 CA :

 

image.thumb.png.a1aac7bff0bc70e39feef3e6522db0d9.png

 

Share this post


Link to post

Ok i found the origin of the problem i think.

The KES 11 files are signed with a CA that is not known by Windows. I reproduced it also on Windows 10.

 

image.thumb.png.b5c5b3662372bb9fd19f5c9bd77a30cb.png

 

You need to install the root certificate on your machine before you can download KES packages from KSC :
1) Download : the failing kes package (eventvwr.msc > Kaspersky logs) to find the url (ex : https://aes.s.kaspersky-labs.com/endpoints/keswin11/11.0.1.90/english-2778499/bb0e36ac/keswin_11.0.1.90_en_aes256.exe )
2) You need to click on "View Certificate"
3) Then install certificate, choose local computer and select "Trusted Root Certification Authorities" as target

Once i did that i successfully imported the packages from KSC.

image.thumb.png.9473068173ef0dfcc09107805988ca93.png

 

Share this post


Link to post

I think Kaspersky is using a root CA not deployed through Windows Update :

image.thumb.png.c1fae98cf0a5545c9acf72441a3551af.png

Share this post


Link to post

To be clear you should have this in your certificate store :

image.thumb.png.ad8531b464dc0fb90195abe00883e336.png

 

Share this post


Link to post
1 hour ago, erickeke said:

I think Kaspersky is using a root CA not deployed through Windows Update :

image.thumb.png.c1fae98cf0a5545c9acf72441a3551af.png

Hello.

The distribution is signed with this certificate to ensure compliance with the latest MS requirements, that the ELAM driver and all our modules be signed with the same certificate.

There is an error handling this distribution on the side of KSC, which has several workarounds including one described here, and one where the distribution is dowloaded independently and then deployed by KSC using a wrapper installer package and task.

Thank you.

Share this post


Link to post

×
×
  • Create New...

Important Information

We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.