Endpoint Protection


Flooding with "Crypt32" error in clients

  • 1.  Flooding with "Crypt32" error in clients

    Posted Dec 19, 2010 02:59 AM


    Hi All

    Most of my client machines are flooded with Crypt32 (event ID 8) errors after the upgrade from Symantec Endpoint Protection 11 RU6 MP1.

    I saw some remarks in older discussions but they refer to a network that is connected to the internet.

    My network is NOT CONNECTED to the web and we don't use proxy services.

    Any ideas how to solve it?

    Thanks and regards.

    Mike



  • 2.  RE: Flooding with "Crypt32" error in clients

    Posted Dec 19, 2010 06:25 AM

    There is currently no solution from Symantec that I'm aware of. This started with RU6.

    Basically, the error means it cannot connect to the Microsoft site to download the trusted root certificate. With your machines, this is why the error is happening.

    You can try downloading and running the manual update for XP:

    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f814ec0e-ee7e-435e-99f8-20b44d4531b0&displaylang=en

    If you're running XP, you can stop this error by going to:

    Control Panel >> Add/Remove Programs >> Add/Remove Windows Components >> Scroll down and uncheck Update Root Certificates >> hit Next to uninstall, and the error messages in the Event Log will go away.

    Yes, this is not a true fix but only a workaround, and probably not a good one, but it is a quick fix in a pinch.

    Otherwise, you can set a GPO to empty the Event Viewer after a set period of time:

    http://technet.microsoft.com/en-us/library/bb457160.aspx

    If you're running a different OS, you should be able to Google it. I've only had the issue with XP since that is what we still run.



  • 3.  RE: Flooding with "Crypt32" error in clients
    Best Answer

    Posted Dec 19, 2010 09:32 AM

    Cause

    This behavior can occur if the Update Root Certificates component is turned on and the computer cannot connect to the Windows Update server on the Internet. The Update Root Certificates component automatically updates trusted root-certificate authorities from the Microsoft Update server at regular intervals. The computer may not be able to connect to the Windows Update Server due to incorrectly configured proxy settings. Symantec Endpoint Protection makes use of the SYSTEM account for the proxy settings which are obtained from a different set of registry keys.

    Solution

    Symantec Endpoint Protection interfaces with Windows Security Center (WSC); it receives notifications and tells WSC the status of AntiVirus/Spyware, Firewall, and PTP. Symantec Endpoint Protection uses a defined set of APIs from Microsoft to interface with WSC that were created for Windows XP and Vista. These APIs were originally labeled as having a limited life span. Upon the release of Windows Vista SP1 and Windows 7, Microsoft moved to a newer set of APIs to interact with WSC and Action Center in Windows 7. As the end of life approached for the Windows XP/Vista WSC APIs, Symantec adopted the newer set of APIs in Symantec Endpoint Protection 11.0.5002 (RU5), since the older APIs will no longer be supported by Microsoft.

    When these binaries are initially validated, an internet connection is required to resolve the new certificate or you will see crypt32 event log errors.

    The new APIs are actually intended for Windows Vista SP1 and Windows 7. Microsoft recommends disabling the Root Certificate Update service assuming the computer will never connect to the internet, without this connection the computer will never receive the root certificate updates. Please see http://support.microsoft.com/default.aspx?scid=kb;en-US;2253680 for more details.

    If the computer is connected through a proxy, use the following steps to stop the crypt32 errors:
    1. Allow the computer to connect to the Windows Update Server
    2. Configure the proxy settings correctly for the SYSTEM account
    3. Follow the instructions per Microsoft article: http://support.microsoft.com/kb/317541
    4. On the Symantec Endpoint Protection computer open a command window:
    a. Click Start > Run
    b. Type CMD and press Enter
    c. Type proxycfg -u and press Enter (imports current user settings)
    5. Restart Internet Information Services (if installed and enabled)


    Event ID 8 notification about crypt32 seen in Application log after installing Symantec Endpoint Protection 11.0.5 or later client

    http://www.symantec.com/docs/TECH106277
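    As an added example (it is not from this thread, from Symantec, or from the Microsoft articles linked above), the PowerShell below runs the three checks the post above points at on a single client: how many Crypt32 event ID 8 entries the Application log holds, which proxy the SYSTEM account's WinHTTP stack actually uses (the setting proxycfg -u imports on XP), and whether the Automatic Root Certificates Update policy from KB2253680 is in effect. It assumes PowerShell 2.0 or later; the netsh winhttp commands are the Vista/Windows 7 equivalent of proxycfg, and the -Offline switch and the seven-day window are my own choices.

```powershell
# Added example: triage Crypt32 event ID 8 on one client.
# Assumes PowerShell 2.0+. On XP/2003 replace the netsh winhttp lines
# with "proxycfg" (show) and "proxycfg -u" (import the user's IE settings).
param(
    # -Offline: the machine will never reach Windows Update, so apply the
    # KB2253680 policy (turn off Automatic Root Certificates Update) instead
    # of uninstalling the component as post 2 suggests. Assumed switch name.
    [switch]$Offline
)

# 1. How bad is the flooding? Source name is "crypt32" on XP/2003; the
#    newest message includes the URL the component failed to download.
$since = (Get-Date).AddDays(-7)
$crypt32 = @(Get-EventLog -LogName Application -Source crypt32 -After $since `
                 -ErrorAction SilentlyContinue | Where-Object { $_.EventID -eq 8 })
"{0} Crypt32 event ID 8 entries since {1:yyyy-MM-dd}" -f $crypt32.Count, $since
if ($crypt32.Count -gt 0) { "Newest: " + $crypt32[0].Message }

# 2. Proxy seen by services running as SYSTEM (WinHTTP). This is a separate
#    setting from the per-user Internet Options proxy, which is why a client
#    that browses fine through a proxy can still log event ID 8.
"--- WinHTTP (SYSTEM) proxy ---"
netsh winhttp show proxy
# If it reads "Direct access (no proxy server)" on a proxied network, copy the
# logged-on user's IE proxy into WinHTTP (the netsh form of "proxycfg -u"):
#   netsh winhttp import proxy source=ie

# 3. Is Automatic Root Certificates Update already turned off by policy?
#    GPO: Computer Configuration > Administrative Templates > System >
#    Internet Communication Management > Internet Communication settings >
#    "Turn off Automatic Root Certificates Update", which writes this value.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$disabled  = (Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate `
                  -ErrorAction SilentlyContinue).DisableRootAutoUpdate
if ($disabled -eq 1) {
    "Automatic Root Certificates Update: OFF by policy (no further event ID 8 expected)"
} elseif ($Offline) {
    # Isolated network: set the policy value rather than removing the component,
    # so the client can be re-enabled centrally if it ever gets an update path.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -PropertyType DWord `
        -Value 1 -Force | Out-Null
    "Automatic Root Certificates Update: now OFF by policy (KB2253680 workaround)"
} else {
    "Automatic Root Certificates Update: ON (default); an isolated client will keep logging event ID 8"
}

# 4. Sanity check on the root store itself: the AuthRoot store holds the
#    third-party roots the update mechanism (or the manual rootsupd package
#    linked in post 2) delivers. A very small count means the manual update
#    has never been applied on an isolated client.
$authRoot = @(Get-ChildItem Cert:\LocalMachine\AuthRoot)
$newest   = $authRoot | Sort-Object NotBefore -Descending | Select-Object -First 1
"AuthRoot store: {0} certificates, newest issued {1:yyyy-MM-dd}" -f $authRoot.Count, $newest.NotBefore
```

Run it as an administrator (the policy write and netsh need it); without -Offline it only reports. The point of check 2 is the one the post makes: SEP's drivers are validated in the SYSTEM context, so the proxy that matters is the WinHTTP one, not the user's.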



  • 4.  RE: Flooding with "Crypt32" error in clients

    Posted Dec 19, 2010 09:56 AM

    Basically, this problem is not related to the Symantec product directly. This message appears when Windows tries to check a driver's signature (and Symantec drivers are signed) and cannot do it; Windows then tries to update root certificates from Microsoft Update, and when it can't, it gives this error message.

    The solution is to connect to MS Update or upgrade MS root certificates - check here for example: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f814ec0e-ee7e-435e-99f8-20b44d4531b0&displaylang=en

    Or disable checking of drivers' signatures, but I would not recommend it due to security.

    @Brian:

    >> There is currently no solution from Symantec that I'm aware of. This started with RU6

    And there should not be, as this is not a Symantec issue. EVERY application that uses signed drivers will cause the same problem. And the root cause is that Windows cannot update certificates, and this is definitely a Windows administration-related problem.



  • 5.  RE: Flooding with "Crypt32" error in clients

    Posted Dec 19, 2010 10:04 AM

    The errors started coming after RU5; prior to this there wasn't an issue.



  • 6.  RE: Flooding with "Crypt32" error in clients

    Posted Dec 19, 2010 10:10 AM

    So what changed is my biggest question? As mentioned, it was fine before RU5, so something changed within SEP. I understand the purpose of root certs, but only one of the workarounds mentioned would apply to me, and it doesn't work. I can't uncheck the root cert box to uninstall, as that seems like a pretty big security hole.

    I've tried everything mentioned above to get this to stop and still no luck.



  • 7.  RE: Flooding with "Crypt32" error in clients

    Posted Dec 19, 2010 10:49 AM

    Drivers signed or signature changed and cannot be verified without updating Windows root certs I suppose.



  • 8.  RE: Flooding with "Crypt32" error in clients

    Posted Dec 19, 2010 10:50 AM

    Drivers signed or signature changed and cannot be verified without updating Windows root certs I suppose.



  • 9.  RE: Flooding with "Crypt32" error in clients

    Posted Dec 20, 2010 12:22 AM

    A solution exists: uninstall the "Update Root Certificates" module in Windows.



  • 10.  RE: Flooding with "Crypt32" error in clients

    Posted Dec 20, 2010 04:07 AM

    It is just a workaround, as it does not resolve the root problem, which is that MS Update cannot check for updates for root certificates. So the solutions are:

    1. Check your connection to MS Update (proxy, connectivity, etc.)

    2. Update root certificates manually.



  • 11.  RE: Flooding with "Crypt32" error in clients

    Posted Dec 20, 2010 12:55 PM

    That's because there was a change made to make our product more MS compliant.