Reliable Contributor SWISS
Message 1 of 4

SHA1 and SHA2 change W7/2008R2 regarding TIE (AUG 2019 Windows Updates)

https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-win...

Since Symantec seems to be in large trouble with the SHA1/SHA2 change, I would like to ask McAfee if there is anything to take care of related to McAfee TIE Server? I am aware of the McAfee EPO Server Certificate SHA1/SHA2 Agent Migration story and we are working on that.

Is there anything else we have to watch out for regarding SHA1/2 (SHA256) if we have customers with W7 clients?

Reliable Contributor Nielsb
Message 2 of 4

Re: SHA1 and SHA2 change W7/2008R2 regarding TIE (AUG 2019 Windows Updates)

The McAfee products dual signed with the SHA-1 and SHA-256 certificates: 

https://kc.mcafee.com/corporate/index?page=content&id=KB88228

and the minimum version of TIE is: 1.0.2

Reliable Contributor SWISS
Message 3 of 4

Re: SHA1 and SHA2 change W7/2008R2 regarding TIE (AUG 2019 Windows Updates)

Hello,

I see the list, thank you. Can we clarify this for all so that all understand? For code signing now and the change SHA1/2 and DUAL signing (1+2).

With Windows 7 and Server 2008R2, as an example, what will happen if a customer:

* HAS EPO 5.3 installed (and on the list is 5.9 min.)

* Would install EPO 5.3 fresh (for whatever [recovery] reason he may choose the old).

Just a regular domain client with the two mentioned Windows Updates (KB4474419 and KB4490628).

What will happen AFTER you install a product mentioned on your list and all patches up to 08/2019?

Will the Win7 or 2008R2 still execute the binary JUST UNSIGNED (without any GPO active that would block unsigned exe)? Through that you will notice a slight delay?

Thanks


July 16, 2019
Windows 10 updates signatures changed from dual signed (SHA-1/SHA-2) to SHA-2 only. No customer action required.
Applies to: Windows 10 1507, Windows 10 1607, Windows 10 1703

August 13, 2019
Required: Updates for legacy Windows versions will require that SHA-2 code signing support be installed. The support released in March (KB4474419 and KB4490628) will be required in order to continue to receive updates on these versions of Windows.
Legacy Windows updates signatures changed from dual signed (SHA-1/SHA-2) to SHA-2 only at this time.
Applies to: Windows 7 SP1, Windows Server 2008 R2 SP1

September 10, 2019
Legacy Windows updates signatures changed from dual signed (SHA-1/SHA-2) to SHA-2 only. No customer action required.
Applies to: Windows Server 2012, Windows 8.1, Windows Server 2012 R2

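An added example, not part of the thread and not McAfee or Microsoft tooling: a PowerShell 2.0 compatible check a Windows 7 SP1 / Server 2008 R2 SP1 admin could run to see whether the two updates named above are present and how the host currently validates the signatures on a product's binaries. The function names and the install path are hypothetical placeholders.

```powershell
# Added example: SHA-2 code signing readiness inventory for a Win7 SP1 / 2008 R2 SP1 host.
# Uses only cmdlets available in PowerShell 2.0 (the version those systems ship with).

# The two updates the thread names as the SHA-2 code signing support.
$RequiredKbs = 'KB4474419', 'KB4490628'

function Get-Sha2UpdateStatus {
    param([string[]]$KbIds = $RequiredKbs)
    foreach ($kb in $KbIds) {
        # Get-HotFix writes an error when the id is not found; suppress it and test the result.
        # A later servicing stack update can replace KB4490628, so treat False
        # as a prompt to check the update history, not as proof.
        $hit = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{ HotFixId = $kb; Installed = [bool]$hit }
    }
}

function Get-BinarySignatureStatus {
    param([string]$Path)   # hypothetical: product install directory to inspect
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Returns the primary signature only. A dual-signed file carries its
            # second signature nested, so this cannot confirm dual signing.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $alg = $null
            if ($sig.SignerCertificate) {
                # Algorithm used to sign the signer certificate (e.g. sha1RSA, sha256RSA),
                # not the file digest algorithm.
                $alg = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
            }
            New-Object PSObject -Property @{
                File       = $_.FullName
                Status     = $sig.Status      # Valid, NotSigned, UnknownError, ...
                CertSigAlg = $alg
            }
        }
}

Get-Sha2UpdateStatus | Format-Table HotFixId, Installed -AutoSize

$ProductDir = 'C:\Path\To\Product'   # placeholder, replace with the real install directory
Get-BinarySignatureStatus -Path $ProductDir |
    Group-Object Status, CertSigAlg |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Any group whose Status is not Valid is the set of binaries this host does not currently accept as signed, which is the case the question above asks about.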
Reliable Contributor SWISS
Message 4 of 4

Re: SHA1 and SHA2 change W7/2008R2 regarding TIE (AUG 2019 Windows Updates)

This is a huger problem than we thought. We wanted to UPDATE the DXL BROKER Server on the TIE and ran into a problem. Glad we had EPO snapshots and VMware snapshots.

1) You have to finish the SHA1 to SHA2 migration on the EPO with all clients and servers

2) You have to replace the SHA1 on the TIE Server. This includes REMOVING all extensions for TIE in the productive environment and re-installing them, including export and import of all settings.

3) You also have to replace things on the ATD sandbox

There are several KBs and whitepapers if you search for them.


Regards

Mike
