
Re: Epo 5.9 PIA, RSA compatibility failed

With the newer version of the PIA tool i am now getting the following error;

"Cipher suite order is not correct. Use group policy editor to change it.

Refer McAfee KB87731 for more information."

What order are you guys using for the SSL Cipher Suite? (Run -> gpedit.msc -> Computer Configuration/Administrative Templates/Network/SSL Configuration Settings). The default order is definitely not working for us. (Running SQL Express, by the way.)

davei
Level 9
Message 22 of 24

Re: Epo 5.9 PIA, RSA compatibility failed

Our issue is now resolved and upgrade completed.  Frustratingly, it did in fact turn out to be the (lack of) presence of MS KB3042058 as stated in McAfee KB87731, and then adjusting the cipher order.

The new version of PIA was irrelevant to my particular issue.

So I tried to manually install MS KB3042058 and was told "This update is not applicable to this system".  A WSUS report on the update also showed it 'not applicable' to the SQL server so it wasn't offered by Windows Update (WSUS) but other updates were.  SQL server is busy so downtime to install was not readily available.  After arranging, I installed the queued WSUS updates, after which more were offered, and then eventually the single update MS KB3042058.

Once installed, the PIA error changed to the above warning about cipher order.

McAfee support had us use IISCrypto to adjust the cipher orders, although a GPO would be more scalable!  In our case we use a script on our IIS\Web servers which does the same - disables SSL2/3, enables TLS1.2, adjusts ciphers etc.  as an internal best practice.  Once I ran that and restarted, the PIA test passed and the upgrade completed successfully.

For info our script is based on: https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12

brentil
Reliable Contributor
Message 23 of 24

Re: Epo 5.9 PIA, RSA compatibility failed

As davei mentioned, I was going to recommend IISCrypto myself if this is just a couple of systems.  It's a GUI for editing the SCHANNEL configuration of your machine.  I'd run it on both the ePO & MS-SQL server and use the Best Practices mode.  The GUI will show you the changes you're about to make and will not actually make the changes until you hit Apply.  You can back up the registry keys beforehand or just use IISCrypto to revert to default.

Nartac Software - Download

The problem with using GPO to set the Cipher Suites is that the actual GPO setting that controls those has a limit of 1023 characters and the Cipher Suite list is wayyyyyyyyy longer than 1023 characters.  So you have to either use a script deployment through GPO or manipulate registry values in GPO versus using the GPO setting specifically for Cipher Suites.  You can configure everything else though via GPO settings without an issue.

Also, honestly, if you configure all your machines to have a specific Cipher Suite order, KB3042058 is pointless.  What it does is alter the default order in the SCHANNEL DLLs on the system, which only comes into play if you haven't defined the order via the registry/GPO.
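Both davei's script (disable SSL 2.0/3.0, enable TLS 1.2, set the cipher order) and brentil's point about the 1023-character cap on the GPO "SSL Cipher Suite Order" setting come down to the same registry values. The script below is an added example, not the thread's, McAfee's or Nartac's code: it writes those values directly, which is what a GPO-deployed script or IISCrypto does, and so is not subject to the GPO text-box limit. The cipher suite list is an assumption (the _P256/_P384 names Windows 2008 R2 and 2012 use) and must be adapted to whatever order the product requires; the backup path is also assumed.

```powershell
# Added example (not code from the thread, McAfee or Nartac).
# Hardens SCHANNEL by writing the registry directly: protocols under the SCHANNEL key,
# cipher suite order under the policy key that the GPO setting would populate.
# Run elevated; a reboot is required before SCHANNEL uses the new values.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$backup   = "$env:TEMP\schannel-backup-$(Get-Date -Format yyyyMMdd-HHmmss).reg"   # assumed path

# 1. Back up the live SCHANNEL key first so the change can be reverted with 'reg import'.
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $backup /y | Out-Null
Write-Host "SCHANNEL key exported to $backup"

function Set-Protocol {
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "Protocols\$Name\$side"
        New-Item -Path $key -Force | Out-Null
        # Enabled=0/1 turns the protocol off/on; DisabledByDefault=1 stops SCHANNEL
        # offering it when the application does not ask for a specific protocol.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# 2. Protocols: SSL 2.0 and 3.0 off, TLS 1.2 on. TLS 1.0/1.1 are left untouched here.
Set-Protocol -Name 'SSL 2.0' -Enabled $false
Set-Protocol -Name 'SSL 3.0' -Enabled $false
Set-Protocol -Name 'TLS 1.2' -Enabled $true

# 3. Cipher suite order. This is the same REG_SZ the GPO setting writes, but written
#    directly, so the 1023-character limit of the GPO text box does not apply.
#    Assumed ordering: ECDHE (forward secrecy) first, plain RSA key exchange last.
$suites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',    'TLS_RSA_WITH_AES_128_CBC_SHA'
)
$order = $suites -join ','
New-Item -Path $policy -Force | Out-Null
New-ItemProperty -Path $policy -Name 'Functions' -PropertyType String -Value $order -Force | Out-Null

# 4. Read back what was written so it can be compared with what the PIA expects.
Write-Host ("Cipher suite order written ({0} characters):" -f $order.Length)
(Get-ItemProperty -Path $policy -Name 'Functions').Functions -split ',' | ForEach-Object { "  $_" }
Write-Host 'Reboot required for SCHANNEL to apply the new settings.'
```

Deploying this as a GPO startup script gives the scalability davei asks for while keeping the explicit order that, as brentil notes, makes the KB3042058 default order irrelevant. Disabling individual cipher algorithms (RC4, DES under SCHANNEL\Ciphers), which the hass.de script also does, is outside this block.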

Re: Epo 5.9 PIA, RSA compatibility failed

I got the same results when I ran the Pre-Installation Auditor 2.1. I tried to install KB3042058 and it would say this update isn't applicable to your system. So I had to call Microsoft, and these were the steps that they provided to get KB3042058 to install.

Verified, using the link below, what version of the C:\windows\system32\drivers\cng.sys file is currently on the server.  You can right-click the file and go to Details to see the version.

https://support.microsoft.com/en-in/help/3042058/microsoft-security-advisory-update-to-default-ciphe...

KB3042058 pushes Cng.sys 6.1.7601.22946; the server already had a newer driver file, 6.1.7601.23600.

Please follow this approach:

• Need to first remove KB3205394 & KB4034679

• Install KB3177467 (If you have KB3020369 already installed then KB3177467 is not required)

• Install KB3042058  - Prereq. (KB3020369 Superseded by KB3177467)

• Install KB3205394

• Install KB4034679

*****

After you have KB3042058 installed, you can use the IISCrypto program (Nartac Software - IIS Crypto) to re-sort the cipher suite order, or use GPO to re-order it. It checked out fine after I did this.
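The two things the PIA tripped over in this thread, the Cng.sys level that KB3042058 provides and whether a cipher suite order has actually been defined, can be checked before the upgrade is attempted. The script below is an added example, not the thread's or McAfee's code: it reads the Cng.sys file version the way the post above describes, lists which of the KBs mentioned are present, and reports where the effective cipher suite order comes from and whether it would fit in the GPO text box. The Cng.sys version, KB numbers and 1023-character figure are taken from the thread; the registry paths are the standard SCHANNEL and cipher-order locations.

```powershell
# Added example (not code from the thread or McAfee): pre-upgrade audit of the items
# discussed above. Read-only; run it on the ePO and SQL servers before running the PIA.

$cngMinimum = [version]'6.1.7601.22946'   # Cng.sys level shipped by KB3042058 (from the post)
$kbsOfNote  = 'KB3042058', 'KB3177467', 'KB3020369', 'KB3205394', 'KB4034679'
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$defaultKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Configuration\Local\SSL\00010002'
$schannel   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$gpoLimit   = 1023                         # cap of the GPO "SSL Cipher Suite Order" text box

function Get-CngStatus {
    # Same check as right-click > Details on cng.sys, done from the version resource.
    $v   = (Get-Item (Join-Path $env:SystemRoot 'System32\drivers\cng.sys')).VersionInfo
    $ver = New-Object System.Version $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart
    [pscustomobject]@{
        CngVersion     = $ver
        AtOrAboveKB    = ($ver -ge $cngMinimum)   # newer than the KB's file: "not applicable" is expected
    }
}

function Get-HotfixStatus {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $kbsOfNote) {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

function Get-CipherOrderStatus {
    # An explicit order under the policy key (GPO, IISCrypto or a script) overrides the
    # OS default under the Local key; with neither, SCHANNEL's built-in order applies.
    $policyOrder  = (Get-ItemProperty -Path $policyKey  -Name Functions -ErrorAction SilentlyContinue).Functions
    $defaultOrder = (Get-ItemProperty -Path $defaultKey -Name Functions -ErrorAction SilentlyContinue).Functions
    $effective = if ($policyOrder) { $policyOrder } else { $defaultOrder }
    $suites = @()
    if ($effective -is [string]) { $suites = $effective -split ',' }   # policy key: REG_SZ, comma-separated
    elseif ($effective)          { $suites = @($effective) }           # Local key: REG_MULTI_SZ
    $joined = $suites -join ','
    [pscustomobject]@{
        Source           = if ($policyOrder) { 'Policy (explicit order)' }
                           elseif ($defaultOrder) { 'OS default key' }
                           else { 'None (SCHANNEL built-in order)' }
        SuiteCount       = $suites.Count
        Length           = $joined.Length
        FitsInGpoTextBox = ($joined.Length -le $gpoLimit)
        FirstThree       = ($suites | Select-Object -First 3) -join ', '
    }
}

function Get-ProtocolStatus {
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $k = Join-Path $schannel "Protocols\$p\Server"
        $e = (Get-ItemProperty -Path $k -Name Enabled -ErrorAction SilentlyContinue).Enabled
        [pscustomobject]@{
            Protocol      = $p
            ServerEnabled = if ($null -eq $e) { 'not set (OS default)' } else { [bool]$e }
        }
    }
}

'== Cng.sys ==';          Get-CngStatus         | Format-List
'== Hotfixes ==';         Get-HotfixStatus      | Format-Table -AutoSize
'== Cipher order ==';     Get-CipherOrderStatus | Format-List
'== Server protocols =='; Get-ProtocolStatus    | Format-Table -AutoSize
```

If CngVersion is above 6.1.7601.22946 and KB3042058 is absent, you are in the situation described above: the newer file from a later rollup makes the KB report "not applicable", which is why the KB sequence from Microsoft removes the later rollups first. A cipher order whose Source is "Policy" with a Length over 1023 is one that was written by a script or IISCrypto and cannot be reproduced through the GPO text box.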
