
    Emerging FSUpdate Problem <resolved>

      Multiple FSUpdate Failures have been reported:


      FSL Script/Templates update in progress...

      New package found (98,346,688 bytes)

      File MD5 hash: F8E97F76E861E4A9CE1BF8EC4AE8DB3C

      Verifying digital signature using CAPICOM.

      Digital signature FAILED. The executable will not be run.


      FSL, SCAP, Language Packages, etc. are failing with:


      "Digital signature FAILED. The executable will not be run."


      McAfee Engineering is investigating the issue, and this thread will be updated when the issue is resolved.


      If you have any questions, please post here.


      Cathy Grim

      McAfee Tier3 Support


      Message was edited by: cgrim on 12/18/12 3:06:55 PM CST
        • 1. Re: Emerging FSUpdate Problem

          As a temporary workaround, it's possible to set the "Digital Security Mode" to "Disabled". This should allow the updates to apply.

          • 2. Re: Emerging FSUpdate Problem

            We are still researching a final solution to this issue.


            I will update this thread as a solution becomes available.

            • 3. Re: Emerging FSUpdate Problem

              Hello Cathy,


              could you please elaborate on the function of the "Digital Security Mode"?

              I, like many McAfee customers, am suffering from that FSUpdate problem. Before I disable a security item, I would prefer to know the consequences of such a move. I also have a service case open for this and asked the same question, but I do not get answers, which is quite unsatisfying.


              Looking forward to an answer,



              • 4. Re: Emerging FSUpdate Problem

                Hi Cathy,

                Any estimate of how long it will take to fix the problem?


                Referring to Uli's post, we also have not disabled "Digital Security Mode"!


                We will do that, if:

                - we're aware of the possible consequences <-- therefore we need to know them

                - and if we are in the position to calculate the risk and decide to take it.




                • 5. Re: Emerging FSUpdate Problem

                  All Vulnerability Manager updates delivered through the FSUpdate utility are digitally signed. The digital signature is verified prior to any update package installation.


                  You can configure the Digital Security Mode for the utility as follows:

                  • Automatic - the utility checks the digital signature automatically. If the update fails, for any reason, no update is applied.

                  • Interactive - the user currently logged in receives a prompt to verify the content as safe or not. This setting requires the user to manually accept each download.

                  • Disabled - FSUpdate does not check if the digital signature is valid or not.


                  Another workaround is to log in to update.foundstone.com and manually download and apply the package. Instructions on how to do so can be found in KB58796. https://kc.mcafee.com/corporate/index?page=content&id=KB58796


                  We also publish a list of released checks at http://www.mcafee.com/us/content-release-notes/foundstone/index.aspx by date.  In the meantime another option would be to evaluate the released checks for risk in your environment and choose to apply the package or not based on the risk. 

                  • 6. Re: Emerging FSUpdate Problem

                    We've been able to pinpoint the problem down to the certificate that we sign the MVM update packages with not existing on the Windows 2003 Servers.

                    The Microsoft Patch (KB931125) that distributes the Root CAs has been approved on the MVM WSUS Server (sus-update.foundstone.com):


                    See patch details here:



                    You can force an update by typing the following on the command line:


                    > wuauclt /detectnow


                    If you're running Windows 2003, and not pointing to the McAfee WSUS Server you should be able to get the update from here:




                    Here are some details about the patch:


                    Windows Server 2003, Windows Server 2008, Windows Server 2008 R2

                    The automatic root update mechanism is enabled on Windows Server 2008 and later, but not on Windows Server 2003. Windows Server 2003 supports the automatic root update mechanism only partially, equivalent to the support on Windows XP. And since the root update package is intended for Windows XP client SKUs only, it is not intended for Windows Server SKUs. However, the root update package may be downloaded and installed on Windows Server SKUs, subject to the following restrictions.

                    If you install the root update package on Windows Server SKUs, you may exceed the limit for how many root certificates that Schannel can handle when reporting the list of roots to clients in a TLS or SSL handshake, as the number of root certificates distributed in the root update package exceeds that limit. When you update root certificates, the list of trusted CAs increases significantly in size and may cause the list to grow too long. The list is then truncated and may cause problems with authorization. This behavior may also cause Schannel event ID 36885. In Windows Server 2003, the issuer list cannot be greater than 0x3000. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base: 933430
                    Clients cannot make connections if you require client certificates on a Web site or if you use IAS in Windows Server 2003.

                    NOTE: These limitations only apply if you have SSL client authentication enabled on Windows Server.


                    After applying the patch to get the additional CAs, you can discontinue using the temporary workaround.


                    I hope that helps!


                    on 12/18/12 6:30:17 PM CST
                    • 7. Re: Emerging FSUpdate Problem

                      Thank you for solving this issue.


                      Just adding some information:

                      As the patch KB931125 is a rolling patch, it is not listed in Add/Remove Programs.

                      And if downloaded and installed manually you get no indication if it has been installed successfully.

                      To check if it is installed, you have to look in the registry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}.

                      The reported version VERSION='37,0,2195,0' is the current December update of this patch (and with this version, the updates succeed (tested with the latest FSL Content Update 12/18)).

                      With the previous version (reported as VERSION='36,0,2195,0') the update does not succeed.
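
The registry check from reply 7, combined with a manual signature check for a package downloaded by hand, so that trust can be confirmed without setting Digital Security Mode to Disabled. This is an added example, not McAfee's or Microsoft's tooling; it assumes the registry value is named `Version`, that the package is Authenticode-signed, and the package path is a placeholder.

```powershell
# Added example. Key path and version strings are the ones quoted in reply 7.
$RootUpdateKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}'
$MinimumMajor  = 37   # '37,0,2195,0' let updates verify; '36,0,2195,0' did not

function Get-RootUpdateStatus {
    param([string]$Path = $RootUpdateKey, [int]$Minimum = $MinimumMajor)
    $result = New-Object PSObject -Property @{ Installed = $false; Version = $null; Sufficient = $false }
    if (-not (Test-Path -LiteralPath $Path)) { return $result }
    $result.Installed = $true
    # Assumption: the version lives in a value named "Version", formatted 'a,b,c,d'.
    $raw = (Get-ItemProperty -LiteralPath $Path).Version
    if (-not $raw) { return $result }
    $result.Version = $raw
    $major = 0
    if ([int]::TryParse(($raw -split ',')[0].Trim(), [ref]$major)) {
        $result.Sufficient = ($major -ge $Minimum)
    }
    return $result
}

function Test-PackageSignature {
    param([Parameter(Mandatory = $true)][string]$PackagePath)
    # Assumption: the update package carries an Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    $report = New-Object PSObject -Property @{
        Status = $sig.Status; Signer = $null; TopOfChain = $null; ChainErrors = @()
    }
    if ($sig.SignerCertificate) {
        $report.Signer = $sig.SignerCertificate.Subject
        # Rebuild the chain to see why trust fails. A missing root CA shows up
        # as PartialChain or UntrustedRoot rather than as a hash mismatch.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate the trust-anchor question
        [void]$chain.Build($sig.SignerCertificate)
        $last = $chain.ChainElements.Count - 1
        if ($last -ge 0) { $report.TopOfChain = $chain.ChainElements[$last].Certificate.Subject }
        $report.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
    return $report
}

Get-RootUpdateStatus | Format-List
# 'C:\Temp\package.exe' is a placeholder for a manually downloaded package:
# Test-PackageSignature -PackagePath 'C:\Temp\package.exe' | Format-List
```

An empty `ChainErrors` list together with `Status` of `Valid` means the signer chains to a root the server trusts; any other result is a reason to leave signature checking enabled and fix the root store first.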




                      • 8. Re: Emerging FSUpdate Problem



                        I have an MVM3100 Appliance with Win2008 R2 Standard SP (installed with the shipped installation CD)

                        Software Version 7.5.1. Appliance can connect to sus-update.foundstone.com.

                        But if I execute the command wuauclt /DetectNow nothing happens, and I can't see the mentioned registry key in the registry.

                        I thought the appliance itself automatically checks for updates and installs them itself.


                        What's wrong?


                        Kind regards


                        • 9. Re: Emerging FSUpdate Problem

                          From Cathy's description of the problem it seems that this only affected Appliances running the Windows 2003 image. If you are having issues with connecting to sus-update.foundstone.com, you may want to troubleshoot that as a general network issue on your end, and if you are not successful, contact McAfee Technical Support for further assistance.

                          cgrim wrote:


                          We've been able to pinpoint the problem down to the certificate that we sign the MVM update packages with not existing on the Windows 2003 Servers.
