Author Topic: This implementation is not part of the Windows Platform FIPS validated cryptogra  (Read 5072 times)


REDACTED

  • Guest
Hi all,

Today I noticed a problem with a customer's SOA setup. Avast Clients hadn't updated since October 10th and that coincided with the expiration of the password of the account the "avast! Administration Console" service was running as (not sure why it wasn't running as Network Service). Simple I thought, update the password the service runs as via services.msc and restart the service. Whilst that did allow me to now log into SOA no clients would "check in" (ie none of them are green)



Clients do now *appear* to be getting signature updates though.

I thought perhaps an uninstall / clean reinstall of SOA would help - no joy.

Whilst reviewing logs in C:\ProgramData\AVAST Software\Administration Console\Logs I found the following (multiple times) in my Avast.Sbc.Service_*.log files...

11-04 20:32:07,702 [SchedulerWorker3] ERROR Scheduler - Error during client side job execution.
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
   at System.Security.Cryptography.MD5.Create(String algName)
   at Avast.Sbc.Service.Core.MessageQueueManager.ForNode(Guid nodeId)
   at Avast.Sbc.Service.Core.DisconnectedEngineLocator.FindEngineForNode(Node node)
   at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
   at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
   at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
   at Avast.Sbc.Service.Core.DisconnectedEngineLocator.FindEnginesForNodes(IEnumerable`1 nodes)
   at Avast.Sbc.Scheduler.Core.Helper.ClientExecutableJobFactory.CreateExecutableJob(IEngineLocator engineLocator, IEnumerable`1 targetNodes, Job job)
   at Avast.Sbc.Scheduler.Core.Scheduler.RunClientSideJob(Job job, ScheduleItem triggerItem)

It then dawned on me that I needed to enable "Use FIPS compliant algorithms for encryption, hashing and signing" policy to pass a Pen Test we had earlier in the year.



I wouldn't mind betting this is the first time the service had been restarted since the pen test and as a result has been ignoring (unaware of) the "Use FIPS compliant algorithms for encryption, hashing and signing" policy until now.

So now I'm stuck, I can't really disable the "Use FIPS compliant algorithms for encryption, hashing and signing" policy, but I think if I leave it enabled SOA won't work correctly?

Any suggestions gratefully received!

Regards

Steve

REDACTED

  • Guest
Out of hours last night I disabled the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy, performed a GPUPDATE, checked the policy change had taken effect by using RSOP.MSC and monitored my Avast.Sbc.Service_*.log files for half an hour. I didn't see any reduction in the logging of the following exception...

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()

I then restarted the avast! Administration Console, avast! Administration Console Monitor & avast! Administration Console Website Host services and monitored my Avast.Sbc.Service_*.log files again. I saw no more exceptions and Avast Clients have started going Green in the SOA console. This confirms to me that the problem is caused by the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy and that Avast SOA is using the MD5 algorithm in SOA sign communication traffic.



Unfortunately this isn't really a solution for us as we need to have the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy enabled to please the regular Pen Test we are subjected to.

I think we might have to look at alternative anti viral solutions.

Regards

Steve
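
A way to check the behaviour described in the two posts above, as an added example that is not part of the original posts and not Avast's code: it reads the machine-wide FIPS policy value, shows what the current .NET Framework process sees, tries to construct the same MD5 class that appears in the stack trace, and lists when the console services last started. It assumes Windows PowerShell 5.1 on .NET Framework, run elevated; the service filter is built from the display names mentioned in the post.

```powershell
# Added example for Windows PowerShell 5.1 (.NET Framework); run elevated.
# 1. Machine-wide value behind the "System cryptography: Use FIPS compliant
#    algorithms..." security option (1 = enabled, 0 = disabled).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$machinePolicy = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled

# 2. What this process sees. .NET Framework reads the policy once per process
#    and caches it, so a running service keeps its old view until it restarts.
$processView = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

# 3. Try to construct each hash implementation, as the service does for MD5.
function Test-HashType {
    param([Parameter(Mandatory)][string]$TypeName)
    try {
        $h = New-Object -TypeName $TypeName -ErrorAction Stop
        $h.Dispose()
        'allowed'
    } catch {
        # Unwrap to the underlying exception, e.g. InvalidOperationException
        'blocked: ' + $_.Exception.GetBaseException().Message
    }
}
$types = 'MD5CryptoServiceProvider', 'SHA1CryptoServiceProvider', 'SHA256CryptoServiceProvider' |
    ForEach-Object { "System.Security.Cryptography.$_" }
$probe = foreach ($t in $types) {
    [pscustomobject]@{ Type = $t; Result = Test-HashType -TypeName $t }
}

# 4. Start time of each console service process, to compare against the time
#    the policy was last changed (display-name filter is an assumption).
$services = Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'avast! Administration Console%'" |
    Where-Object ProcessId -gt 0 |
    ForEach-Object {
        [pscustomobject]@{
            Service = $_.DisplayName
            Started = (Get-Process -Id $_.ProcessId).StartTime
        }
    }

"Machine policy Enabled = $machinePolicy; this process sees FIPS-only = $processView"
$probe    | Format-Table -AutoSize
$services | Format-Table -AutoSize
```

A service whose start time predates the last policy change is still running with the policy state it saw at launch, which matches the need to restart the services before the log output changed.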

Offline Avosec-UK

  • Avosec Technical Support
  • Avast Reseller
  • Sr. Member
  • *
  • Posts: 296
    • Avosec
You may switch to avast! Enterprise Administration.
It is a native application and it may not be affected by the policy.


REDACTED

  • Guest
Hi Avosec-UK

You're our distributor for Avast  :) Can you send Dave Hodkinson details and any costs regarding migrating an 18 user Endpoint Protection Suite to the avast! Enterprise Administration you recommended?

Regards

Steve

REDACTED

  • Guest
Thanks Avosec-UK for passing along the requested information. There doesn't appear to be anything too private there so I thought I would share it with the rest of the Avast Forum community...

Avosec-UK said...

Quote
There is no cost for the migration of avast! Small Office Administration to avast! Enterprise Administration.

Just make sure to have the ASOA license ready to be loaded during the installation.

I have attached a Quick Guide on how to Migrate from ASOA to AEA.

If you have any problems, please let us know and we will be happy to assist.

Attached PDF can be found at http://www.spectrumcs.net/wp-content/uploads/2015/11/Migrating-from-ASOA-to-AEA.pdf

I'll try this procedure when I get a moment over the next few days and report back how I get on.

Regards

Steve