Author Topic: This implementation is not part of the Windows Platform FIPS validated cryptogra  (Read 4484 times)

0 Members and 1 Guest are viewing this topic.

Offline Spectrum Computer Solutions

  • Spectrum Computer Solutions
  • Newbie
  • *
  • Posts: 13
  • Spectrum Computer Solutions
    • Spectrum Computer Solutions
Hi all,

Today I noticed a problem with a customer's SOA setup. Avast Clients hadn't updated since October 10th and that coincided with the expiration of the password of the account the "avast! Administration Console" service was running as (not sure why it wasn't running as Network Service). Simple I thought, update the password the service runs as via services.msc and restart the service. Whilst that did allow me to now log into SOA no clients would "check in" (ie none of them are green)



Clients do now *appear* to be getting signature updates though.

I thought perhaps a uninstall / clean reinstall of SOA would help - no joy.

Whilst reviewing logs in C:\ProgramData\AVAST Software\Administration Console\Logs I found the following (multiple times) in my Avast.Sbc.Service_*.log files...

11-04 20:32:07,702 [SchedulerWorker3] ERROR Scheduler - Error during client side job execution.
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
   at System.Security.Cryptography.MD5.Create(String algName)
   at Avast.Sbc.Service.Core.MessageQueueManager.ForNode(Guid nodeId)
   at Avast.Sbc.Service.Core.DisconnectedEngineLocator.FindEngineForNode(Node node)
   at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
   at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
   at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
   at Avast.Sbc.Service.Core.DisconnectedEngineLocator.FindEnginesForNodes(IEnumerable`1 nodes)
   at Avast.Sbc.Scheduler.Core.Helper.ClientExecutableJobFactory.CreateExecutableJob(IEngineLocator engineLocator, IEnumerable`1 targetNodes, Job job)
   at Avast.Sbc.Scheduler.Core.Scheduler.RunClientSideJob(Job job, ScheduleItem triggerItem)

It then dawned on me that I needed to enable "Use FIPS compliant algorithms for encryption, hashing an signing" policy to pass a Pen Test we had earlier in the year.



I wouldn't mind betting this is the first time the service had been restart since the pen test and as a result has been ignoring (unaware) of the "Use FIPS compliant algorithms for encryption, hashing an signing" policy until now.

So now I'm stuck, I can't really disable the "Use FIPS compliant algorithms for encryption, hashing an signing" policy, but I think if I leave it enabled SOA won't work correctly?

Any suggestions gratefully received!

Regards

Steve
Specialists in computer support for small to medium sized enterprises. From desktop support to network installations, we can provide the services you require.

Offline Spectrum Computer Solutions

  • Spectrum Computer Solutions
  • Newbie
  • *
  • Posts: 13
  • Spectrum Computer Solutions
    • Spectrum Computer Solutions
Out of hours last night I disabled the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy ,performed a GPUPDATE, checked the policy change has taken effect by using RSOP.MSC and monitored my Avast.Sbc.Service_*.log files for half an hour. I didn't see any reduction in the logging of the following exception...

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()

I then restarted the avast! Administration Console, avast! Administration Console Monitor & avast! Administration Console Website Host services and monitored my Avast.Sbc.Service_*.log files again. I saw no more exceptions and Avast Clients have started going Green in the SOA console. This confirms to me that problem is caused by the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy and that Avast SOA is using the MD5 algorithm in SOA sign communication traffic.



Unfortunately this isn't really a solution for us as we need to have the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy enabled to please the regular Pen Test we are subjected to.

I think we might have to look at alternative anti viral solutions.

Regards

Steve
Specialists in computer support for small to medium sized enterprises. From desktop support to network installations, we can provide the services you require.

Offline Avosec-UK

  • Avosec Technical Support
  • Avast Reseller
  • Sr. Member
  • *
  • Posts: 296
    • Avosec
You may switch to avast! Enterprise Administration.
It is a native application and it may not be affected by the policy.


Offline Spectrum Computer Solutions

  • Spectrum Computer Solutions
  • Newbie
  • *
  • Posts: 13
  • Spectrum Computer Solutions
    • Spectrum Computer Solutions
Hi Avosec-UK

You're our distributor for Avast  :) Can you send Dave Hodkinson details and any costs regarding migrating a 18 user Endpoint Protection Suite to the avast! Enterprise Administration you recommended?

Regards

Steve
Specialists in computer support for small to medium sized enterprises. From desktop support to network installations, we can provide the services you require.

Offline Spectrum Computer Solutions

  • Spectrum Computer Solutions
  • Newbie
  • *
  • Posts: 13
  • Spectrum Computer Solutions
    • Spectrum Computer Solutions
Thanks Avosec-UK for passing along the requested information. There doesn't appear to be anything to private there so I thought I would share it with the rest of the Avast Forum community...

Avosec-UK said...

Quote
There is no cost for the migration of avast! Small Office Administration to avast! Enterprise Administration.

Just make sure to have the ASOA license ready to be loaded during the installation.

I have attached a Quick Guide on how to Migrate from ASOA to AEA.

If you have any problems, please let us know and we will be happy to assist.

Attached PDF can be found at http://www.spectrumcs.net/wp-content/uploads/2015/11/Migrating-from-ASOA-to-AEA.pdf

I'll try this procedure when I get a moment over the next few days and report back how I get on.

Regards

Steve
Specialists in computer support for small to medium sized enterprises. From desktop support to network installations, we can provide the services you require.