Audit Data is not getting collected from some servers. The agents on the servers are running.
Reviewing the CAADService.dll.nptlog from the server, errors similar to the following may be seen:
"Load driver failed: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source"
Reviewing the CAADMain.dll.nptlog file from the server, errors similar to the following may be seen:
According to Microsoft: “Effective January 1, 2016, Windows (version 7 and higher) and Windows Server will no longer trust new code that is signed with a SHA-1 code signing certificate for Mark-of-the-Web related scenarios (e.g. files containing a digital signature) and that has been time-stamped with a value greater than January 1, 2016.”
A security advisory, “Deprecation of SHA-1 hashing algorithm for Microsoft root certificate program”, was released on January 12, 2016, informing that all future security and non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update 2919355 to be installed. More details in: https://support.microsoft.com/en-us/kb/3123479
To comply with this change, the following signing methods were implemented in Change Auditor:
Executable files (.exe or .dll) - These are dual-signed using SHA-1 and SHA-2 (SHA256). This allows older operating systems that do not recognize SHA256 to validate the file as a Quest product.
MSI files (.msi) - These files are signed with a SHA-2 code signing certificate while maintaining a SHA-1 file hash.
Agent drivers - These will continue to be signed with SHA-1, as drivers were not included in the scope of Microsoft's change.
All other file types will fall into one of these three scenarios.
For older operating systems, Windows updates are required to support SHA-2 certificates and signatures. These updates are marked with "Important" priority and should already exist on the majority of servers:

Operating System             | Microsoft KB | Released
Windows 2003/R2 (Vista)      | KB968730     | 3/19/2009
Windows 2008                 | KB2763674    | 1/8/2013
Windows 2008 R2 (Windows 7)  | KB3033929    | 3/10/2015
If you are using an older server, ensure you have the appropriate updates applied (as mentioned above) to ensure the OS can validate SHA-2 Certificates and Signatures on files.
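
One way to check the servers that stopped reporting for the update listed above, as an added example that is not part of the original article or of Change Auditor. It assumes Windows PowerShell 5.1 on an admin workstation with WMI (DCOM) access to the servers; the function name Test-Sha2Update, the server names, and the mapping of OS version prefixes to table rows are assumptions.

```powershell
# Added example. KB IDs are taken from the table above; the mapping from
# Win32_OperatingSystem version prefixes to table rows is an assumption.
$RequiredKb = @{
    '5.2' = 'KB968730'     # Windows 2003/R2
    '6.0' = 'KB2763674'    # Windows 2008
    '6.1' = 'KB3033929'    # Windows 2008 R2 (Windows 7)
}

function Test-Sha2Update {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName
    )
    foreach ($computer in $ComputerName) {
        $result = [pscustomobject]@{
            Computer   = $computer
            OSVersion  = $null
            RequiredKB = $null
            Installed  = $null
            Note       = ''
        }
        try {
            # DCOM-based WMI query, so it also reaches servers without WinRM.
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
        }
        catch {
            $result.Note = "WMI query failed: $($_.Exception.Message)"
            $result
            continue
        }

        $result.OSVersion = $os.Version
        $prefix = ($os.Version -split '\.')[0..1] -join '.'

        if ($RequiredKb.ContainsKey($prefix)) {
            $result.RequiredKB = $RequiredKb[$prefix]
            # Get-HotFix writes a non-terminating error when the ID is absent.
            $hotfix = Get-HotFix -Id $result.RequiredKB -ComputerName $computer -ErrorAction SilentlyContinue
            $result.Installed = [bool]$hotfix
        }
        else {
            $result.Note = 'OS version is not in the KB table'
        }
        $result
    }
}

# Constructed server names; replace with the agents that stopped reporting.
Test-Sha2Update -ComputerName 'SERVER01', 'SERVER02' | Format-Table -AutoSize
```

Get-HotFix only reports updates recorded under that exact ID, so confirm an Installed value of False on the server itself before acting on it.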