
Unpatched Windows system causes XT kit tamper detection



Introduction:

When running one of the FNE XT kits on an older, unpatched version of Windows, we have seen several incidents where our tamper detection mechanism is triggered, leaving the software unable to run.

For example, running the capability request example from the 2022.02 release of the 64-bit C XT kit on a 64-bit Windows 7 machine that is currently not connected to the network results in the following error:

C:\Users\testuser\Documents\flexnet_client-xt-c-x64_windows-2022.02.0\build\capabilityrequest\x64\Debug>capabilityrequest.exe -server http://192.168.0.149:7070/fne/bin/capability

ERROR: creating licensing object: Internal error:

  1201:516, MID=0, SID=0, EID=6,

  Tamper detected: IHRfX1RJcEFSM3ZiV0VsRVNWcENlUmVzNWxEQVAySSAgZmFsc2UgeyBbInZpc

3VhbF9zdHVkaW8iXSA9IHRydWUsWyJ0X19vQTFTWWhQdjE1MDN5Z0FNb0FFd3JjVEozRSJdID0gdHJ1Z

SxbInRfX1JtenBFWVlUZ3pDMjNMdElMTHEzeHZ1QSJdID0geEhhQXRJemtWbTBZcTRCRUdJZ2hqb1NRR

UksfSA=

 

Cause:

The issue appears to be a false positive. It occurs because the operating system does not have a root certificate that is required to confirm the signature used on FlxCore.dll/FlxCore64.dll.

 

How to confirm:

Microsoft provides a tool called ‘signtool’ (https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool), which allows you to check the reason why the signature cannot be verified:

C:\Users\testuser\Documents\flexnet_client-xt-c-x64_windows-2022.02.0\build\capabilityrequest\x64\Debug>signtool verify /pa FlxCore64.dll

File: FlxCore64.dll

Index  Algorithm  Timestamp

========================================

SignTool Error: A certificate chain processed, but terminated in a root

        certificate which is not trusted by the trust provider.

 

Number of errors: 1

 

Possible solutions to this issue

Generally, when the operating system is connected to the internet and is auto-updating, the certificate chain will be updated and this should not be a problem. When the OS is in an ‘offline’ situation, there may not have been any updates, so the situation will not resolve without some manual intervention.

The following link provides details on how to update an OS in an offline environment:

http://woshub.com/updating-trusted-root-certificates-in-windows-10/#h2_6

 

In the case of Windows 7, you would follow these steps:

To update root certificates in Windows 7, you must first download and install MSU update KB2813430 (https://support.microsoft.com/en-us/topic/an-update-is-available-that-enables-administrators-to-update-trusted-and-disallowed-ctls-in-disconnected-environments-in-windows-0c51c702-fdcc-f6be-7089-4585fad729d6).

After that, you can use certutil to generate an SST file with root certificates (on the current computer or another one):

certutil.exe -generateSSTFromWU c:\ps\roots.sst

Now you can import the certificates into the trusted root store:

Run MMC -> add snap-in -> Certificates -> Computer account -> Local computer. Right-click Trusted Root Certification Authorities, All Tasks -> Import, find your SST file (in the file type, select Microsoft Serialized Certificate Store (*.sst)) -> Open -> Place all certificates in the following store -> Trusted Root Certification Authorities.
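
A check you can run before and after the import, as an added example that is not part of the original article: it reports the Authenticode status of the DLL, where its certificate chain ends, and whether the certificate it needs is present in the machine root store and in the SST file. The default paths and the variable names are assumptions.

```powershell
# Added example. Paths are assumptions; adjust to your environment.
param(
    [string]$DllPath = '.\FlxCore64.dll',   # signed DLL in the XT kit build directory
    [string]$SstPath = 'C:\ps\roots.sst'    # file written by certutil -generateSSTFromWU
)

# 1. Authenticode verdict for the DLL.
$sig = Get-AuthenticodeSignature -FilePath $DllPath
"Signature status : {0}" -f $sig.Status
"Status message   : {0}" -f $sig.StatusMessage
if (-not $sig.SignerCertificate) { throw "No signer certificate on $DllPath" }

# 2. Build the signer's chain without revocation lookups (offline machine).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($sig.SignerCertificate)
"Chain trusted    : $trusted"
foreach ($s in $chain.ChainStatus) {
    "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}

# 3. Name of the issuer where the chain ends. For a self-signed root this is the
#    root itself; for a partial chain it is the next certificate that is missing.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$needed = $top.IssuerName.Name
"Issuer needed    : $needed"

# 4. Is a certificate with that subject in the machine root store, and in the SST?
$inStore = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.SubjectName.Name -eq $needed })
"In LocalMachine\Root : {0}" -f ($inStore.Count -gt 0)

$sst = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$sst.Import((Resolve-Path $SstPath).Path)
$inSst = @($sst | Where-Object { $_.SubjectName.Name -eq $needed })
"In SST file          : {0}" -f ($inSst.Count -gt 0)
foreach ($c in $inSst) {
    "  {0}  valid until {1:yyyy-MM-dd}" -f $c.Thumbprint, $c.NotAfter
}
```

If the certificate is reported in the SST file but not in LocalMachine\Root, the import step has not taken effect yet. The script only covers the signer's chain, not the chain of any timestamp on the signature.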

Last update: Feb 02, 2023 08:36 AM