VOX

In Enterprise Vault 8 Symantec has followed Microsoft's recommendation to only use signed executable and DLLs to allow authenticity checks that are more reliable than Heuristic based malware detection.

On some customers builds this could lead to to error messages and the inability to start the Discovery Accelerator Manager Service.

This documents outlines the Problem and suggests different resolution options.

Error Message:

Could not start the Enterprise Vault Accelerator Manager Service service on Local Computer.
Error 1053: The service did not respond to the start or control request in a timely fashion.

Problem Summary:

Enterprise Vault (EV) Discovery Accelerator (DA) files are digitally signed.  This causes the Enterprise Vault Accelerator Manager Service (EVAMS) start to take longer to complete as there is an automatic check to Verisign to confirm the publisher certificate has not been revoked.

Cause:

 This problem occurs because the affected computer cannot reach the following Microsoft Web site: 
http://crl.microsoft.com/pki/crl/products/CSPCA.crl

This problem occurs because of the following behavior: 

When the Microsoft .NET Framework loads the Symantec DA assembly, the managed assembly calls the CryptoAPI function to verify the Authenticode signature on the assembly files to generate publisher evidence for the managed assembly.

The CryptoAPI function checks a Certificate Revocation List (CRL) that is available at http://crl.microsoft.com. This action requires an Internet connection. 

If the Internet connection is blocked, the outgoing HTTP requests may be dropped. Therefore, an error message is not returned. This problem may also occur if the computer cannot resolve http://crl.microsoft.com. 

This long delay causes the CRL check to time out. The Service Control Manager (SCM) determines that the service is taking too long to start and that the service has exceeded the maximum service start time. Therefore, the SCM reports the error message, and the Discovery Accelerator services are not started.

Resolution Options

To resolve this problem, you have the following options:

• Provide an Internet Connection to access the URL http://crl.microsoft.com.
• Disable Certificate Revokation in Internet Explorer
  
  On the DA server, open Internet Explorer and make the following change:

1. Click on the Tools drop down menu
2. Select Internet Options
3. Click on the Advanced tab
4. Uncheck the option Check for Publisher's certificate revocation
5. Click OK

The EVAMS service should now start correctly.

• The DA server does not have to have a connection to the Internet, but the delay is caused by the fact that it sends packets into a black hole. The CRL check is timing out because it never receives a response. 

If a router were to send a “no route to host” ICMP packet or similar error instead of just dropping the packets, the CRL check would fail right away, and the service would start. You can add an entry to crl.microsoft.com in the hosts file or on the DNS server and send the packets to a legitimate location on the network, such as 127.0.0.1, which will reject the connection. 

To do this, use a text editor to open the Windows\system32\drivers\etc\host file, and then add the following entry:
crl.microsoft.com 127.0.0.1

• Create configuration files for the Discovery Accelerator service:

(Important! You should save a copy of the existing configuration files to a safe location. If there is an error in a configuration file, the applicable service cannot start.)

You must create configuration files for the Enterprise Vault Accelerator Manager service.

How to create a new configuration file:

Open the  EnterpriseVaultAcceleratorManager.exe.config in a text editor.

Add the following code to the file.

<configuration>
  <runtime>
           <generatePublisherEvidence enabled="false" />
  </runtime>
</configuration>

Save the changes to the file.

I am not sure if the last option is supported, I am waiting confirmation on this.