Elastic Endpoint Crashes and digital signature error

Global_Helpdesk · January 24, 2023, 8:10pm

Hello,

I am seeing a problem with the Elastic Endpoint service on a couple of windows servers. When trying to start the service we get the error:

The Elastic Endpoint service failed to start due to the following error: 
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

There is no corruption on the server and the file is 100% valid. This started happening after a reboot. The Elastic Agent runs fine. When I try to run the process manually I get the following crash details:

Faulting application name: elastic-endpoint.exe, version: 8.4.2.0, time stamp: 0x63212a86
Faulting module name: ntdll.dll, version: 10.0.17763.3887, time stamp: 0x494079d6
Exception code: 0xc0000005
Fault offset: 0x0000000000015fff
Faulting process id: 0x944
Faulting application start time: 0x01d9302b6b7af2ba
Faulting application path: C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 41e35abc-1d67-4473-9189-2a62864737e4
Faulting package full name: 
Faulting package-relative application ID:

There are no crash dumps in C:\Program Files\Elastic\Endpoint\cache\CrashDumps

Is this a known issue?

NickFritts · January 25, 2023, 5:38am

Howdy @Global_Helpdesk

What version of Windows Server are you seeing this on? Is it up to date with Windows updates?

You should be able to run elastic-endpoint.exe version as a slightly easier way to test if the binary is able to run.

If it is not, could you please check the event logs on those servers under:
Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational
You can use the version command above to attempt to generate repeat error messages.

One of the more common reasons that you would see that error is if you have another security product that is attempting to load a dll within the elastic-endpoint service. Please ensure that you've added the endpoint process to exception lists for that kind of dll injection or API hooking in other security products.

NickFritts · January 25, 2023, 2:32pm

@Global_Helpdesk I remembered an additional issue that did affect 8.4.2: [BUG] 8.4 and 7.17.5/7.17.6 Windows Endpoints may wind up in a non-running state · Issue #29 · elastic/endpoint (github.com)

The issue was fixed in 8.4.3. What you describe with the issue happening following a reboot makes me suspect this is the cause.

system · February 22, 2023, 2:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Endpoint Security not starting. "Windows can not verify the digital signature" Endpoint Security elastic-stack-security	2	269	April 5, 2024
Elastic Endpoint 8.3.3 on Windows Server 2019 constantly restarting service Endpoint Security	3	748	September 23, 2022
Elastic Agent on Older Windows Disable Driver Signature Enforcement Beats elastic-agent	3	546	September 17, 2020
Unable to run endpoint-security through Elastic Agent SIEM elastic-agent	12	1726	September 4, 2020
Elastic Endpoint Security crashes and memory errors Endpoint Security	7	840	September 16, 2021

Elastic Endpoint Crashes and digital signature error

Related topics