The Case Of The Corrupt Download
Posted by William Diaz on August 23, 2011
The following error was being reported while internal users were trying to install the latest Flash Player from Adobe: “Internal error… ABORT: Certificate authentication failed, please re-install to correct the problem. (/0)”
I was able to reproduce it on my workstation, so I turned to Process Monitor to see what I could find. I did not filter for any particular process since any number of them could be involved. There were 66,000+ operations, so I would need to filter the results. Interested in the less common results, I went to Tools > Count Occurrences, set the filter for Results and saw an interesting NTSTATUS code:
Looking at the operation, I see a QueryEAFile, a query of the file extension attributes for the downloaded Flash Player installer:
0xC0000052 = The file or directory is corrupt and non-readable. But why was the file corrupt in every case? The little light bulb in my head went off and I recalled the Case of the Zip File That Wouldn’t Open. To confirm, I downloaded the installer again and saw the reported size of the file download in Internet Explorer:
However, the actual size of the download on the disk:
Looking at all the write operations for this file, we see the file is not being downloaded in its entirety: it should be reported at about 749,000 bytes, but only 735,000 bytes get through:
The cause: we use a popular cloud-based web security company to filter web traffic. When files are downloaded from the Internet, it looks for specific properties, and if the downloaded content matches whatever rules are being applied, it corrupts the download. Previously, we were only seeing this with zip files downloaded via the Internet that contained multiple binary files, but not individual exe’s. In this case, it may be unintended, but the web security company should be made aware. In the meantime, we can work around this by changing the IE proxy to an ISA that does not have web traffic filtered. Alternatively, we have also been able to download the complete Flash 10.3 in exe or msi format from here:
Adobe has acknowledged that this is an issue with various security software, including anti-virus products running on personal computers, not just corporate users sitting behind various layers of network security services. Here is a link from the Adobe site: http://kb2.adobe.com/cps/191/tn_19166.html#main_KnownIssues.
As pointed out in the comment below, if you are using IE 9, upon completing the download, you may be informed of the potentially harmful nature of this program:
This is because the digital signature is missing since the file was only partially downloaded. This is also not just limited to the Flash Player web installer download but also the Adobe Reader web installer; I would suspect that other Adobe web installers might also get flagged as malicious and succumb to the same problem.
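An Authenticode signature sits at the end of a signed executable, so a download that loses its tail loses the signature. The following is an added example, not code from the original post: it reads the PE header's Certificate Table entry and reports whether the signature blob it points to is actually present in the file. The function names and the sample file are constructed for illustration.

```python
import struct

SECURITY_DIR = 4  # index of the Certificate Table in the PE data directories

def signature_bounds(data: bytes):
    """Return (status, missing_bytes) for a PE image held in memory.

    status is 'unsigned', 'complete' or 'truncated'. Only the bounds of the
    signature blob are checked; the signature itself is not validated.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    opt = pe_off + 24                # "PE\0\0" (4) + COFF header (20)
    if len(data) < opt + 2 or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header")
    dirs = opt + (96 if magic == 0x10B else 112)
    entry = dirs + 8 * SECURITY_DIR
    if len(data) < entry + 8:
        raise ValueError("headers incomplete")
    (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    # For this directory the "address" field is a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    if count <= SECURITY_DIR or cert_off == 0 or cert_size == 0:
        return ("unsigned", 0)
    missing = cert_off + cert_size - len(data)
    return ("truncated", missing) if missing > 0 else ("complete", 0)

def build_sample(cert_len: int = 64) -> bytes:
    """Constructed minimal PE32 header plus a dummy signature blob."""
    pe_off = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", pe_off)
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    cert_off = pe_off + 24 + len(opt)
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, cert_off, cert_len)
    return dos + b"PE\0\0" + bytes(20) + bytes(opt) + bytes(cert_len)

if __name__ == "__main__":
    full = build_sample()
    print(signature_bounds(full))        # intact download
    print(signature_bounds(full[:-14]))  # tail cut off, as in a partial download
```

To check a real download, pass the file's bytes, for example `signature_bounds(open(path, "rb").read())`.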
Since encountering this, I have not been able to recreate the original NTSTATUS code I saw above, although the file properties remain the same. Instead, I see an access denied result when the web installer attempts to query Winsock2, which is part of the Microsoft Firewall Client for ISA.