Symptoms

Agent installation or update on Windows Server 2008 / R2, Windows 7, Vista fails with the following error:

Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source

Cause

The issue is caused by SHA-2 digital signatures missing on older Windows systems.

Over the last months, stricter driver signing algorithm enforcement started happening on the Windows side, and Microsoft started using the modern and stronger SHA2/SHA256 cryptographic algorithm for signing code such as drivers and user-space executables. This is all part of the industry-wide initiative to phase out the use of SHA1, which has been deemed no longer sufficiently secure for a few years.

Acronis Agents, starting from C21.02 (Build 26570) have switched to using SHA2/SHA256-bit crypto signatures for the various kernel driver components which the Agent needs to operate.

More information can be found at 2019 SHA-2 Code Signing Support requirement for Windows and WSUS

Solution

The special update supporting SHA-2 code signing should be installed for older Windows platforms before trying to install Acronis Agent:

• Windows 7 SP1 / Server 2008 / Server 2008 R2 need to install the following security updates (or apply all available updates in Windows Update):
  • SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: September 23, 2019
  • Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1: March 12, 2019
• Microsoft support for Windows Vista has ended in 2017. Windows Vista does not have a security update for SHA-2 support, so Acronis Cyber Protect Agent can no longer be installed on this operating system.