Files Approved By Publisher Being Blocked With Error IneligibleForApproval: ChainIdx[X] CounterChainIdx[X]
Article ID: 286043


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • A file signed by a trusted publisher is blocked
  • Block events state: "IneligibleForApproval: CounterChainIdx[X] CertId[XX]"
  • Block events state: "ValidationError[ErrorsListedHere]"

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

  • The correct publisher is not approved
  • The file isn't signed according to the local OS
  • Timing issue with publisher approval

Resolution

Step 1: Confirm the correct publisher is Approved

  1. In the Block Event, click the hash in the "Description" column
  2. File Details screen will open
  3. Under "File Properties" confirm Publisher, Publisher State, Certificate, Certificate Global State
    • If there is no Publisher or certificate listed, the file is not signed and is not eligible for Publisher Approval
  4. Click the hyperlinked name of the Publisher
  5. Confirm the State is Approved and that it applies to the correct Policy

Step 2: Confirm that both the file certificate and countersignature chains are valid:

Note:

  • Files identified as being from an approved publisher will only be approved if all certificates in the file certificate and countersignature (timestamping) chains for that file are considered valid by Windows.
  • For security, the Agent exclusively uses the machine store - not the per-user store.
  1. Confirm if there is a signature error in the "Execution block (unapproved file)" event for the file in question. Example:
    File '<FileNameHere>' [0C432...DFCFD] was blocked because it was unapproved. Publisher[<PublisherNameHere> AS (IneligibleForApproval: CounterChainIdx[1] CertId[256] ValidationError[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])]
    • Note this can also be checked via a local CMD prompt and the commands:
      cd "c:\Program Files (x86)\Bit9\Parity Agent"
      dascli password <CliPassword>
      dascli find <FullPathToFile>
  2. Confirm if the OS shows the same signature error.
    1. Open PowerShell as admin.
    2. Run the command:
      Get-AuthenticodeSignature -FilePath "<FullPathToFile>" | Format-List

If both the Agent (via the Block Event) and OS (verified using PowerShell) state the signature is invalid

This means that the file is not eligible for Publisher Approval. The Carbon Black App Control Agent is not responsible for updating the local certificate store. The machine administrator and/or networking team will need to troubleshoot this, potentially with the help of Microsoft. The information below can help determine which certificate chain is experiencing the issue, but resolving the issue is outside the scope of Carbon Black Support.

Note: The validation error has three parts

IneligibleForApproval: CounterChainIdx[1] CertId[256] ValidationError[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])
  • ChainIdx / CounterChainIdx
    • ChainIdx indicates the issue lies with the signature chain. CounterChainIdx indicates the issue lies with the countersignature (timestamping) chain.
    • A value of 0 indicates the leaf cert, 1 is the intermediate, and 2 is the root.
  • CertId
    • This is the ID that the local endpoint has assigned to the certificate. It is not the same ID as in the App Control Server database.
  • ValidationError
    • The CERT_TRUST_STATUS error value reported by Windows, shown as a hex value followed by the names of the flags that are set. The most common flags are described below.

 

CERT_TRUST_IS_PARTIAL_CHAIN (0x00010000)

Publisher[<PublisherNameHere> AS (IneligibleForApproval: CounterChainIdx[1] CertId[256] ValidationError[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])]

This indicates one of the certificates in the chain is missing.

  1. Open an admin CMD prompt and issue the commands:
    cd \program files (x86)\bit9\parity agent
    dascli password <Agent_CLI_password>
    dascli certchain 256
    Note: The value of 256 is based on the CertId[256] from the example message above. Replace this with the actual cert id in the error
  2. Example result:
    CertId[220] Parent[0] Publisher[Symantec SHA256 TimeStamping Signer - G2]
    Issuer[Symantec SHA256 TimeStamping CA]
    Note: In this example the Parent shows '0', indicating the Parent of this certificate does not exist on the endpoint. The certificate would need to be added to the local machine store to resolve this.

You can manually approve the certificate or, while not recommended, ignore any countersignature chain errors, which overrides the certificate chain errors:

 

CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x00000008)

Publisher[<PublisherNameHere> (IneligibleForApproval: CounterChainIdx[1] CertId[499] 
ValidationError[01000048:CERT_TRUST_IS_NOT_SIGNATURE_VALID:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_OFFLINE_REVOCATION])]

This indicates one of the certificates in the chain does not have a valid signature. The most common reason seen is that an older version of the intermediate certificate "Microsoft Time-Stamp PCA 2010" is in the endpoint's local certificate store, and the new version of the cert is not present or cannot be downloaded due to network restrictions.

  1. Open an admin CMD prompt and issue the commands:
    cd \program files (x86)\bit9\parity agent
    dascli password <Agent_CLI_password>
    dascli certchain 499
    Note: The value of 499 is based on the CertId[499] from the example message above. Replace this with the actual cert id in the error
  2. More information will be displayed on the invalid certificate.
  3. It may be possible to remediate this by:

 

CERT_TRUST_IS_NOT_TIME_VALID (0x00000001)

Publisher[<PublisherNameHere> (IneligibleForApproval: ChainIdx[0] CertId[29] Time Validity ValidFrom[11/13/2019 9:40:35 PM] ValidTo[2/11/2021 9:40:35 PM] SignatureTime[10/20/2023 3:00:32 AM])]

This indicates that the file was signed with a certificate that had already expired. If the file is trusted an alternative approval method (such as local approval or a custom rule) will need to be used. This issue can be confirmed by comparing the ValidTo and SignatureTime details in the Description of the Block Event. 

ValidFrom[11/13/2019 9:40:35 PM] ValidTo[2/11/2021 9:40:35 PM] SignatureTime[10/20/2023 3:00:32 AM])]

 

CERT_TRUST_IS_UNTRUSTED_ROOT (0x00000020)

This indicates the certificate (or certificate chain) the file was signed with is based on an untrusted root certificate. Typically in this situation the endpoint's local machine certificate store has outdated root certificates. Usually these are updated during Windows Updates. In the meantime, an alternative Approval Method will be required.

 

CERT_TRUST_IS_REVOKED (0x00000004)

Publisher[<PublisherNameHere> (IneligibleForApproval: ChainIdx[1] CertId[123] ValidationError[...CERT_TRUST_IS_REVOKED:CERT_TRUST_IS_UNTRUSTED_ROOT:CERT_TRUST_IS_EXPLICIT_DISTRUST...])]

A revoked certificate indicates it is invalid or compromised. If the file is trusted an alternative approval method (such as local approval or a custom rule) will need to be used.

 

TRUST_E_NOSIGNATURE (0x800B0100)

(IneligibleForApproval: SignatureError[0x800B0100])

This indicates the app package is incorrectly signed. If the file is trusted an alternative Approval Method (such as local approval or a custom rule) will need to be used.

 

All Others

Seeing a different error? The Validation error may be a combination of different errors. For example CertValidationError[0x00000005] is a combination of CERT_TRUST_IS_NOT_TIME_VALID (0x00000001) and CERT_TRUST_IS_REVOKED (0x00000004).

The full list, and more details, can be found on Microsoft's CERT_TRUST_STATUS page.
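As an added example (not part of this article or of the App Control product), the following Python decodes a block-event description of the form quoted above: it identifies which chain and which certificate position is affected, expands the ValidationError hex value into its CERT_TRUST_STATUS flags (so combined values such as 0x00000005 in the "All Others" section are split into their parts), and for the CERT_TRUST_IS_NOT_TIME_VALID case compares ValidTo with SignatureTime. The flag table covers only the status bits named in this article, and SAMPLE_EVENT is a constructed message modelled on the one quoted above.

```python
import re
from datetime import datetime

# Subset of CERT_TRUST_STATUS dwErrorStatus bit masks (documented Windows values)
CERT_TRUST_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
    0x04000000: "CERT_TRUST_IS_EXPLICIT_DISTRUST",
}
KNOWN_MASK = sum(CERT_TRUST_FLAGS)  # bits are distinct, so the sum equals the OR
CHAIN_POSITION = {0: "leaf", 1: "intermediate", 2: "root"}
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"  # layout of ValidTo[...] / SignatureTime[...]

SAMPLE_EVENT = (  # constructed sample, modelled on the block event quoted in this article
    "File '<FileNameHere>' [<HashHere>] was blocked because it was unapproved. Publisher[Example Corp AS "
    "(IneligibleForApproval: CounterChainIdx[1] CertId[256] ValidationError[01010040:"
    "CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])]")

def decode_flags(value):
    """Split a ValidationError hex value into CERT_TRUST_STATUS flag names."""
    names = [name for bit, name in CERT_TRUST_FLAGS.items() if value & bit]
    if value & ~KNOWN_MASK:  # surface bits this table does not cover
        names.append("UNKNOWN_BITS[0x%08X]" % (value & ~KNOWN_MASK))
    return names

def parse_block_event(description):
    """Return the IneligibleForApproval details from a block-event description."""
    m = re.search(r"(CounterChainIdx|ChainIdx)\[(\d+)\]\s+CertId\[(\d+)\]", description)
    if not m:
        return None  # not a certificate-chain ineligibility message
    result = {
        "chain": "countersignature" if m.group(1) == "CounterChainIdx" else "signature",
        "position": CHAIN_POSITION.get(int(m.group(2)), "index " + m.group(2)),
        "cert_id": int(m.group(3)),  # endpoint-local id: the argument to 'dascli certchain'
        "flags": [],
        "expired_at_signing": None,
    }
    v = re.search(r"ValidationError\[([0-9A-Fa-f]{8})", description)
    if v:
        result["flags"] = decode_flags(int(v.group(1), 16))
    t = re.search(r"ValidTo\[([^\]]+)\]\s+SignatureTime\[([^\]]+)\]", description)
    if t:  # CERT_TRUST_IS_NOT_TIME_VALID case: was the cert already expired when the file was signed?
        valid_to, signed_at = (datetime.strptime(s, TIME_FMT) for s in t.groups())
        result["expired_at_signing"] = signed_at > valid_to
    return result
```

Run parse_block_event(SAMPLE_EVENT) to see the decoded fields; "cert_id" is the value to pass to dascli certchain in the steps above.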

 

If the OS says the file signature is valid, and App Control does not

This may be because:

  1. There is a known issue with RFC 3161 timestamped counter certificates. This is being tracked under "EP-19251" and is currently targeted to be fixed in the upcoming 8.10 agent release.
  2. The file was written and executed before the App Control agent had a chance to process the certificates and approval.

In either of these circumstances, the below steps can be taken to re-align the agent with the OS.

  1. To manually re-evaluate run commands:
    • Locally via admin CMD:
      cd "c:\Program Files (x86)\Bit9\Parity Agent"
      dascli password <CliPassword>
      dascli validatecerts
    • Remotely via the Console:
      1. Navigate to Assets > Computers
      2. Select the View Details button for the endpoint in question
      3. On the right side of the page, click the Perform Cache Consistency Check option
      4. Select the level of depth for the scan "Rescan known files" and the "Re-evaluate publishers" option
      5. Click Go
  2. Check the status again:
    dascli find <FullPathToFile>
  3. If the issue still persists, contact support and provide:
    1. An export of the file events from the console (New unapproved File, Execution Block)
    2. An export of the event viewer logs
    3. The results of the commands from steps 2, 4, and 5.
    4. Agent logs