App Control: How to Query DAS for CounterChain Blocks

Article ID: 286585

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

How to query the App Control database (DAS) to identify the Publisher and Certificate information behind Block Events whose reason is "IneligibleForApproval: CounterChainIdx".

Environment

  • App Control Console: All Supported Versions
  • App Control Server: All Supported Versions
  • Microsoft SQL Server Management Studio: All Supported Versions

Resolution

  1. Collect the File Name and the full File Hash from the relevant Block Event; both are available in the "File Name" and "File Hash" columns of the event.
  2. Log in to the application server as the Carbon Black Service Account.
  3. Launch Microsoft SQL Server Management Studio and connect to the SQL Server hosting the DAS database using Windows Authentication.
  4. Click New Query and execute the following query, replacing BlockedFile.exe with the File Name collected in step 1:
    use das;
    select * from dbo.filenames with (nolock) where filename like '%BlockedFile.exe%';
    
  5. Note the filename_id returned and use it in place of AAAA in the next query; use the Hash value from the Block Event in place of BBBB:
    select timestamp_cert_id, hash from dbo.antibodies with (nolock) where filename_id = 'AAAA' AND hash = 'BBBB';
    
  6. Note the timestamp_cert_id and use it in place of CCCC in the next query:
    select publisher_id, subject_name, serial_number, thumbprint, valid_from, valid_to from dbo.certificates with (nolock) where cert_id = 'CCCC';
    
  7. This should return a single row containing the details of the Certificate that caused the Block Event.
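The three lookups in steps 4 through 6 can also be run as one query. The following T-SQL is an added example, not part of the original article: it uses the table and column names the article shows and joins dbo.antibodies.timestamp_cert_id to dbo.certificates.cert_id exactly as step 6 does, but the variable names, the NVARCHAR column types and the placeholder values are assumptions.

```sql
-- Added example (not from the original article): steps 4 to 6 combined.
-- Table and column names are those used in the article; the join between
-- antibodies.timestamp_cert_id and certificates.cert_id follows step 6.
-- Variable names, declared types and the placeholder values are assumed.
USE das;

-- Values taken from the Block Event (placeholders, replace before running)
DECLARE @FileName NVARCHAR(260) = N'BlockedFile.exe';            -- "File Name" column
DECLARE @FileHash NVARCHAR(128) = N'<hash from the Block Event>'; -- "File Hash" column

SELECT
    f.filename_id,        -- value the article calls AAAA
    f.filename,
    a.hash,               -- value the article calls BBBB
    a.timestamp_cert_id,  -- value the article calls CCCC
    c.publisher_id,       -- value the article calls ZZZZ
    c.subject_name,
    c.serial_number,
    c.thumbprint,
    c.valid_from,
    c.valid_to
FROM dbo.filenames AS f WITH (NOLOCK)
JOIN dbo.antibodies AS a WITH (NOLOCK)
    ON a.filename_id = f.filename_id
JOIN dbo.certificates AS c WITH (NOLOCK)
    ON c.cert_id = a.timestamp_cert_id
WHERE f.filename LIKE N'%' + @FileName + N'%'
  AND a.hash = @FileHash;
```

Because the file name is matched with LIKE, several filenames rows can match a short name; the hash predicate on dbo.antibodies is what narrows the result to the one file from the Block Event, so the query should still return a single row. If it returns more than one, compare the filename column in the output against the exact File Name from the event.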

Additional Information

  • The publisher_id can be used in place of ZZZZ to change the Certificate State to Approved via the Console: https://ServerAddress/publisher-details.php?publisher_id=ZZZZ
  • The Agent relies on the Windows Cryptographic API to validate these certificates; the error shown in the Block Event is the error returned by that API.
  • An extended discussion regarding these queries, and the reasons behind them, can be found in the Community Discussion here.
  • See the Related Content for additional articles to help with troubleshooting Publisher Approval issues.