CB Response: False Positive on Watchlist Query containing digsig_publisher



Article ID: 287711


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • A watchlist uses "-digsig_publisher" to exclude binaries signed by a specific publisher
  • The watchlist nevertheless generates a false positive for a binary that is actually signed by that publisher

Environment

  • CB Response:  All Versions

Cause

  • Binary signature information is collected by the sensor on each endpoint and uploaded to the server; the server does not verify signatures itself.
  • The false positive occurs when an endpoint uploads signature data for a copy of the binary that is not signed properly (for example unsigned, or with a signature that fails validation on that host), so the server's record for that md5 lacks the expected publisher.
  • The issue may recur each time an endpoint uploads invalid signature data for that md5.

Resolution

  1. Create a binary watchlist (not a process watchlist) that triggers only on binary data, so that it fires whenever an endpoint reports this md5 without the expected publisher:
(md5:"<md5>" AND -digsig_publisher:"<publisher>")
  2.  Enable alerting on the new watchlist.
  3.  The next time an endpoint reports this md5 without the publisher details, the alert will identify the reporting endpoint (hostname and sensor).
  4.  Follow up with your IT/system administrators on the state of the binary on that endpoint and why it is not properly signed. Fixing the unsigned copy on the endpoint will stop the false positives.
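The following Python is an added example, not code from this article or from Carbon Black. It builds the watchlist query from the steps above (escaping quotes in the publisher name), produces a request body for creating the watchlist over the REST API, and reduces a batch of watchlist alerts to the endpoints that keep reporting the md5 without publisher data, which is the list to hand to the system administrators in step 4. The REST endpoint shape (POST /api/v1/watchlist with "search_query" and "index_type": "modules") and the alert field names (hostname, sensor_id, md5, watchlist_name) are assumptions to verify against your server's API documentation; the alert records are constructed sample data.

```python
"""Added example (not from the article or Carbon Black): build the binary
watchlist from the Resolution steps and triage its alerts to find the
endpoints that report the md5 with wrong or missing publisher data."""
from collections import Counter
from urllib.parse import quote_plus


def build_watchlist_query(md5: str, publisher: str) -> str:
    """Query from the article: (md5:"<md5>" AND -digsig_publisher:"<publisher>").

    The md5 is lower-cased so saved queries stay uniform; embedded double
    quotes in the publisher name are escaped so the phrase stays one term.
    """
    pub = publisher.replace('"', '\\"')
    return f'(md5:"{md5.lower()}" AND -digsig_publisher:"{pub}")'


def watchlist_payload(name: str, md5: str, publisher: str) -> dict:
    """Request body for creating the watchlist over the REST API.

    Assumption: POST /api/v1/watchlist takes "search_query" as the URL-encoded
    'q=' string and "index_type": "modules" selects a binary (not process)
    watchlist. Verify against your server's API documentation before use.
    """
    return {
        "name": name,
        "index_type": "modules",
        "search_query": "q=" + quote_plus(build_watchlist_query(md5, publisher)),
    }


def reporting_endpoints(alerts: list, md5: str, watchlist_name: str) -> list:
    """Reduce watchlist alerts to the endpoints that triggered them.

    Each alert is a dict; the fields used (hostname, sensor_id, md5,
    watchlist_name) are assumed from the alert documents the server returns.
    Returns [(hostname, sensor_id, hit_count), ...] sorted by hit_count desc.
    """
    counts = Counter()
    for alert in alerts:
        if alert.get("watchlist_name") != watchlist_name:
            continue
        if alert.get("md5", "").lower() != md5.lower():
            continue
        counts[(alert["hostname"], alert["sensor_id"])] += 1
    return sorted(
        ((host, sid, n) for (host, sid), n in counts.items()),
        key=lambda t: (-t[2], t[0]),
    )


# Constructed sample data: two hits from one workstation, one from a server,
# and an unrelated alert from another watchlist that must be ignored.
SAMPLE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
SAMPLE_PUBLISHER = "Example Publisher, Inc."
SAMPLE_WATCHLIST = "FP triage - example.exe copies without publisher"
SAMPLE_ALERTS = [
    {"watchlist_name": SAMPLE_WATCHLIST, "md5": SAMPLE_MD5,
     "hostname": "WKSTN-042", "sensor_id": 17, "created_time": "2020-01-01T10:00:00Z"},
    {"watchlist_name": SAMPLE_WATCHLIST, "md5": SAMPLE_MD5.upper(),
     "hostname": "WKSTN-042", "sensor_id": 17, "created_time": "2020-01-02T10:00:00Z"},
    {"watchlist_name": SAMPLE_WATCHLIST, "md5": SAMPLE_MD5,
     "hostname": "SRV-FILE01", "sensor_id": 3, "created_time": "2020-01-02T11:00:00Z"},
    {"watchlist_name": "Other watchlist", "md5": "00000000000000000000000000000000",
     "hostname": "WKSTN-099", "sensor_id": 21, "created_time": "2020-01-02T12:00:00Z"},
]

if __name__ == "__main__":
    print(build_watchlist_query(SAMPLE_MD5, SAMPLE_PUBLISHER))
    print(watchlist_payload(SAMPLE_WATCHLIST, SAMPLE_MD5, SAMPLE_PUBLISHER))
    for host, sid, n in reporting_endpoints(SAMPLE_ALERTS, SAMPLE_MD5, SAMPLE_WATCHLIST):
        print(f"{host} (sensor {sid}): {n} hit(s) without expected publisher")
```

Run it as-is to see the query string, the request body and the per-endpoint hit counts for the sample alerts; in practice you would feed reporting_endpoints() the alerts pulled for the watchlist from your server. Keeping the md5 comparison case-insensitive matters because the same hash can appear in different case across alert and binary documents.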

Additional Information