• Watchlist using "-digsig_publisher" to exclude a specific publisher
• Watchlist generates false positive for a binary that is actually signed

• EDR Server: All Versions

• Binary signature information is gathered from the endpoints, not queried on server side
• Incorrect signature data uploaded from an endpoint where the binary is not signed properly
• Issue may repeat each time invalid signature data is uploaded from an endpoint

1. Create a watchlist that will trigger exclusively against binary data: 

(md5:"<md5>" AND -digsig_publisher:"<publisher>")

2.  Enable alerting against the created watchlist
3.  Once an endpoint reports the md5/binary without publisher details again, the alert will contain details of the reporting endpoint
4.  Follow-up with the systems regarding the state of the binary on the endpoint and why it is not properly signed.  Addressing the unsigned binary on the endpoint will stop future false-positives