EDR: Files Using Internal Publisher are Not Being Identified
Article ID: 287764

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Binary and process documents may show the publisher as missing or unavailable when the file is signed by an internal publisher (for example, a code-signing certificate issued by an organization's own CA rather than a public one).
  • For example, the following may be seen in the process document, where the signature status is reported but the publisher field is not populated:
    • {"digsig_result": "Signed", "digsig_publisher": "n/a"}

Environment

  • EDR Windows Sensor: All

Cause

  • The sensor does not parse the Authenticode certificate itself. It calls the Windows WinVerifyTrust function and reports what the operating system returns for the file's signature status and publisher, so the result depends on the certificate chain of the file and the trust configuration of the host the sensor is running on.

Resolution

  • Because the sensor relies on the Windows WinVerifyTrust function for the file's signature status, verify the file's signature and publisher on the endpoint itself with a utility such as sigcheck.exe from Sysinternals. If Windows reports the same signer (or no publisher) for the file, the sensor is reflecting what the OS returns rather than failing to read the signature.
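The following PowerShell script is an added example, not part of this article or of the Carbon Black EDR product, showing how to perform the check described above on the endpoint. It runs the same WinVerifyTrust-backed verification the sensor depends on (via Get-AuthenticodeSignature), walks the signer's certificate chain to show whether it terminates at a public or an internal root, and then runs sigcheck.exe for comparison. It assumes sigcheck.exe is on the PATH; the file path is a placeholder you supply.

```powershell
# Added example (not from the KB article): compare the EDR sensor's digsig fields
# with what Windows itself reports for a file's Authenticode signature.
# Assumption: sigcheck.exe (Sysinternals) is on PATH; $Path is supplied by the caller.
param(
    [Parameter(Mandatory)][string]$Path
)

# 1) WinVerifyTrust-backed verification, the same OS mechanism the sensor uses.
$sig = Get-AuthenticodeSignature -FilePath $Path

$publisher = 'n/a'
$issuer    = 'n/a'
$root      = 'n/a'

if ($sig.SignerCertificate) {
    $publisher = $sig.SignerCertificate.Subject
    $issuer    = $sig.SignerCertificate.Issuer

    # Build the chain locally to see which root the signer chains to. An in-house CA
    # root here is what this article means by an "internal publisher".
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($sig.SignerCertificate)
    $last  = $chain.ChainElements[$chain.ChainElements.Count - 1]
    $root  = $last.Certificate.Subject
}

[pscustomobject]@{
    File      = $Path
    Status    = $sig.Status        # Valid, NotSigned, NotTrusted, UnknownError, ...
    Publisher = $publisher         # compare with digsig_publisher in the EDR document
    Issuer    = $issuer
    RootCA    = $root              # public root vs. internal enterprise CA
} | Format-List

# 2) Sysinternals sigcheck for a second opinion. -i prints the catalog file (for
#    catalog-signed binaries) and the full signing chain.
if (Get-Command sigcheck.exe -ErrorAction SilentlyContinue) {
    sigcheck.exe -accepteula -nobanner -i $Path
} else {
    Write-Warning 'sigcheck.exe not found on PATH; only the Get-AuthenticodeSignature result is shown.'
}
```

Run it as `.\Check-Signer.ps1 -Path 'C:\Program Files\Vendor\app.exe'` on the endpoint where the sensor observed the process. A Status of Valid with a RootCA that is your organization's CA confirms an internally signed file; a Status of NotTrusted indicates the signing chain is not trusted on that host, which is also what WinVerifyTrust reports back to the sensor.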