EDR: Files Using Internal Publisher are Not Being Identified

EDR: Files Using Internal Publisher are Not Being Identified

search cancel

EDR: Files Using Internal Publisher are Not Being Identified

book

Article ID: 287764

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Binary/Process information may show publisher information missing or unavailable if the application is using an internal publisher.
For example, the following may be seen in the process document:
- ```
{"digsig_result": "Signed", "digsig_publisher": "n/a"}
```

Environment

EDR Windows Sensor: All

Cause

The sensor uses the Windows WinVerifyTrust function to ask the OS if the file is signed.

Resolution

Because the sensor uses Windows WinVerifyTrust function to check the signature status of the file, it is suggested to verify the status of the file's signature/publisher using a utility such as sigcheck.exe from Sysinternals.

Feedback

thumb_up Yes

thumb_down No