Carbon Black Console: Why are there inaccurate results when using negation on process_publisher_state queries?

Article ID: 287847

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Why do queries return processes that have a trusted signature or a verified signature when negating process_publisher_state:FILE_SIGNATURE_STATE_TRUSTED?

Environment

  • Carbon Black Cloud Web Console: All Versions
    • Enterprise EDR
  • Carbon Black Cloud Microsoft Windows Sensor: All Supported Versions

Resolution

  • Querying the negation of a process_publisher_state value returns every event whose state does not equal that particular value.
  • At this time there are 10 different values for the state, so negating only one value returns events in the other 9 states.

Additional Information

  • The 10 process_publisher_state states are listed below:
    • FILE_SIGNATURE_STATE_INVALID
    • FILE_SIGNATURE_STATE_SIGNED
    • FILE_SIGNATURE_STATE_VERIFIED
    • FILE_SIGNATURE_STATE_NOT_SIGNED
    • FILE_SIGNATURE_STATE_UNKNOWN
    • FILE_SIGNATURE_STATE_CHAINED
    • FILE_SIGNATURE_STATE_TRUSTED
    • FILE_SIGNATURE_STATE_OS
    • FILE_SIGNATURE_STATE_CATALOG_SIGNED
    • UNRECOGNIZED
  • Example:
    • process_name:schtasks.exe AND -process_publisher_state:FILE_SIGNATURE_STATE_SIGNED
    • Returns all schtasks.exe events with process_publisher_state of:
      • FILE_SIGNATURE_STATE_INVALID
      • FILE_SIGNATURE_STATE_VERIFIED
      • FILE_SIGNATURE_STATE_NOT_SIGNED
      • FILE_SIGNATURE_STATE_UNKNOWN
      • FILE_SIGNATURE_STATE_CHAINED
      • FILE_SIGNATURE_STATE_TRUSTED
      • FILE_SIGNATURE_STATE_OS
      • FILE_SIGNATURE_STATE_CATALOG_SIGNED
      • UNRECOGNIZED
    • To return only unsigned processes, either search for process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED directly or negate every state that is not wanted in the results.
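As an added example that is not part of the original article or Carbon Black's own code, the following Python simulates the `field:value`, `-field:value` and `AND` subset of the search syntax over constructed sample events (one schtasks.exe event per state, plus one unrelated process) to show that negating a single state matches the other nine, and that searching for the wanted state directly or negating all nine unwanted states yields the same single-state result. The field names and state values are taken from the article; the event records, the evaluator, and its treatment of events that lack the field are assumptions of this example, not the console's behaviour.

```python
"""Simulate Carbon Black Cloud search negation on process_publisher_state.

Added example, not Carbon Black code: a tiny evaluator for the
'field:value', '-field:value' and 'AND' subset of the query syntax,
run over constructed sample events.
"""
from typing import Dict, List, Tuple

# The ten process_publisher_state values listed in the article.
PUBLISHER_STATES = [
    "FILE_SIGNATURE_STATE_INVALID",
    "FILE_SIGNATURE_STATE_SIGNED",
    "FILE_SIGNATURE_STATE_VERIFIED",
    "FILE_SIGNATURE_STATE_NOT_SIGNED",
    "FILE_SIGNATURE_STATE_UNKNOWN",
    "FILE_SIGNATURE_STATE_CHAINED",
    "FILE_SIGNATURE_STATE_TRUSTED",
    "FILE_SIGNATURE_STATE_OS",
    "FILE_SIGNATURE_STATE_CATALOG_SIGNED",
    "UNRECOGNIZED",
]

# Constructed sample events (assumption of this example): one
# schtasks.exe event per state, plus an unrelated process so the
# process_name term has something to exclude.
EVENTS: List[Dict[str, str]] = [
    {"process_name": "schtasks.exe", "process_publisher_state": s}
    for s in PUBLISHER_STATES
] + [
    {"process_name": "notepad.exe",
     "process_publisher_state": "FILE_SIGNATURE_STATE_SIGNED"},
]

Term = Tuple[str, str, bool]  # (field, value, negated)


def parse_query(query: str) -> List[Term]:
    """Parse 'f:v AND -f:v ...' into terms. Only the AND-joined
    subset used in the article is supported."""
    terms: List[Term] = []
    for token in query.split():
        if token.upper() == "AND":
            continue
        negated = token.startswith("-")
        field, _, value = token.lstrip("-").partition(":")
        if not field or not value:
            raise ValueError(f"bad term: {token!r}")
        terms.append((field, value, negated))
    return terms


def matches(event: Dict[str, str], terms: List[Term]) -> bool:
    """Every positive term must hit and every negated term must miss.
    An event lacking the field is treated as a miss (assumption)."""
    for field, value, negated in terms:
        hit = event.get(field) == value
        if hit == negated:  # positive term missed, or negated term hit
            return False
    return True


def search(query: str, events: List[Dict[str, str]] = EVENTS) -> List[str]:
    """Return the publisher states of matching events, in event order."""
    terms = parse_query(query)
    return [e["process_publisher_state"] for e in events if matches(e, terms)]


def negate_all_except(keep: str) -> str:
    """Build the 'negate every unwanted state' form of the query."""
    return " AND ".join(
        f"-process_publisher_state:{s}" for s in PUBLISHER_STATES if s != keep
    )


if __name__ == "__main__":
    base = "process_name:schtasks.exe AND "
    # Negating one state: nine states come back, including TRUSTED/VERIFIED.
    print(search(base + "-process_publisher_state:FILE_SIGNATURE_STATE_SIGNED"))
    # Asking for the wanted state directly: exactly one state comes back.
    print(search(base + "process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED"))
    # Negating the other nine states gives the same single-state result.
    print(search(base + negate_all_except("FILE_SIGNATURE_STATE_NOT_SIGNED")))
```

Run as a script to see the three result lists side by side; the first list is the nine-state complement the article describes, the second and third are the single-state result that the positive term and the negate-everything-else form both produce.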