Carbon Black Cloud: Search for process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED Shows Signed Files

Article ID: 288334


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • A search for process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED returns files that are signed
  • Binary Details shows that the file is signed

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard
    • Enterprise EDR
  • Carbon Black Cloud Sensor: 3.x - 3.6.0.1979

Cause

Known issue with catalog signed files (DSEN-12143).

Resolution

Upgrade the sensor to 3.6.0.2076+, where this issue has been corrected.

Additional Information

https://community.carbonblack.com/t5/Carbon-Black-Cloud-Windows/tkb-p/release_notes_windows
  • Some recent Windows Updates resulted in Microsoft OS files being delivered before their external catalog that is used to verify their digital signature was registered. This resulted in the files appearing as not signed on first inspection, which could lead to tamper protection blocks and user-visible errors when launching repux. The CB sensor now reinspects operating system files that appear unsigned to reverify their digital signature and avoid the tamper blocks.
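
An added example (not Carbon Black code): one way to triage exported search hits so that NOT_SIGNED results reported by sensors in the affected range are re-verified instead of trusted. The record layout and the `sensor_version` and `process_name` field names are assumptions, and the sample hits are constructed.

```python
# Added example, not vendor code. Record layout and the sensor_version /
# process_name field names are assumptions; sample hits are constructed.
AFFECTED_MIN = (3, 0, 0, 0)      # "3.x" lower bound from the Environment section
AFFECTED_MAX = (3, 6, 0, 1979)   # last affected sensor build
FIXED_MIN = (3, 6, 0, 2076)      # first build with the fix (Resolution section)
NOT_SIGNED = "FILE_SIGNATURE_STATE_NOT_SIGNED"

def parse_version(text):
    """Turn '3.6.0.1979' into a 4-tuple of ints; None if malformed."""
    parts = (text or "").strip().split(".")
    ok = 1 <= len(parts) <= 4 and all(p.isascii() and p.isdigit() for p in parts)
    if not ok:
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))

def classify(hit):
    """Say how much weight a hit's NOT_SIGNED state deserves."""
    states = hit.get("process_publisher_state") or []
    if isinstance(states, str):      # tolerate a single string or a list
        states = [states]
    if NOT_SIGNED not in states:
        return "not_applicable"
    version = parse_version(hit.get("sensor_version"))
    if version is None:
        return "unknown_version"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "verify_signature"    # may be a catalog-signed file (DSEN-12143)
    if version >= FIXED_MIN:
        return "trust_state"
    return "outside_documented_range"  # builds the article does not mention

def triage(hits):
    """Group process names by classification label."""
    groups = {}
    for hit in hits:
        groups.setdefault(classify(hit), []).append(hit.get("process_name"))
    return groups

SAMPLE_HITS = [  # constructed records
    {"process_name": "a.exe", "sensor_version": "3.6.0.1979", "process_publisher_state": [NOT_SIGNED]},
    {"process_name": "b.exe", "sensor_version": "3.6.0.2076", "process_publisher_state": [NOT_SIGNED]},
    {"process_name": "c.exe", "sensor_version": "3.6.0.2000", "process_publisher_state": NOT_SIGNED},
    {"process_name": "d.exe", "sensor_version": "n/a", "process_publisher_state": [NOT_SIGNED]},
]

if __name__ == "__main__":
    for label, names in triage(SAMPLE_HITS).items():
        print(label, names)
```

Hits labelled `verify_signature` should be checked against Binary Details before they feed an unsigned-binary detection or exclusion decision.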