App Control: Custom Execution Rule with "File Publisher" criteria does not block a file with tampered certificate

Article ID: 288446

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • A Custom Execution Rule configured with "File Publisher" criteria using advanced options does not verify the associated publisher certificates.
  • A Custom Execution Rule with "File Publisher" criteria does not block a file with a tampered certificate.

Environment

  • App Control: All Versions

Cause

By product design, the "File Publisher" criteria performs a string match against the publisher information on the file but does not verify whether the certificate is valid.

Resolution

This is as per product design. Alternatively, the "Trusted Publisher" approval mechanism can be used to ensure certificate validation takes place at the time of analysis.
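
To see the difference between a publisher-name string match and actual certificate validation on a Windows endpoint, the following added example (not Carbon Black App Control code, and not from the vendor) reports both results side by side using the built-in `Get-AuthenticodeSignature` cmdlet. The function name, its parameters, and the use of the signer certificate Subject as the "publisher information" are assumptions made for illustration.

```powershell
# Added example, not Carbon Black App Control code. Function and parameter names are hypothetical.
# Assumption: "publisher information" is approximated by the signer certificate Subject.
function Test-PublisherVersusSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path,

        [Parameter(Mandatory)]
        [string]$ExpectedPublisher
    )
    process {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path

        # Name-only check: is the expected publisher text present in the signer subject?
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $nameHit = $subject.IndexOf($ExpectedPublisher, [StringComparison]::OrdinalIgnoreCase) -ge 0

        # Validation check: Status is 'Valid' only when the file hash matches the
        # signature and the certificate chain is trusted on this machine.
        $isValid = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid

        [pscustomobject]@{
            Path              = $Path
            SignerSubject     = $subject
            PublisherNameHit  = $nameHit
            SignatureStatus   = $sig.Status
            StatusMessage     = $sig.StatusMessage
            # The case this article describes: the name matches, the signature does not validate.
            NameHitButInvalid = $nameHit -and -not $isValid
        }
    }
}

# Sample run over local system binaries; the publisher string is a constructed sample value.
Get-ChildItem -Path "$env:SystemRoot\System32" -Filter *.exe -File |
    Select-Object -First 20 |
    Test-PublisherVersusSignature -ExpectedPublisher 'Microsoft' |
    Format-Table Path, PublisherNameHit, SignatureStatus, NameHitButInvalid -AutoSize
```

Rows where `NameHitButInvalid` is true are files that a name-only match would accept even though signature validation fails, for example with a `HashMismatch` status when the file was modified after signing.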