Use Windows CAPI2 Logs To Verify Partial Chain Errors

Article ID: 288979

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

How to use Windows CAPI2 logging to verify Partial Chain Errors

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

The Agent relies on the Windows Cryptographic API (CAPI) to validate the Publishers and Certificates associated with the relevant file(s). The following steps capture both what the Windows Crypto API returns during that validation and how the Agent interprets that result, so the two can be compared.

Step 1: Configure & Capture Relevant Logs

  1. Enable Windows CAPI2 Logging:
    1. Start > Run > eventvwr
    2. Local > Applications and Services Logs > Microsoft > Windows > CAPI2
    3. Right Click: Operational > Enable Log
    4. Right Click: Operational > Properties > Maximum Log Size (KB): 4096
  2. Increase Agent Debug Level & Trace Log:
    1. Use an administrative command prompt to issue:
      cd "C:\Program Files (x86)\Bit9\Parity Agent"
      dascli password GlobalCLIPassword
      dascli setconfigprop max_rolling_trace_size_mb=500
      dascli setconfigprop max_rolled_trace_logs_to_keep=6
      dascli debuglevel 6
      dascli kerneltrace 4
      dascli nettrace 1
    2. Export the results of the dascli find command with the relevant file:
      dascli find "C:\Path\To\SignedFile.exe" > "C:\Temp\dasclifind-pre.txt"
    3. Force the Agent to revalidate certificates:
      dascli validatecerts
    4. Wait for the task to complete, then export the results of the find command again with a different name:
      dascli find "C:\Path\To\SignedFile.exe" > "C:\Temp\dasclifind-post.txt"
  3. Use PowerShell to Capture Signature Results:
    1. In an administrative PowerShell window issue:
      Get-AuthenticodeSignature -FilePath "C:\Path\To\SignedFile.exe" | Format-List | Out-File -FilePath "C:\Temp\Authenticode.txt"
    2. Export a list of certificates in the Local Machine Store:
      Get-ChildItem Cert:\LocalMachine -Recurse | Format-List | Out-File -FilePath "C:\Temp\CertList.txt"
  4. Capture CAPI2:
    1. Event Viewer > Local > Applications and Services Logs > Microsoft > Windows
    2. CAPI2 > Right click Operational > Save All Events As...
    3. Choose location > Display information for these languages > English > OK
    4. Right click Operational > Disable Log.
  5. Capture Agent Logs & Return to Default:
    1. In the command prompt issue:
      dascli capture "C:\Temp\%ComputerName%-CAPI.zip"
      dascli password GlobalCLIPassword
      dascli setconfigprop max_rolling_trace_size_mb=50
      dascli setconfigprop max_rolled_trace_logs_to_keep=0

Step 2: Review Logs

  1. Open the captured Windows CAPI2 Logs and add filters:
    Event level: Error
    Event ID: 11
    Task Category: Build Chain
  2. Open the partial chain event for the specific certificate and scroll to the "Certificate Chain" section, for example:
    - Certificate
    [ fileRef] 0325BD505EDA96302DC22F4FA01E4C28BE2834C5.cer
    [ subjectName] TIMESTAMP-SHA256-2019-10-15
    ...
    - CertificateChain
    - ErrorStatus
    [ value] 1010040
    [ CERT_TRUST_REVOCATION_STATUS_UNKNOWN] true
    [ CERT_TRUST_IS_OFFLINE_REVOCATION] true
    [ CERT_TRUST_IS_PARTIAL_CHAIN] true
    • Compare against the PowerShell Authenticode results captured.
    • Compare against the dascli find results captured.
  3. Verify the Certificate(s) referenced are in the PowerShell CertList results captured.
    • For security reasons, the Agent requires certificates be present in the Local Machine (not Per-User) Store on the endpoint.
  4. If discrepancies are found, or if requested by Support:
    • Zip the exported Event Viewer log and the text file results.
    • Provide the Agent Logs and the zipped results to Support.
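
As an added example (not part of this article and not Carbon Black tooling), the PowerShell below automates the review in Step 2: it reads the CAPI2 log saved in Step 1, keeps only the Build Chain errors (Event ID 11, level Error), lists the CERT_TRUST_* flags each chain failed with, decodes the hex ErrorStatus value against the known wincrypt.h bits to confirm they agree, and checks whether every certificate CAPI2 referenced is present in the Local Machine store (and in which store). The log path is an assumption, and the sample event at the end is constructed from the values shown above so the parsing can be exercised without an .evtx file.

```powershell
# Added example, not part of the original article. Paths and the sample event are assumptions.

# Known CERT_TRUST_* error bits (wincrypt.h); used to decode the hex 'value' attribute
# and confirm it agrees with the named flags CAPI2 reports. Table is intentionally partial.
$CertTrustFlags = [ordered]@{
    CERT_TRUST_IS_NOT_TIME_VALID         = 0x00000001
    CERT_TRUST_IS_REVOKED                = 0x00000004
    CERT_TRUST_IS_NOT_SIGNATURE_VALID    = 0x00000008
    CERT_TRUST_IS_UNTRUSTED_ROOT         = 0x00000020
    CERT_TRUST_REVOCATION_STATUS_UNKNOWN = 0x00000040
    CERT_TRUST_IS_PARTIAL_CHAIN          = 0x00010000
    CERT_TRUST_IS_OFFLINE_REVOCATION     = 0x01000000
    CERT_TRUST_IS_EXPLICIT_DISTRUST      = 0x04000000
}

function Get-LocalMachineThumbprintIndex {
    # Map thumbprint -> LocalMachine store names holding that certificate (Root, CA, My, ...).
    # Store containers returned by -Recurse have no Thumbprint and are filtered out.
    $index = @{}
    Get-ChildItem Cert:\LocalMachine -Recurse | Where-Object { $_.Thumbprint } | ForEach-Object {
        $store = ($_.PSParentPath -split '\\')[-1]
        if (-not $index.ContainsKey($_.Thumbprint)) { $index[$_.Thumbprint] = @() }
        $index[$_.Thumbprint] += $store
    }
    return $index
}

function ConvertFrom-Capi2ChainEvent {
    param(
        [Parameter(Mandatory)][string]$EventXml,   # output of EventLogRecord.ToXml()
        [hashtable]$StoreIndex = @{}
    )
    $xml = [xml]$EventXml
    # CAPI2 event XML is namespaced; local-name() avoids needing a namespace manager.
    # Only the chain-level ErrorStatus is wanted, not the per-element TrustStatus ones.
    $status = $xml.SelectSingleNode("//*[local-name()='CertificateChain']/*[local-name()='ErrorStatus']")
    if (-not $status) { return }

    # 'value' is hex without a 0x prefix (e.g. 1010040 = 0x1010040)
    $value   = [Convert]::ToInt64($status.GetAttribute('value'), 16)
    $named   = @($status.Attributes | Where-Object { $_.Value -eq 'true' } | ForEach-Object Name)
    $decoded = @($CertTrustFlags.Keys | Where-Object { ($value -band $CertTrustFlags[$_]) -ne 0 })

    # Every Certificate element with a fileRef names a cert CAPI2 had in hand; the
    # fileRef is the SHA-1 thumbprint plus '.cer', which is what Cert:\ indexes by.
    $certs = foreach ($c in $xml.SelectNodes("//*[local-name()='Certificate'][@fileRef]")) {
        $thumb = ($c.GetAttribute('fileRef') -replace '\.cer$', '').ToUpperInvariant()
        [pscustomobject]@{
            Subject            = $c.GetAttribute('subjectName')
            Thumbprint         = $thumb
            LocalMachineStores = if ($StoreIndex.ContainsKey($thumb)) { $StoreIndex[$thumb] -join ',' } else { '<missing>' }
        }
    }

    [pscustomobject]@{
        ErrorStatus      = '0x{0:X}' -f $value
        NamedFlags       = $named -join ','
        DecodedFromValue = $decoded -join ','
        # Any decoded bit must also appear as a named attribute; otherwise the XML was misread.
        ValueAgreesWithNames = @($decoded | Where-Object { $named -notcontains $_ }).Count -eq 0
        PartialChain     = $named -contains 'CERT_TRUST_IS_PARTIAL_CHAIN'
        Certificates     = @($certs | Sort-Object Thumbprint -Unique)
    }
}

function Get-Capi2PartialChainReport {
    param([string]$Path = "C:\Temp\CAPI2.evtx")   # assumed: the 'Save All Events As...' output
    $index = Get-LocalMachineThumbprintIndex
    # Level 2 = Error; Event ID 11 = CertGetCertificateChain (Task Category 'Build Chain')
    Get-WinEvent -Path $Path -FilterXPath "*[System[(EventID=11) and (Level=2)]]" |
        ForEach-Object {
            $r = ConvertFrom-Capi2ChainEvent -EventXml $_.ToXml() -StoreIndex $index
            if ($r) { $r | Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru }
        }
}

# Constructed sample event using the values shown in the article, so the parser can be
# exercised without an .evtx. The real UserData namespace differs; local-name() copes.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>11</EventID><Level>2</Level></System>
  <UserData><CertGetCertificateChain>
    <Certificate fileRef="0325BD505EDA96302DC22F4FA01E4C28BE2834C5.cer" subjectName="TIMESTAMP-SHA256-2019-10-15"/>
    <CertificateChain>
      <ErrorStatus value="1010040" CERT_TRUST_REVOCATION_STATUS_UNKNOWN="true"
                   CERT_TRUST_IS_OFFLINE_REVOCATION="true" CERT_TRUST_IS_PARTIAL_CHAIN="true"/>
    </CertificateChain>
  </CertGetCertificateChain></UserData>
</Event>
'@

# Offline demonstration against the constructed event (empty store index => '<missing>'):
ConvertFrom-Capi2ChainEvent -EventXml $SampleEvent | Format-List
# On the endpoint, against the saved log and the live Local Machine store:
# Get-Capi2PartialChainReport -Path "C:\Temp\CAPI2.evtx" | Format-List
```

A chain flagged CERT_TRUST_IS_PARTIAL_CHAIN whose Certificates list shows an issuer as `<missing>` points at a certificate that exists only in a Per-User store or not at all; CERT_TRUST_IS_OFFLINE_REVOCATION alongside it is the signal to pull the network/proxy logs mentioned under Additional Information.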

Additional Information

It is recommended to coordinate this logging with additional logging at the network/firewall/proxy level, so that any changes needed to allow the outbound communication the Windows Crypto API uses to build the chain and check revocation can be identified.