CB Response: Incorrect digsig_result value

Article ID: 290361

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • The digsig_result binary metadata value on the CB Response server does not match the digital signature when validating locally on the endpoint.
  • The digsig_result binary metadata value on the CB Response server cycles between Signed and Unsigned, seemingly at random.

Environment

  • CB Response Server: All Versions
  • CB Response Windows Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Cause

A Microsoft patch has invalidated the catalog signature on a specific endpoint.

Resolution

This is not a CB Response issue. Contact Microsoft to understand why the catalog signature became invalid.

Additional Information

These symptoms occur because the sensor handles digsig_result very simply: it relies on WinVerifyTrust to return the signature status of a binary at the time of execution. Whatever result WinVerifyTrust returns for the binary, the sensor forwards to the server as digsig_result. For example:
  1. If WinVerifyTrust reports a file as Unsigned because the catalog signature on Host A was invalidated due to an underlying issue with Microsoft Windows, the binary metadata on the server will reflect a digsig_result of Unsigned.
  2. However, when the exact same binary executes on Host B, which has no catalog signature issues, and the binary is validly signed, the binary metadata on the server will be updated to reflect the correct digsig_result of Signed.
  • To determine the endpoint with the issue, CB Support recommends running sigcheck on every host that has a specific binary exhibiting this issue. However, CB does not assist with this.
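
One way to narrow down the affected endpoint once the per-host results have been gathered, as an added example that is not Carbon Black's code: it groups each host's local verdict by file hash and reports the hosts that disagree with the majority. The CSV layout (columns `host`, `sha256`, `verified`), the host names and the short hash placeholders are assumptions made for this sketch, and treating the majority verdict as the healthy one is also an assumption.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample, not real data: one row per host and file, as if each
# host's local signature check (for example sigcheck) had been collected.
# The column names and the short hash placeholders are assumptions.
SAMPLE = """host,sha256,verified
HOST-A,AA11,Unsigned
HOST-B,aa11,Signed
HOST-C,aa11,Signed
HOST-D,aa11,Signed
HOST-A,bb22,Signed
HOST-B,bb22,Signed
HOST-E,cc33,Unsigned
HOST-F,cc33,Signed
"""


def load_rows(text):
    """Parse the collected CSV into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_outlier_hosts(rows):
    """Per file hash, return hosts whose verdict differs from the majority."""
    by_hash = defaultdict(dict)
    for row in rows:
        # Normalise hash case so the same binary groups together.
        sha = row["sha256"].strip().lower()
        by_hash[sha][row["host"].strip()] = row["verified"].strip()
    report = {}
    for sha, verdicts in by_hash.items():
        counts = Counter(verdicts.values()).most_common()
        if len(counts) < 2:
            continue  # every sampled host agrees on this file
        if counts[0][1] == counts[1][1]:
            # No majority: list every host for manual review.
            report[sha] = {"majority": None, "outliers": sorted(verdicts)}
        else:
            majority = counts[0][0]
            outliers = sorted(h for h, v in verdicts.items() if v != majority)
            report[sha] = {"majority": majority, "outliers": outliers}
    return report


if __name__ == "__main__":
    for sha, entry in find_outlier_hosts(load_rows(SAMPLE)).items():
        print(sha, entry)
```

A host that appears as an outlier for many different binaries is a stronger candidate for the endpoint-level catalog problem described above than a host that disagrees on a single file.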