Publisher Blocks due to PARTIAL_CHAIN Errors on Internet Connected Devices

Article ID: 419210

Products

Carbon Black App Control

Issue/Introduction

Blocks on files approved by Trusted Publisher due to "CERT_TRUST_IS_PARTIAL_CHAIN" errors even when the device has unrestricted Internet connectivity:

Publisher[CrowdStrike, Inc. (IneligibleForApproval: CounterChainIdx[1] CertId[583] ValidationError[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])]

Environment

App Control Windows Agent: All Supported Versions

Cause

When a new certificate is discovered, the agent performs the following checks:

  • It makes an initial call to Windows CAPI to check the certificate and to build and validate the certificate chain.
  • This initial call is configured to use only locally cached certificate data; it does not make a network call to retrieve any missing certificate data.
  • This is done for performance reasons, as checking the local certificate cache is much faster and less resource intensive than a network fetch.
  • If this initial call fails, a second validation check is scheduled within 60 seconds. This second check goes out to the Internet to retrieve any missing certificate data needed to validate the chain.
  • If the second call is successful, the file is approved about a minute after it was created.

The issue is that when a brand new file is created and executed within 60 seconds of creation, and any certificate in the chain is missing from the local certificate cache on the machine, the file is blocked with a "PARTIAL_CHAIN" error and then approved a few seconds later once the second check completes.

Unfortunately, software updates that execute their downloaded files immediately will fail because of this behavior, and remain failed until the next time the upgrade is attempted.

Resolution

Best practices:

  • Distribute any newly discovered certificates needed for Publisher approvals to all endpoints via GPO or similar, so that the certificates are cached.
  • Consider manually approving any certificate that fails chain validation due to "PARTIAL_CHAIN" errors with this KB.
  • Countersigner (timestamping) certificate chain validation failures due to "PARTIAL_CHAIN" errors can be ignored with this KB.

Warning:

  • Apply the config to a Test Policy first and measure the performance impact when software updates are applied.
  • The agent config may cause higher CPU utilization and increased network bandwidth, because chain building can now wait on network retrieval.

This initial certificate validation behavior is adjustable via the following agent config:

  1. Navigate to: https://AppCServer/Agent_config.php
  2. Add Agent Config:
       Name: Cert Chain Retrieval via Network (or similar)
       Host ID: 0
       Value: cert_chain_flags=0x28000001
       Platform: Windows
       Create For: Apply to Test Policy first
  3. Save and Exit

Additional Information

0x28000001 - tells the agent to request that Windows CAPI use the network when building the chain.

0x8000005 (default) - only requests that Windows CAPI use locally cached certificates when building the chain.
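The block line quoted in the Issue section and the two cert_chain_flags values above can both be decoded with the public CERT_TRUST_* and CERT_CHAIN_* bit definitions from wincrypt.h. The following triage helper is an added example and is not part of this article or of the App Control agent; it assumes the agent passes cert_chain_flags through unchanged as the CertGetCertificateChain dwFlags value, and it classifies a block line by whether it is a partial-chain failure and whether it is on the countersigner (timestamp) chain, which this article says can be ignored.

```python
import re

# CERT_TRUST_* error-status bits from wincrypt.h (subset relevant to chain building).
CERT_TRUST_BITS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}
# CertGetCertificateChain dwFlags bit that restricts CAPI to the local cache (wincrypt.h).
# Assumption: the agent passes cert_chain_flags straight through as that dwFlags value.
CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL = 0x00000004

# Constructed sample: the block line quoted in the article, as one log line.
SAMPLE = ("Publisher[CrowdStrike, Inc. (IneligibleForApproval: CounterChainIdx[1] CertId[583] "
          "ValidationError[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:"
          "CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])]")

LINE_RE = re.compile(
    r"Publisher\[(?P<publisher>.*?) \((?P<reason>\w+):\s*"
    r"(?:CounterChainIdx\[(?P<counter>\d+)\]\s*)?CertId\[(?P<certid>\d+)\]\s*"
    r"ValidationError\[(?P<status>[0-9A-Fa-f]+):(?P<names>[^\]]+)\]")

def decode_trust_status(status):
    """Expand a CERT_TRUST error-status mask into flag names, lowest bit first."""
    return [name for bit, name in sorted(CERT_TRUST_BITS.items()) if status & bit]

def network_retrieval_enabled(cert_chain_flags):
    """True when cert_chain_flags lets CAPI fetch missing chain certs over the network."""
    return not cert_chain_flags & CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL

def triage_block(line):
    """Classify one publisher block line; returns None if it is not a validation block."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    status = int(m["status"], 16)
    decoded = decode_trust_status(status)
    return {
        "publisher": m["publisher"],
        "status": status,
        "flags": decoded,
        # the logged names should be exactly the bits set in the hex status
        "consistent": decoded == m["names"].split(":"),
        "partial_chain": "CERT_TRUST_IS_PARTIAL_CHAIN" in decoded,
        # a CounterChainIdx means the timestamping (countersigner) chain failed, not the signer's
        "countersigner_chain": m["counter"] is not None,
    }
```

Running triage_block over the sample line reports a partial-chain failure on the countersigner chain, and network_retrieval_enabled shows the default 0x8000005 keeps CAPI cache-only while 0x28000001 allows the network fetch.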

To manually check whether the system can build the certificate chain over the network, export the certificate from the file and run this in CMD:

certutil -f -urlfetch -verify certificatefile.cer