Note:
File '<FileNameHere>' [0C432...DFCFD] was blocked because it was unapproved. Publisher[<PublisherNameHere> AS (IneligibleForApproval: CounterChainIdx[1] CertId[256] ValidationError[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])]
cd "c:\Program Files (x86)\Bit9\Parity Agent"
dascli password <CliPassword>
dascli find <FullPathToFile>
Get-AuthenticodeSignature -FilePath "<FullPathToFile>" | Format-List
This means that the file is not eligible for Publisher Approval. The Carbon Black App Control Agent is not responsible for updating the local certificate store. The machine administrator and/or networking team will need to troubleshoot this, potentially with the help of Microsoft. The information below can help determine which certificate chain is experiencing the issue, but resolving the issue is outside the scope of Carbon Black Support.
Note: The validation error has three parts
IneligibleForApproval: CounterChainIdx[1] CertId[256] ValidationError[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])
Publisher[<PublisherNameHere> AS (IneligibleForApproval: CounterChainIdx[1] CertId[256] ValidationError[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])]
This indicates one of the certificates in the chain is missing.
cd \program files (x86)\bit9\parity agent
dascli password <Agent_CLI_password>
dascli certchain 256
Note: The value of 256 is based on the CertId[256] from the example message above. Replace this with the actual cert id in the error.
CertId[220] Parent[0] Publisher[Symantec SHA256 TimeStamping Signer - G2]
Issuer[Symantec SHA256 TimeStamping CA]
Note: In this example the Parent shows '0', indicating that the Parent of this certificate does not exist on the endpoint. The certificate would need to be added to the local machine store to resolve this. You can manually approve the certificate or, while not recommended, ignore any countersignature chain errors, which overrides the certificate chain errors.
Publisher[<PublisherNameHere> (IneligibleForApproval: CounterChainIdx[1] CertId[499]
ValidationError[01000048:CERT_TRUST_IS_NOT_SIGNATURE_VALID:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_OFFLINE_REVOCATION])]
This indicates one of the certificates in the chain does not have a valid signature. The most common reason seen is that an older version of the Intermediate Certificate "Microsoft Time-Stamp PCA 2010" is in the endpoint's local certificate store, and the new version of the cert is not present or cannot be downloaded due to network restrictions.
cd \program files (x86)\bit9\parity agent
dascli password <Agent_CLI_password>
dascli certchain 499
Note: The value of 499 is based on the CertId[499] from the example message above. Replace this with the actual cert id in the error
Publisher[<PublisherNameHere> (IneligibleForApproval: ChainIdx[0] CertId[29] Time Validity ValidFrom[11/13/2019 9:40:35 PM] ValidTo[2/11/2021 9:40:35 PM] SignatureTime[10/20/2023 3:00:32 AM])]
This indicates that the file was signed with a certificate that had already expired. If the file is trusted, an alternative approval method (such as local approval or a custom rule) will need to be used. This issue can be confirmed by comparing the ValidTo and SignatureTime details in the Description of the Block Event.
A ValidationError containing CERT_TRUST_IS_UNTRUSTED_ROOT indicates the certificate (or certificate chain) the file was signed with is based on an untrusted root certificate. Typically in this situation the endpoint's local machine certificate store has outdated root certificates. Usually these are updated during Windows Updates. In the meantime, an alternative Approval Method will be required.
Publisher[<PublisherNameHere> (IneligibleForApproval: ChainIdx[1] CertId[123] ValidationError[...CERT_TRUST_IS_REVOKED:CERT_TRUST_IS_UNTRUSTED_ROOT:CERT_TRUST_IS_EXPLICIT_DISTRUST...])]
A revoked certificate indicates it is invalid or compromised. If the file is trusted, an alternative approval method (such as local approval or a custom rule) will need to be used.
(IneligibleForApproval: SignatureError[0x800B0100])
This indicates the app package is incorrectly signed. If the file is trusted, an alternative Approval Method (such as local approval or a custom rule) will need to be used.
Seeing a different error? The Validation error may be a combination of different errors. For example, CertValidationError[0x00000005] is a combination of CERT_TRUST_IS_NOT_TIME_VALID (0x00000001) and CERT_TRUST_IS_REVOKED (0x00000004).
The full list, and more details, can be found on Microsoft's CERT_TRUST_STATUS page.
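The following is an added example, not part of the original article or the Carbon Black agent: it parses the IneligibleForApproval text from a Block Event and splits the 8-digit hex ValidationError value into its CERT_TRUST_STATUS flag names, so a combined value can be read without looking up each bit by hand. The flag table is a subset of Microsoft's documented dwErrorStatus bits (the ones that appear in the messages above plus a few common neighbours); any bit outside the table is reported rather than dropped.

```python
import re

# Subset of the CERT_TRUST_STATUS dwErrorStatus bits (values as documented by
# Microsoft); the flags the agent reports are ORed into the 8-digit hex field.
CERT_TRUST_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000002: "CERT_TRUST_IS_NOT_TIME_NESTED",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000010: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x00100000: "CERT_TRUST_HAS_WEAK_SIGNATURE",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
    0x04000000: "CERT_TRUST_IS_EXPLICIT_DISTRUST",
}
KNOWN_MASK = sum(CERT_TRUST_FLAGS)  # all bits in the table (keys are disjoint)

def decode_status(value):
    """Split a CERT_TRUST_STATUS value into flag names, lowest bit first."""
    names = [name for bit, name in sorted(CERT_TRUST_FLAGS.items()) if value & bit]
    if value & ~KNOWN_MASK:  # bits the table does not cover: report, don't drop
        names.append("UNLISTED_0x%08X" % (value & ~KNOWN_MASK))
    return names

# Matches the "(Counter)ChainIdx[n] CertId[n] ValidationError[hex:FLAG:...]"
# part of an IneligibleForApproval message; ValidationError is optional because
# time-validity messages carry ValidFrom/ValidTo/SignatureTime instead.
ERROR_RE = re.compile(
    r"(?P<counter>Counter)?ChainIdx\[(?P<idx>\d+)\]\s+CertId\[(?P<cert>\d+)\]"
    r"(?:\s+ValidationError\[(?P<hex>[0-9A-Fa-f]{8})(?P<named>(?::[A-Z_]+)*)\])?"
)

def parse_publisher_error(message):
    """Return chain position, cert id and decoded flags from a block message."""
    m = ERROR_RE.search(message)
    if not m:
        return None
    info = {"countersignature": m.group("counter") is not None,
            "chain_idx": int(m.group("idx")), "cert_id": int(m.group("cert"))}
    if m.group("hex"):
        info["flags"] = decode_status(int(m.group("hex"), 16))
        listed = [f for f in m.group("named").split(":") if f]
        # The names the agent prints should be exactly the bits in the hex value.
        info["names_match_hex"] = sorted(listed) == sorted(info["flags"])
    return info
```

Running it over the first example message above yields chain index 1 on the countersignature chain, CertId 256 and the three flags CERT_TRUST_REVOCATION_STATUS_UNKNOWN, CERT_TRUST_IS_PARTIAL_CHAIN and CERT_TRUST_IS_OFFLINE_REVOCATION, which is exactly what 0x01010040 encodes.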
This may be because:
In either of these circumstances, the steps below can be taken to re-align the agent with the OS.
cd "c:\Program Files (x86)\Bit9\Parity Agent"
dascli password <CliPassword>
dascli validatecerts
dascli find <FullPathToFile>