Files Approved By Publisher Being Blocked - IneligibleForApproval: ChainIdx[X] CounterChainIdx[X] CertId[XX]

Article ID: 286043


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • A file signed by a trusted publisher is blocked
  • Block events state: "IneligibleForApproval: CounterChainIdx[X] CertId[XX]"
  • Block events state: "ValidationError[ErrorsListedHere]"

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

  • The correct publisher is not approved
  • The file isn't signed according to the local OS
  • Timing issue with publisher approval

Resolution

Step 1: Confirm the correct publisher is approved.

  1. In the block event, click the hash in the "Description" column
  2. The File Details screen will open
  3. Under "File Properties" confirm the publisher, publisher state, certificate, and certificate global state
    • If no publisher or certificate is listed, the file is not signed and is not eligible for publisher approval
  4. Click the hyperlinked name of the publisher
  5. Confirm the state is Approved and that it applies to the correct policy

Step 2: Confirm the certificate chain is valid:

Note:

  • Files identified as being from an approved publisher will only be approved if all certificates in the certificate chain for that file are considered valid by Windows.
  • For security, the agent exclusively uses the machine store - not the per-user store
  1. Confirm whether there is a signature error in the "Execution block (unapproved file)" event for the file in question. Example:
    File '<FileNameHere>' [0C432...DFCFD] was blocked because it was unapproved. Publisher[<PublisherNameHere> AS (IneligibleForApproval: CounterChainIdx[1] CertId[256] ValidationError[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])]
    • Note: this can also be checked locally from an admin CMD prompt with the commands:
      cd "c:\Program Files (x86)\Bit9\Parity Agent"
      dascli password <CliPassword>
      dascli find <FullPathToFile>
  2. Confirm if the
  3. Confirm whether the OS reports the same signature error:
    1. Open PowerShell as admin.
    2. Run the command:
      Get-AuthenticodeSignature -FilePath "<FullPathToFile>" | Format-List
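The following PowerShell script is an added example, not code from the original article or from Carbon Black. It automates the comparison in Step 2: it runs Get-AuthenticodeSignature, then builds both the signer chain (ChainIdx) and the timestamp countersigner chain (CounterChainIdx) against the LocalMachine store only, as the note above says the agent does, and lists each chain element with the same 0/1/2 index convention the block events use. It goes one step beyond the article by also building the chain in the CurrentUser context, so a certificate that exists only in the per-user store (which the agent ignores) is called out. The script name and the column layout are assumptions.

```powershell
# Added example (not part of the original article or of the App Control product).
# Re-checks a file's Authenticode signature the way Step 2 describes: the signer
# chain (ChainIdx) and the countersigner/timestamp chain (CounterChainIdx) are built
# against the LocalMachine store only, and each element is listed with the index
# convention used in block events (0 = leaf, 1 = intermediate, 2 = root).
# Usage (script name is an assumption):  .\Check-SignerChain.ps1 -FilePath C:\path\to\file.exe
param(
    [Parameter(Mandatory = $true)]
    [string]$FilePath
)

function Get-ChainReport {
    # Builds a chain for $Certificate in the machine or user context and returns
    # whether it built, the combined status flags, and one row per chain element.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [bool]$MachineContext
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($MachineContext)
    # Ask for online revocation checking so offline/unknown revocation results are
    # reported as flags, matching what the agent records in ValidationError[...].
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    # NOTE: VerificationTime defaults to now. Authenticode evaluates the signer at the
    # countersignature time, so an expired-but-timestamped signer shows NotTimeValid here
    # even though Get-AuthenticodeSignature may still report Valid.
    $built = $chain.Build($Certificate)
    $rows = for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
        $el = $chain.ChainElements[$i]
        [pscustomobject]@{
            Idx      = $i                       # 0 = leaf, 1 = intermediate, 2 = root
            Subject  = $el.Certificate.Subject
            NotAfter = $el.Certificate.NotAfter
            Status   = if ($el.ChainElementStatus.Count -eq 0) { 'OK' } else { ($el.ChainElementStatus.Status -join ':') }
        }
    }
    [pscustomobject]@{
        Built    = $built
        Flags    = (($chain.ChainStatus.Status | Sort-Object -Unique) -join ':')
        Elements = $rows
    }
}

$sig = Get-AuthenticodeSignature -FilePath $FilePath
"Status        : $($sig.Status)"
"StatusMessage : $($sig.StatusMessage)"
if ($null -eq $sig.SignerCertificate) {
    Write-Warning "No signer certificate: the file is not signed and is not eligible for publisher approval."
    return
}

# Signature chain and, when the file is countersigned, the timestamp chain.
$targets = @([pscustomobject]@{ Name = 'ChainIdx'; Cert = $sig.SignerCertificate })
if ($sig.TimeStamperCertificate) {
    $targets += [pscustomobject]@{ Name = 'CounterChainIdx'; Cert = $sig.TimeStamperCertificate }
}

foreach ($t in $targets) {
    $machine = Get-ChainReport -Certificate $t.Cert -MachineContext $true
    "`n== $($t.Name): LocalMachine store  Built=$($machine.Built)  Flags=[$($machine.Flags)]"
    $machine.Elements | Format-Table -AutoSize | Out-String
    if (-not $machine.Built) {
        # The agent never consults the per-user store. If the same chain builds in the
        # CurrentUser context, the missing or newer certificate is installed for this
        # user only and must be imported into the LocalMachine store for the agent.
        $user = Get-ChainReport -Certificate $t.Cert -MachineContext $false
        if ($user.Built) {
            Write-Warning "$($t.Name): chain builds only in the CurrentUser context; import the missing certificate into the LocalMachine store."
        }
    }
}
```

Run it from an elevated PowerShell so the LocalMachine store and revocation lookups behave as they do for the agent. A PartialChain flag on the machine-context build together with a clean CurrentUser build is the per-user-store case from the note above; a PartialChain in both is a genuinely missing intermediate, which is the CERT_TRUST_IS_PARTIAL_CHAIN case described further down.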

If both the agent (via the block event) and the OS (verified using PowerShell) state the signature is invalid

This means that the file is not eligible for approval. The Carbon Black App Control Agent is not responsible for updating the local certificate store. The machine administrator and/or networking team will need to troubleshoot this, potentially with the help of Microsoft. The information below can help determine which certificate chain is experiencing the issue, but resolving the issue is outside the scope of Carbon Black Support.

Note: The validation error has three parts

IneligibleForApproval: CounterChainIdx[1] CertId[256] ValidationError[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION]
  • ChainIdx / CounterChainIdx
    • ChainIdx indicates the issue lies with the signature. CounterChainIdx indicates the issue lies with the countersignature (timestamp).
    • The value is the position of the failing certificate in that chain: 0 is the leaf cert, 1 is the intermediate, and 2 is the root.
  • CertId
    • This is the ID that the local endpoint has assigned to the certificate. It is not the same ID as in the App Control Server database. It is the value to pass to "dascli certchain <CertId>" on the endpoint.
  • ValidationError
    • The hexadecimal Windows certificate trust status code, followed by the names of the CERT_TRUST_* flags it is made up of. One code can combine several flags; the most common ones are described below.

CERT_TRUST_IS_PARTIAL_CHAIN (0x00010000)

Publisher[<PublisherNameHere> AS (IneligibleForApproval: CounterChainIdx[1] CertId[256] ValidationError[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])]

This indicates one of the certificates in the chain is missing.

  1. Open an admin CMD prompt and issue the commands:
    cd \program files (x86)\bit9\parity agent
    dascli password <Agent_CLI_password>
    dascli certchain 256
    Note: The value of 256 is based on the CertId[256] from the example message above. Replace this with the actual cert id in the error
  2. Example result:
    CertId[220] Parent[0] Publisher[Symantec SHA256 TimeStamping Signer - G2]
    Issuer[Symantec SHA256 TimeStamping CA]
    Note: In this example the Parent shows '0', indicating the Parent of this certificate does not exist on the endpoint. The certificate would need to be added to the local machine store to resolve this.

While not recommended, it is possible to manually approve or ignore counterchain (countersignature) certificates, which overrides the certificate validation process for that chain.

CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x00000008)

Publisher[<PublisherNameHere> (IneligibleForApproval: CounterChainIdx[1] CertId[499] 
ValidationError[01000048:CERT_TRUST_IS_NOT_SIGNATURE_VALID:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_OFFLINE_REVOCATION])]

This indicates one of the certificates in the chain does not have a valid signature. The most common cause seen is that an older version of the intermediate certificate "Microsoft Time-Stamp PCA 2010" is present in the endpoint's local certificate store, and the new version of the certificate is not present and cannot be downloaded due to network restrictions.

  1. Open an admin CMD prompt and issue the commands:
    cd \program files (x86)\bit9\parity agent
    dascli password <Agent_CLI_password>
    dascli certchain 499
    Note: The value of 499 is based on the CertId[499] from the example message above. Replace this with the actual cert id in the error
  2. More information will be displayed on the invalid certificate.
  3. It may be possible to remediate this by:

CERT_TRUST_IS_NOT_TIME_VALID (0x00000001)

Publisher[<PublisherNameHere> (IneligibleForApproval: ChainIdx[0] CertId[29] Time Validity ValidFrom[11/13/2019 9:40:35 PM] ValidTo[2/11/2021 9:40:35 PM] SignatureTime[10/20/2023 3:00:32 AM])]

This indicates that the file was signed with a certificate that had already expired: SignatureTime is later than ValidTo. If the file is trusted, an alternative approval method (such as local approval or a custom rule) will need to be used. This issue can be confirmed by comparing the ValidTo and SignatureTime details in the Description of the block event:

ValidFrom[11/13/2019 9:40:35 PM] ValidTo[2/11/2021 9:40:35 PM] SignatureTime[10/20/2023 3:00:32 AM])]

CERT_TRUST_IS_REVOKED (0x00000004)

Publisher[<PublisherNameHere> (IneligibleForApproval: ChainIdx[1] CertId[123] ValidationError[...CERT_TRUST_IS_REVOKED:CERT_TRUST_IS_UNTRUSTED_ROOT:CERT_TRUST_IS_EXPLICIT_DISTRUST...])]

A revoked certificate has been declared invalid by its issuing CA, typically because its private key was compromised or it was issued in error. If the file is trusted, an alternative approval method (such as local approval or a custom rule) will need to be used.

TRUST_E_NOSIGNATURE (0x800B0100)

(IneligibleForApproval: SignatureError[0x800B0100])

This indicates Windows found no valid Authenticode signature on the file, for example because the app package is incorrectly signed. If the file is trusted, an alternative approval method (such as local approval or a custom rule) will need to be used.

Other

Seeing a different error? The Validation error may be a combination of different errors. For example CertValidationError[0x00000005] is a combination of CERT_TRUST_IS_NOT_TIME_VALID (0x00000001) and CERT_TRUST_IS_REVOKED (0x00000004).

  1. Reference Microsoft's full list of CERT_TRUST_* error status flags (documented with the CERT_TRUST_STATUS structure in wincrypt.h).
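The following PowerShell is an added example, not code from the original article or from Carbon Black. It serves both the three-part breakdown of the validation error given earlier and the note in this section that a code can be a combination of flags: it pulls the chain, element index and CertId out of a block event description and decodes the hex value in ValidationError[...] / CertValidationError[...] into the CERT_TRUST_* flag names. The bit values are the CERT_TRUST_STATUS definitions from wincrypt.h; the sample descriptions are constructed to match the shape of the events quoted in this article (publisher names and the last CertId are placeholders).

```powershell
# Added example (not part of the original article or of the App Control product).
# Decodes the hex code in ValidationError[...] / CertValidationError[...] from a block
# event description into the Windows CERT_TRUST_* status flags it is composed of
# (bit values from the CERT_TRUST_STATUS definition in wincrypt.h), and reports which
# chain, element and CertId the error refers to.

$CertTrustFlags = [ordered]@{
    0x00000001 = 'CERT_TRUST_IS_NOT_TIME_VALID'
    0x00000002 = 'CERT_TRUST_IS_NOT_TIME_NESTED'
    0x00000004 = 'CERT_TRUST_IS_REVOKED'
    0x00000008 = 'CERT_TRUST_IS_NOT_SIGNATURE_VALID'
    0x00000010 = 'CERT_TRUST_IS_NOT_VALID_FOR_USAGE'
    0x00000020 = 'CERT_TRUST_IS_UNTRUSTED_ROOT'
    0x00000040 = 'CERT_TRUST_REVOCATION_STATUS_UNKNOWN'
    0x00000080 = 'CERT_TRUST_IS_CYCLIC'
    0x00000100 = 'CERT_TRUST_INVALID_EXTENSION'
    0x00000200 = 'CERT_TRUST_INVALID_POLICY_CONSTRAINTS'
    0x00000400 = 'CERT_TRUST_INVALID_BASIC_CONSTRAINTS'
    0x00000800 = 'CERT_TRUST_INVALID_NAME_CONSTRAINTS'
    0x00001000 = 'CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT'
    0x00002000 = 'CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT'
    0x00004000 = 'CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT'
    0x00008000 = 'CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT'
    0x00010000 = 'CERT_TRUST_IS_PARTIAL_CHAIN'
    0x00020000 = 'CERT_TRUST_CTL_IS_NOT_TIME_VALID'
    0x00040000 = 'CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID'
    0x00080000 = 'CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE'
    0x00100000 = 'CERT_TRUST_HAS_WEAK_SIGNATURE'
    0x01000000 = 'CERT_TRUST_IS_OFFLINE_REVOCATION'
    0x02000000 = 'CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY'
    0x04000000 = 'CERT_TRUST_IS_EXPLICIT_DISTRUST'
    0x08000000 = 'CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT'
}

function ConvertFrom-CertTrustCode {
    # '01010040' -> REVOCATION_STATUS_UNKNOWN + IS_PARTIAL_CHAIN + IS_OFFLINE_REVOCATION
    param([Parameter(Mandatory)][string]$Hex)
    $code = [Convert]::ToUInt32($Hex, 16)              # accepts '01010040' and '0x00000005'
    $names = @(); $covered = [uint32]0
    foreach ($e in $CertTrustFlags.GetEnumerator()) {
        $bit = [uint32]$e.Key
        if ($code -band $bit) { $names += $e.Value; $covered = $covered -bor $bit }
    }
    if ($code -ne $covered) { $names += ('UNKNOWN_BITS(0x{0:X8})' -f ($code -bxor $covered)) }
    [pscustomobject]@{ Code = ('0x{0:X8}' -f $code); Flags = $names }
}

function ConvertFrom-BlockEventDescription {
    # Pulls the "IneligibleForApproval" details out of one block event description.
    param([Parameter(Mandatory)][string]$Description)
    $where = [regex]::Match($Description, '(?<chain>CounterChainIdx|ChainIdx)\[(?<idx>\d+)\]\s*CertId\[(?<cert>\d+)\]')
    if (-not $where.Success) { return $null }
    $idx   = [int]$where.Groups['idx'].Value
    $role  = switch ($idx) { 0 { 'leaf' } 1 { 'intermediate' } 2 { 'root' } default { 'element' } }
    $chain = if ($where.Groups['chain'].Value -eq 'CounterChainIdx') { 'countersignature (timestamp)' } else { 'signature' }
    $out = [ordered]@{
        Chain   = $chain
        Element = "$idx ($role)"
        CertId  = [int]$where.Groups['cert'].Value   # endpoint-local id: dascli certchain <CertId>
        Code    = $null
        Flags   = @()
    }
    $err = [regex]::Match($Description, '(?:Cert)?ValidationError\[(?<code>(?:0x)?[0-9A-Fa-f]+)')
    if ($err.Success) {
        $d = ConvertFrom-CertTrustCode $err.Groups['code'].Value
        $out.Code = $d.Code; $out.Flags = $d.Flags
    }
    # "Time Validity" events carry no hex code; the check is SignatureTime vs ValidTo.
    $t = [regex]::Match($Description, 'ValidTo\[(?<to>[^\]]+)\].*?SignatureTime\[(?<st>[^\]]+)\]')
    if ($t.Success) {
        $inv = [cultureinfo]::InvariantCulture     # dates in the event text are month/day/year
        $validTo = [datetime]::Parse($t.Groups['to'].Value, $inv)
        $signed  = [datetime]::Parse($t.Groups['st'].Value, $inv)
        $out.Code  = 'TimeValidity'
        $out.Flags = if ($signed -gt $validTo) { @('CERT_TRUST_IS_NOT_TIME_VALID (signed after ValidTo)') } else { @('signed within validity period') }
    }
    [pscustomobject]$out
}

# Constructed samples, shaped like the block event descriptions quoted in this article.
$samples = @(
    "File 'app.exe' was blocked because it was unapproved. Publisher[Example Corp AS (IneligibleForApproval: CounterChainIdx[1] CertId[256] ValidationError[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])]",
    "Publisher[Example Corp (IneligibleForApproval: CounterChainIdx[1] CertId[499] ValidationError[01000048:CERT_TRUST_IS_NOT_SIGNATURE_VALID:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_OFFLINE_REVOCATION])]",
    "Publisher[Example Corp (IneligibleForApproval: ChainIdx[0] CertId[29] Time Validity ValidFrom[11/13/2019 9:40:35 PM] ValidTo[2/11/2021 9:40:35 PM] SignatureTime[10/20/2023 3:00:32 AM])]",
    "Publisher[Example Corp (IneligibleForApproval: ChainIdx[1] CertId[7] CertValidationError[0x00000005])]"
)
foreach ($s in $samples) { ConvertFrom-BlockEventDescription -Description $s | Format-List }
```

Feeding it an exported event list (one description per line) is a quick way to see whether a fleet-wide block is one missing intermediate (CERT_TRUST_IS_PARTIAL_CHAIN on the same CertId everywhere) or a mix of unrelated chain problems. The last sample reproduces the combination noted above: 0x00000005 decodes to CERT_TRUST_IS_NOT_TIME_VALID and CERT_TRUST_IS_REVOKED.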

If the OS says the file signature is valid, and App Control does not.

This may be due to:

  1. A known issue with RFC 3161 timestamped counter certificates. This is being tracked under "EP-19251" and is currently targeted to be fixed in the upcoming 8.10 agent release.
  2. The file was written and executed before the App Control agent had a chance to process its certificates and publisher approval.

In either of these circumstances, the below steps can be taken to re-align the agent with the OS.

  1. To manually re-evaluate run commands:
    • Locally via admin CMD:
      cd "c:\Program Files (x86)\Bit9\Parity Agent"
      dascli password <CliPassword>
      dascli validatecerts
    • Remotely via the Console:
      1. Navigate to Assets > Computers
      2. Select the View Details button for the endpoint in question
      3. On the right side of the page, click the Perform Cache Consistency Check option
      4. Select the scan depth 'Rescan known files' and check the "Re-evaluate publishers" option
      5. Click Go
  2. Check the status again:
    dascli find <FullPathToFile>
  3. If the issue still persists, contact support and provide:
    1. An export of the file events from the Console (New Unapproved File, Execution Block)
    2. An export of the Windows Event Viewer logs
    3. The output of the dascli commands run above (find, certchain, validatecerts)
    4. Agent logs