Troubleshoot Approved Publisher Blocks with Error IneligibleForApproval: ChainIdx[X] or CounterChainIdx[X]


Article ID: 286043


Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • A file signed by a Trusted Publisher is blocked
  • Description of Block Event includes:
    Publisher[Trusted Publisher LLC (IneligibleForApproval: ChainIdx[X] CertId[Y] CertValidationError[ErrorsListedHere])]

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

The Agent relies on the Microsoft Windows Cryptographic API (CAPI) to validate the publisher and certificate information. Windows builds and validates the certificate chain, contacting the issuing Certificate Authorities for revocation information where it can, and returns the result as a CERT_TRUST_STATUS value; that value is what appears in the ValidationError portion of the Block Event. Common reasons include (but are not limited to):

  • The correct publisher is not approved.
  • The file was signed with an invalid certificate.
  • One or more certificates in the chain are not in the Local Machine Store.
  • The issuing Certificate Authority has revoked the certificate.
  • A timing issue: the file was executed before the Agent had finished validating the Publisher.

Resolution

Step 1: Confirm the Correct Publisher Is Approved

  1. In the Block Event, click the hash in the "Description" column
  2. File Details screen will open
  3. Under "File Properties" confirm Publisher, Publisher State, Certificate, Certificate Global State
    • If there is no Publisher or certificate listed, the file is not signed and is not eligible for Publisher Approval
  4. Click the hyperlinked name of the Publisher
  5. Confirm the State is Approved and that it applies to the correct Policy

Step 2: Confirm the File Certificate and Countersignature Chains Are Valid

Notes and Reminders:

  • All certificates in the certificate chain for a file must be considered valid by Windows.
    • Example: Current Root Certificates must be installed on the endpoint for a certificate to be accepted.
  • For security, the Agent exclusively uses the Machine Store, not the Per-user Store.
  • More information can be found in the User Guide: Determining Which Certificates Can Approve Files
  1. Confirm if there is a signature error in the "Execution block (unapproved file)" event for the file in question. Example:
    File '<FileNameHere>' [0C432...DFCFD] was blocked because it was unapproved. Publisher[<PublisherNameHere> AS (IneligibleForApproval: CounterChainIdx[1] CertId[256] ValidationError[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])]
    • Note: this can also be checked locally from an administrative command prompt (GlobalPassword is the Agent's configured global password):
      cd "c:\Program Files (x86)\Bit9\Parity Agent"
      dascli password GlobalPassword
      dascli find <FullPathToFile>
  2. Confirm if the OS shows the same signature error.
    1. Open PowerShell as admin.
    2. Run the command:
      Get-AuthenticodeSignature -FilePath "<FullPathToFile>" | Format-List

If the OS Says the File Signature Is Valid, and App Control Does Not

This could be caused by:

  • The file being written and executed before the Agent had a chance to fully validate the relevant Certificate & Publisher information.
  • A known issue with RFC 3161 Timestamped Counter Certificates.
    • This is being tracked under EPCB-19251 and targeted to be fixed in the upcoming Agent 8.10.0 release.

In either of these circumstances, one of the methods below can be used to re-align the Agent with the OS.

  • Locally on the endpoint: (administrative command prompt)
    cd "c:\Program Files (x86)\Bit9\Parity Agent"
    dascli password GlobalPassword
    dascli validatecerts
  • Remotely via the Console:
    1. Navigate to Assets > Computers
    2. Select the View Details button for the endpoint in question
    3. On the right side of the page, click the Perform Cache Consistency Check option
    4. Select the scan depth 'Rescan known files' and check the 'Re-evaluate publishers' option
    5. Click Go

Check the status again:

dascli find <FullPathToFile>

If the issue persists, collect the following and open a case with Support

  1. The following Event CSVs from the Console > Reports > Events:
    1. Use the Saved View: Blocked Files (All)
      • Click Show Filters > Add Filter > Source > is > relevant Computer > Apply
      • Set the Max Age accordingly from the dropdown.
      • Click Export to CSV.
    2. Use the Saved View: New Files (All)
      • Click Show Filters > Add Filter > Source > is > relevant Computer > Apply.
      • Set the Max Age accordingly from the dropdown.
      • Click Export to CSV.
  2. The Agent/CAPI2 Logs as outlined here.

If both the Agent (via the Block Event) and OS (verified using PowerShell) state the signature is invalid

This means that the file is not eligible for Publisher Approval.

The Carbon Black App Control Agent is not responsible for updating the local certificate store. The machine administrator and/or networking team will need to troubleshoot this, potentially with the help of Microsoft.

The information below can help determine which certificate chain is experiencing the issue, but resolving the issue is outside the scope of Carbon Black Support.

Note: The validation error has three parts

IneligibleForApproval: CounterChainIdx[1] CertId[256] ValidationError[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])
  • ChainIdx / CounterChainIdx
    • ChainIdx indicates the issue lies with the file's signature chain. CounterChainIdx indicates the issue lies with the countersignature (timestamp) chain.
    • A value of 0 indicates the leaf cert, 1 is the intermediate, and 2 is the root.
  • CertId
    • This is the ID that the local endpoint has assigned to the certificate. It is not the same ID as in the App Control Server database; use it with dascli certchain <CertId> on that endpoint.
  • ValidationError
    • The CERT_TRUST_STATUS result returned by Windows: the hex value followed by the names of the flags set in it. A single hex value can combine several flags.

Example Validation Errors

The following are common examples of failed CERT_TRUST_STATUS validation results, and example troubleshooting steps as well as potential resolutions.

CertValidationError[0x01000041]

Publisher[<PublisherNameHere> (IneligibleForApproval: ChainIdx[1] CertId[307] ValidationError[0x01000041])]

This message is returned most commonly when Allow Approval of Software with Expired Certificates is disabled.

Solutions:

  1. Verify Approval with Expired Certificates is enabled:
    1. Log in to the Console and navigate to Settings > System Configuration > Advanced Options
    2. Locate the Expired Certificates setting and enable it.
    3. Wait for the endpoints to automatically re-validate Publishers & Certificates after changing this setting.
    4. Re-attempt execution after re-validation has completed on the endpoint.
  2. The relevant certificate may need to be Manually Approved via the Console.
    • While not recommended, this could override the Certificate Chain Errors.
    • If this is happening on the Counter Chain, some customers choose to Ignore Counter Chain Errors.
  3. Alternatively, follow these options to retroactively issue Local Approvals.

CERT_TRUST_IS_PARTIAL_CHAIN (0x00010000)

Publisher[<PublisherNameHere> AS (IneligibleForApproval: CounterChainIdx[1] CertId[256] ValidationError[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])]

This indicates one of the certificates in the chain (Code Signing or Counter Signing) is missing from the endpoint's Local Machine Store, so Windows cannot build a complete chain to a root.

  1. On the endpoint, use an administrative command prompt and issue the commands:
    cd "C:\program files (x86)\bit9\parity agent"
    dascli password GlobalPassword
    dascli certchain 256
    Note: The value of 256 is based on the CertId[256] from the example message above. Replace this with the actual cert id in the error
  2. Example result:
    CertId[220] Parent[0] Publisher[Symantec SHA256 TimeStamping Signer - G2]
    Issuer[Symantec SHA256 TimeStamping CA]
    Note: In this example the Parent shows '0', indicating the Parent of this certificate does not exist on the endpoint.

Solutions:

  • The relevant certificate would need to be added to the Local Machine Store on the endpoint.
  • The relevant certificate could be Manually Approved via the Console.
    • While not recommended, this would override Certificate Chain Errors.
  • If this is happening on the Counter Chain, some customers choose to Ignore Counter Chain Errors.

CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x00000008)

Publisher[<PublisherNameHere> (IneligibleForApproval: CounterChainIdx[1] CertId[499] 
ValidationError[01000048:CERT_TRUST_IS_NOT_SIGNATURE_VALID:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_OFFLINE_REVOCATION])]

This indicates one of the certificates in the chain does not have a valid signature. The most common cause seen is that an older version of the intermediate certificate "Microsoft Time-Stamp PCA 2010" is present in the endpoint's Local Certificate Store, and the new version of the certificate is either not present or cannot be downloaded due to network restrictions.

  1. On the endpoint, use an administrative command prompt and issue the commands:
    cd "C:\program files (x86)\bit9\parity agent"
    dascli password GlobalPassword
    dascli certchain 499
    Note: The value of 499 is based on the CertId[499] from the example message above. Replace this with the actual cert id in the error
  2. More information will be displayed on the invalid certificate.

Solutions:

  • Install the current version of the affected intermediate certificate in the endpoint's Local Machine Store (or allow the endpoint to download it).
  • If this is happening on the Counter Chain, some customers choose to Ignore Counter Chain Errors.
  • If the file is trusted and the certificate store cannot be corrected, use an alternative Approval Method (such as Local Approval or a Custom Rule).

CERT_TRUST_IS_NOT_TIME_VALID (0x00000001)

Publisher[<PublisherNameHere> (IneligibleForApproval: ChainIdx[0] CertId[29] Time Validity ValidFrom[11/13/2019 9:40:35 PM] ValidTo[2/11/2021 9:40:35 PM] SignatureTime[10/20/2023 3:00:32 AM])]

This indicates that the file was signed with a certificate that had already expired or that the file was signed at a time that was outside the Valid From-To period.

This issue can be confirmed by checking the ValidTo and SignatureTime details in the Description of the Block Event:

ValidFrom[11/13/2019 9:40:35 PM] ValidTo[2/11/2021 9:40:35 PM] SignatureTime[10/20/2023 3:00:32 AM])]

If the file is trusted, an alternative approval method (such as local approval or a custom rule) will need to be used.

Solutions:

  • This is a critical error: the Publisher Approval will not apply to the file while the certificate fails time validation.
  • Check if Expired Certificates are allowed in your environment on the System Configuration page > Advanced Options > Certificate Options > Check the box for "Allow approval of software with expired certificates"
  • If allowing "Expired Certificates" is not desired then issuing a manual certificate approval for the relevant certificate will bypass the error
  • It is also a best practice to have alternative Approval Methods in place for critical apps (such as File Creation Rules or Event rules to create Local Approvals)

CERT_TRUST_IS_UNTRUSTED_ROOT (0x00000020)

This indicates the certificate (or certificate chain) the file was signed with is based on an Untrusted Root Certificate. Typically in this situation the endpoint's Local Machine Certificate Store has outdated Root Certificates. Usually these are updated during Windows Updates.

Solutions:

  • This is a critical error, and Publisher Approvals cannot be used in this situation.
  • The file will require an alternative Approval Method (such as Local Approval or Custom Rule) instead.

CERT_TRUST_IS_REVOKED (0x00000004)

Publisher[<PublisherNameHere> (IneligibleForApproval: ChainIdx[1] CertId[123] ValidationError[...CERT_TRUST_IS_REVOKED:CERT_TRUST_IS_UNTRUSTED_ROOT:CERT_TRUST_IS_EXPLICIT_DISTRUST...])]

Certificates can be revoked for many reasons, by either the vendor or the issuing Certificate Authority. In these situations the certificate is no longer trusted; it may have been mis-issued or its private key compromised. If the file is trusted, an alternative Approval Method will be required.

Solutions:

  • This is a critical error, and Publisher Approvals cannot be used in this situation.
  • The file will require an alternative Approval Method (such as Local Approval or Custom Rule) instead.

TRUST_E_NOSIGNATURE (0x800B0100)

(IneligibleForApproval: SignatureError[0x800B0100])

This indicates the app package is incorrectly signed. Microsoft has more details on how to troubleshoot App Package Signature Errors. In the meantime, if the file is trusted an alternative Approval Method (such as local approval or a custom rule) will need to be used.

Solutions:

  • This is a critical error, and Publisher Approvals cannot be used in this situation.
  • The file will require an alternative Approval Method (such as Local Approval or Custom Rule) instead.

All Others

Seeing a different error? The Validation error may be a combination of different errors. Example: CertValidationError[0x00000005] is a combination of CERT_TRUST_IS_NOT_TIME_VALID (0x00000001) and CERT_TRUST_IS_REVOKED (0x00000004).
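The following Python script is an added example and is not part of this article or of the App Control product. It pulls the three parts of the error (ChainIdx/CounterChainIdx, CertId and the hex ValidationError) out of a Block Event description, splits the hex value into its CERT_TRUST_STATUS flag names (values taken from Microsoft's wincrypt.h), points at the matching troubleshooting branch above, and finds the Parent[0] break in dascli certchain output. The certchain output format is inferred from the article's example; the sample strings are constructed from the article's own examples.

```python
import re
from typing import NamedTuple, Optional

# CERT_TRUST_STATUS dwErrorStatus flags (values from Microsoft's wincrypt.h).
# The hex value in the Block Event is the bitwise OR of the flags that are set.
CERT_TRUST_ERROR_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000002: "CERT_TRUST_IS_NOT_TIME_NESTED",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000010: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00000080: "CERT_TRUST_IS_CYCLIC",
    0x00000100: "CERT_TRUST_INVALID_EXTENSION",
    0x00000200: "CERT_TRUST_INVALID_POLICY_CONSTRAINTS",
    0x00000400: "CERT_TRUST_INVALID_BASIC_CONSTRAINTS",
    0x00000800: "CERT_TRUST_INVALID_NAME_CONSTRAINTS",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x00020000: "CERT_TRUST_CTL_IS_NOT_TIME_VALID",
    0x00040000: "CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID",
    0x00080000: "CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE",
    0x00100000: "CERT_TRUST_HAS_WEAK_SIGNATURE",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
    0x02000000: "CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY",
    0x04000000: "CERT_TRUST_IS_EXPLICIT_DISTRUST",
    0x08000000: "CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT",
}

# Flags the article treats as fatal for Publisher Approval.
CRITICAL = {"CERT_TRUST_IS_REVOKED", "CERT_TRUST_IS_UNTRUSTED_ROOT",
            "CERT_TRUST_IS_EXPLICIT_DISTRUST"}

# Meaning of the ChainIdx / CounterChainIdx value, per the article.
CHAIN_POSITION = {0: "leaf", 1: "intermediate", 2: "root"}

_EVENT_RE = re.compile(
    r"IneligibleForApproval:\s*(?P<chain>ChainIdx|CounterChainIdx)\[(?P<idx>\d+)\]\s*"
    r"CertId\[(?P<cert>\d+)\].*?(?:Cert)?ValidationError\[(?:0x)?(?P<hex>[0-9A-Fa-f]+)",
    re.IGNORECASE,
)
# Format of a `dascli certchain` entry, inferred from the article's example (assumption).
_CHAIN_RE = re.compile(
    r"CertId\[(?P<cert>\d+)\]\s*Parent\[(?P<parent>\d+)\]\s*Publisher\[(?P<pub>[^\]]*)\]"
)


class ValidationError(NamedTuple):
    chain: str        # "signature" (ChainIdx) or "countersignature" (CounterChainIdx)
    position: str     # leaf / intermediate / root
    cert_id: int      # endpoint-local id, the argument for `dascli certchain`
    status: int       # raw CERT_TRUST_STATUS error value
    flags: tuple      # decoded flag names, lowest bit first


def decode_status(status: int) -> tuple:
    """Split a CERT_TRUST_STATUS error value into its named flag bits."""
    names, leftover = [], status
    for bit in sorted(CERT_TRUST_ERROR_FLAGS):
        if status & bit:
            names.append(CERT_TRUST_ERROR_FLAGS[bit])
            leftover &= ~bit
    if leftover:  # bits not in the table above; look them up on Microsoft's page
        names.append(f"UNKNOWN_BITS(0x{leftover:08X})")
    return tuple(names)


def parse_block_event(description: str) -> Optional[ValidationError]:
    """Extract chain, position, CertId and status from a Block Event description.
    Returns None for forms without a hex status (Time Validity, SignatureError)."""
    m = _EVENT_RE.search(description)
    if not m:
        return None
    chain = "signature" if m["chain"].lower() == "chainidx" else "countersignature"
    idx, status = int(m["idx"]), int(m["hex"], 16)
    return ValidationError(chain, CHAIN_POSITION.get(idx, f"index {idx}"),
                           int(m["cert"]), status, decode_status(status))


def triage(err: ValidationError) -> str:
    """Map the decoded flags onto the article's troubleshooting branches."""
    flags = set(err.flags)
    if flags & CRITICAL:
        return "critical: Publisher Approval cannot apply; use Local Approval or a Custom Rule"
    if "CERT_TRUST_IS_PARTIAL_CHAIN" in flags:
        return f"missing certificate: run `dascli certchain {err.cert_id}` and look for Parent[0]"
    if "CERT_TRUST_IS_NOT_SIGNATURE_VALID" in flags:
        return f"invalid certificate signature in chain: run `dascli certchain {err.cert_id}`"
    if "CERT_TRUST_IS_NOT_TIME_VALID" in flags:
        return "expired certificate: check 'Allow approval of software with expired certificates'"
    return "consult Microsoft's CERT_TRUST_STATUS reference for the remaining flags"


def find_chain_break(certchain_output: str) -> list:
    """Return (CertId, Publisher) for each certchain entry whose Parent is 0,
    i.e. whose issuing certificate is absent from the endpoint."""
    return [(int(m["cert"]), m["pub"]) for m in _CHAIN_RE.finditer(certchain_output)
            if int(m["parent"]) == 0]


# Constructed sample inputs, built from the article's own examples.
SAMPLE_EVENT = ("File 'setup.exe' [0C432...DFCFD] was blocked because it was unapproved. "
                "Publisher[Example AS (IneligibleForApproval: CounterChainIdx[1] CertId[256] "
                "ValidationError[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:"
                "CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])]")
SAMPLE_CHAIN = ("CertId[220] Parent[0] Publisher[Symantec SHA256 TimeStamping Signer - G2] "
                "Issuer[Symantec SHA256 TimeStamping CA]")

if __name__ == "__main__":
    err = parse_block_event(SAMPLE_EVENT)
    print(err, "->", triage(err))
    print("chain break at:", find_chain_break(SAMPLE_CHAIN))
```

Feed it the Description text from the Block Event (or the output of dascli find) and the output of dascli certchain for the CertId it reports; decode_status on its own is enough to expand a bare value such as 0x00000005 into its constituent flags.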

The full list, and more details, can be found on Microsoft's CERT_TRUST_STATUS page.