App Control: How to Approve Certificates With Counter Chain Errors

Environment

  • App Control Console:  All Supported Versions
  • Microsoft SQL Server: All Supported Versions

Symptoms

  • Block Events for files from a Publisher that was set to Approved contain a Description similar to:
    Publisher[Microsoft (IneligibleForApproval: CounterChainIdx[1] CertId[123] ValidationError[...CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_NOT_SIGNATURE_VALID:CERT_TRUST_IS_OFFLINE_REVOCATION...

Cause

  • The App Control Agent validates both the Code Signing (File Publisher) certificate chain and the Counter Signature (Timestamping) certificate chain before a file can be approved by Publisher; if either chain fails validation, the file is ineligible for Publisher approval.
  • The validation is performed by querying the Windows Cryptographic API (CryptoAPI), which can fail for many reasons. The CERT_TRUST_* flags in the Description identify the failing check: CERT_TRUST_IS_PARTIAL_CHAIN means a chain could not be built to a trusted root (typically a missing intermediate or root certificate), CERT_TRUST_IS_NOT_SIGNATURE_VALID means a signature in the chain did not verify, and CERT_TRUST_IS_OFFLINE_REVOCATION means the revocation check could not reach the CRL/OCSP endpoint.
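The following PowerShell script is an added example, not code from the original article or from App Control itself. It reproduces the two chain validations described above (code signing certificate and counter signature certificate) through the same Windows CryptoAPI that the Agent queries, using .NET X509Chain, and names the failing CERT_TRUST_* conditions so the root cause can be identified before anything is approved. It assumes it is run on a Windows endpoint against the blocked file; the EKU OIDs and the flag-name mapping are standard CryptoAPI values, not App Control settings.

```powershell
# Added example, not code from the original article or from App Control.
# Reproduces the code signing and counter signature chain validations through
# Windows CryptoAPI (via .NET X509Chain) and reports the failing CERT_TRUST_* flags.
# Assumption: run on a Windows host with the blocked file available at $Path.
param([Parameter(Mandatory = $true)][string]$Path)

# X509ChainStatusFlags bits mirror the CryptoAPI CERT_TRUST_STATUS error bits.
$CryptoApiName = @{
    PartialChain            = 'CERT_TRUST_IS_PARTIAL_CHAIN'
    NotSignatureValid       = 'CERT_TRUST_IS_NOT_SIGNATURE_VALID'
    OfflineRevocation       = 'CERT_TRUST_IS_OFFLINE_REVOCATION'
    RevocationStatusUnknown = 'CERT_TRUST_REVOCATION_STATUS_UNKNOWN'
    UntrustedRoot           = 'CERT_TRUST_IS_UNTRUSTED_ROOT'
    NotTimeValid            = 'CERT_TRUST_IS_NOT_TIME_VALID'
    Revoked                 = 'CERT_TRUST_IS_REVOKED'
}

function Test-SignerChain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Label,
        [string]$EkuOid
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation checking is what turns an unreachable CRL/OCSP endpoint
    # into CERT_TRUST_IS_OFFLINE_REVOCATION; switch to 'NoCheck' to confirm that theory.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    # Require the EKU the certificate is actually used for (code signing vs. timestamping).
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $EkuOid)) | Out-Null
    $built = $chain.Build($Cert)
    $errors = foreach ($s in $chain.ChainStatus) {
        $flag = $s.Status.ToString()
        $name = if ($CryptoApiName.ContainsKey($flag)) { $CryptoApiName[$flag] } else { $flag }
        "$name ($($s.StatusInformation.Trim()))"
    }
    [pscustomobject]@{
        Chain      = $Label
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint.ToLower()   # same lowercase form the Console shows
        ChainBuilt = $built
        # The chain CryptoAPI managed to build; a short path plus PartialChain points at a missing issuer.
        Path       = ($chain.ChainElements | ForEach-Object { $_.Certificate.GetNameInfo('SimpleName', $false) }) -join ' -> '
        Errors     = $errors -join '; '
    }
}

$sig = Get-AuthenticodeSignature -FilePath $Path
if (-not $sig.SignerCertificate) { throw "$Path is not Authenticode signed (status: $($sig.Status))" }

# The File Publisher (code signing) certificate: EKU id-kp-codeSigning.
Test-SignerChain -Cert $sig.SignerCertificate -Label 'CodeSigning' -EkuOid '1.3.6.1.5.5.7.3.3'

# The countersigner (the CounterChainIdx chain in the Block Event): EKU id-kp-timeStamping.
if ($sig.TimeStamperCertificate) {
    Test-SignerChain -Cert $sig.TimeStamperCertificate -Label 'CounterSignature' -EkuOid '1.3.6.1.5.5.7.3.8'
} else {
    Write-Warning "$Path carries no counter signature; only the code signing chain applies."
}
```

Run it as `.\Test-SignerChains.ps1 -Path C:\path\to\blocked.exe` on the endpoint that raised the Block Event, since the chain building and revocation lookups happen against that host's certificate stores and network path. The Thumbprint in the CounterSignature row is the value the Console procedure below asks you to locate. If the only error reported is NotTimeValid on an old file whose timestamping certificate has since expired, set `$chain.ChainPolicy.VerificationTime` to the signing time before judging the chain; that flag is not the one shown in the Block Event above.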

Resolution

  • App Control Server 8.10 introduced the ability to find and approve the counter signature certificate from the Console.
  • In 8.9 and below, the Console cannot search for the counter signature certificate, so a query of the database is needed to identify it.

Server 8.10.0+
  1. Click the File Hash in the Description of the Block Event.
  2. From the File Details page > File Properties > click the Certificate shown in Countersigner Certificate.
  3. Copy the Thumbprint shown (Example: 8d45082f8a6e5ab1b2526844050e874f26d91c0c)
  4. Click the Publisher name.
  5. Expand All Certificates For This Publisher
  6. Click Show Filters > Thumbprint > is: <paste the Thumbprint>
  7. Check the box > Action > Approve Certificate(s)

Server 8.9.6 and below:
  1. Log in to the application server hosting the App Control Console as the Carbon Black Service Account.
  2. Launch SQL Server Management Studio and, using the SHA-256 hash from the Block Event, execute the following query (replacing SHA256HERE with the actual hash):
    use das;
    select publisher_id, subject_name, serial_number, thumbprint, valid_from, valid_to
    from dbo.certificates with (nolock)
    where cert_id in (select timestamp_cert_id from dbo.antibodies with (nolock) where hash = 'SHA256HERE');
  3. This should return a single row containing the publisher_id and the details of the counter signature certificate that caused the Block Event.
  4. Using the publisher_id returned, navigate to the following URL (replacing XXXX with the publisher_id):
    https://ServerAddress/publisher-details.php?publisher_id=XXXX
  5. On the Publisher Details page, expand All Certificates and locate the certificate using the thumbprint or serial number returned in Step 2.
  6. Select the checkbox of the certificate > Action > Approve Certificates
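The following PowerShell script is an added example, not part of the original article, that performs Steps 2 through 4 of the 8.9.6 procedure from a PowerShell session on the application server: it runs the same lookup against the das database as a parameterized query instead of pasting the hash into the SQL text, and prints the Publisher Details URL for each row returned. The table and column names are the ones the article uses; the SQL instance name and Console host name are assumptions you must replace.

```powershell
# Added example, not code from the original article or from App Control.
# Runs the counter signature certificate lookup from the 8.9.6 procedure as a
# parameterized query and prints the Publisher Details URL to open next.
# Assumptions: the SQL instance and Console host below; run as the Carbon Black
# Service Account so Integrated Security reaches the das database.
param(
    [Parameter(Mandatory = $true)][string]$Sha256,
    [string]$SqlInstance = 'localhost',              # assumption: default instance on the app server
    [string]$ConsoleHost = 'appcontrol.example.com'  # assumption: Console FQDN
)

# Reject anything that is not a 64-hex-digit SHA-256 before it reaches the database.
if ($Sha256 -notmatch '^[0-9A-Fa-f]{64}$') { throw "Not a SHA-256 hash: $Sha256" }

# Same query as the article's Step 2, with @hash bound as a parameter.
$query = @"
select c.publisher_id, c.subject_name, c.serial_number, c.thumbprint, c.valid_from, c.valid_to
from dbo.certificates c with (nolock)
where c.cert_id in (select a.timestamp_cert_id from dbo.antibodies a with (nolock) where a.hash = @hash);
"@

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlInstance;Database=das;Integrated Security=True"
$rows = @()
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $cmd.Parameters.AddWithValue('@hash', $Sha256) | Out-Null
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        $rows += [pscustomobject]@{
            PublisherId  = $reader['publisher_id']
            Subject      = $reader['subject_name']
            SerialNumber = $reader['serial_number']
            Thumbprint   = $reader['thumbprint']
            ValidFrom    = $reader['valid_from']
            ValidTo      = $reader['valid_to']
        }
    }
    $reader.Close()
} finally {
    $conn.Close()
}

if ($rows.Count -eq 0) {
    Write-Warning "No counter signature certificate is recorded for $Sha256; check the hash against the Block Event."
    return
}
if ($rows.Count -gt 1) {
    Write-Warning "Expected one row but got $($rows.Count); review each before approving."
}
foreach ($r in $rows) {
    $r | Format-List
    # Step 4: the Publisher Details page where All Certificates can be expanded and filtered.
    Write-Output "https://$ConsoleHost/publisher-details.php?publisher_id=$($r.PublisherId)"
}
```

Run it as `.\Find-CounterSignerCert.ps1 -Sha256 <hash from the Block Event> -SqlInstance <instance> -ConsoleHost <server address>`; the Thumbprint and SerialNumber in the output are what you match against in Step 5, and the printed URL replaces the manual edit of XXXX in Step 4.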

Additional Notes

  • Once the Certificate state is set to Approved, the Agent no longer requires Windows Crypto API validation of that certificate.
  • Setting the Publisher to Approved is not enough to bypass this type of failure; the counter signature certificate itself must be approved.
  • These steps may need to be repeated if the Counter Signature Certificate changes.
  • The same Counter Signature Certificate can be used by multiple Code Signing Certificates, so approving it can resolve Block Events for more than one Publisher.
  • The best practice is to determine the root cause of the Windows Crypto API validation failure, such as:
  • Additional information on this is available in a Community Discussion post here.

Article Information

Creation Date: 01-25-2019