Knowledge Base

Access official resources from Carbon Black experts

Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Environment

App Control Agent: All Supported Versions
App Control Console: All Supported Versions

Symptoms

The Agent is enforcing Execution Blocks due to, "CERT_TRUST_IS_NOT_TIME_VALID".

Cause

The vendor has failed to properly sign the blocked file, as the NOT_TIME_VALID error indicates the file was signed outside the Valid From and Valid To dates of the signing certificate.

This can typically be confirmed in the Description of the relevant Block Event:

Time Validity ValidFrom[1/4/2021 3:46:40 PM] ValidTo[12/31/2021 9:33:38 PM] SignatureTime[9/16/2022 6:00:50 AM])]

Resolution

Files experiencing this validation error cannot be approved via Publisher Approval.
Until the vendor releases an updated file that is correctly signed, an alternate Approval Method will need to be used, such as a Global Approval of the hash or a Custom Rule to allow the execution.

Additional Notes

Expired certificates are allowed; however, the file must be signed during the Validation time frame of the signing certificate. If not, this could be an invalid/falsely signed file.
Certificate details can also be viewed/confirmed with the PowerShell command:
```
Get-AuthenticodeSignature -FilePath "C:\Path\To\File.dll" | Format-List
```

Related Content

CERT_TRUST_STATUS (wincrypt.h) - Win32 apps
App Control: How To Use Windows CAPI2 Logs To Verify Partial Chain Errors
App Control: Will the Agent Approve Files Signed With an Expired Certificate?

Article Information

Author:

Creation Date:

‎09-08-2020

Views:

2888

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.