App Control: CERT_TRUST_IS_REVOKED Causing Blocks for Signed Files

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions


Execution Block Events for signed files from an Approved Publisher contain a Description similar to:
Publisher[Microsoft (IneligibleForApproval: ChainIdx[1] CertId[123] ValidationError[...CERT_TRUST_IS_REVOKED:CERT_TRUST_IS_UNTRUSTED_ROOT:CERT_TRUST_IS_EXPLICIT_DISTRUST...


  • Trust for a certificate in the certificate chain has been revoked by the issuing certificate authority.
  • The signed file is ineligible to be approved via Publisher Approval and is subsequently blocked as an Unapproved file.


An alternative Approval Method will need to be used, such as a Global Approval of the hash or a Custom Rule to allow the execution.

Additional Notes

  • A revoked certificate is invalid or compromised and should not be relied upon to determine a file's validity.
  • Signed files are only Approved if all certificates on the code-signing and countersigning chain can be validated.
  • Certificate validation is performed at the OS-level by the Cryptographic API on Microsoft Windows.
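
To confirm on the endpoint which certificate Windows reports as revoked before choosing an alternative Approval Method, the chain can be rebuilt with the OS validation APIs. The following is an added example, not part of the original article or the product: Get-CertChainStatus is a hypothetical helper name, the file path is a placeholder, and the Index shown is the position in the chain .NET builds, which is only assumed to line up with the ChainIdx in the event.

```powershell
# Added example: rebuild the signing and countersigning chains with revocation
# checking and list the per-certificate status Windows reports.
function Get-CertChainStatus {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Role
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation (CRL/OCSP) for every certificate in the chain.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    [void]$chain.Build($Certificate)

    for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
        $element = $chain.ChainElements[$i]
        # X509ChainStatusFlags values: Revoked, UntrustedRoot and ExplicitDistrust
        # correspond to CERT_TRUST_IS_REVOKED, CERT_TRUST_IS_UNTRUSTED_ROOT and
        # CERT_TRUST_IS_EXPLICIT_DISTRUST.
        $flags = @($element.ChainElementStatus | ForEach-Object { $_.Status })
        [pscustomobject]@{
            Role       = $Role
            Index      = $i
            Subject    = $element.Certificate.Subject
            Thumbprint = $element.Certificate.Thumbprint
            Status     = if ($flags) { $flags -join ', ' } else { 'NoError' }
            Revoked    = $flags -contains 'Revoked'
        }
    }
    $chain.Reset()
}

$path = 'C:\Path\To\BlockedFile.exe'   # placeholder: the file named in the block event
$sig  = Get-AuthenticodeSignature -FilePath $path
"Authenticode status: $($sig.Status) - $($sig.StatusMessage)"

$results = @()
if ($sig.SignerCertificate) {
    $results += Get-CertChainStatus -Certificate $sig.SignerCertificate -Role 'Signer'
}
if ($sig.TimeStamperCertificate) {
    $results += Get-CertChainStatus -Certificate $sig.TimeStamperCertificate -Role 'Countersigner'
}
$results | Format-Table -AutoSize

# SHA-256 of the file, to identify it if a hash-based approval is chosen.
(Get-FileHash -Path $path -Algorithm SHA256).Hash
```

If the endpoint cannot reach the CRL or OCSP locations, the status shows RevocationStatusUnknown or OfflineRevocation rather than Revoked, so run the check from a host with the same network access as the agent.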

