Environment
- App Control Console: All Supported Versions
- App Control Agent: All Supported Versions
Symptoms
Execution Block Events for signed files from an Approved Publisher contain a Description similar to:
Publisher[Microsoft (IneligibleForApproval: ChainIdx[1] CertId[123] ValidationError[...CERT_TRUST_IS_REVOKED:CERT_TRUST_IS_UNTRUSTED_ROOT:CERT_TRUST_IS_EXPLICIT_DISTRUST...
Cause
- Trust for a certificate in the certificate chain has been revoked by the issuing certificate authority.
- The signed file is ineligible to be approved via Publisher Approval and is subsequently blocked as an Unapproved file.
Resolution
An alternative Approval Method will need to be used, such as a Global Approval of the hash or a Custom Rule to allow the execution.
Additional Notes
- A revoked certificate is invalid or compromised and should not be relied upon to determine a file's validity.
- Signed files are only Approved if all certificates on the code-signing and countersigning chain can be validated.
- Certificate validation is performed at the OS level by the Cryptographic API on Microsoft Windows.
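To find which block events stem from a revoked certificate, and therefore need an alternative Approval Method, the Description text can be parsed as in this added example (not vendor code). It assumes event descriptions are available as plain strings; the sample lines are constructed from the pattern shown under Symptoms, and the function names are hypothetical.

```python
import re
from collections import Counter

# Patterns follow the Description text quoted under Symptoms. Anything past the
# "..." elisions is unknown, so every match tolerates truncated input.
PUBLISHER = re.compile(r"Publisher\[(.+?) \(IneligibleForApproval:")
CHAIN_IDX = re.compile(r"ChainIdx\[(\d+)\]")
CERT_ID = re.compile(r"CertId\[(\d+)\]")
TRUST_FLAG = re.compile(r"CERT_TRUST_[A-Z_]+")

# Constructed sample descriptions (not real console output).
SAMPLE_EVENTS = [
    "Publisher[Microsoft (IneligibleForApproval: ChainIdx[1] CertId[123] "
    "ValidationError[...CERT_TRUST_IS_REVOKED:CERT_TRUST_IS_UNTRUSTED_ROOT:"
    "CERT_TRUST_IS_EXPLICIT_DISTRUST...",
    "Publisher[Example Vendor (IneligibleForApproval: ChainIdx[0] CertId[456] "
    "ValidationError[...CERT_TRUST_IS_NOT_TIME_VALID...",
    "Publisher[Microsoft (IneligibleForApproval: ChainIdx[1] CertId[123] "
    "ValidationError[...CERT_TRUST_IS_REVOKED...",
    "File 'setup.exe' was blocked because it was unapproved.",
]

def _int_field(pattern, text):
    match = pattern.search(text)
    return int(match.group(1)) if match else None

def parse_description(text):
    """Return the parsed fields, or None if this is not an IneligibleForApproval event."""
    pub = PUBLISHER.search(text)
    if pub is None:
        return None
    # Read flags only after "ValidationError[" so a publisher name cannot supply them.
    tail = text.partition("ValidationError[")[2]
    flags = sorted(set(TRUST_FLAG.findall(tail)))
    return {"publisher": pub.group(1),
            "chain_idx": _int_field(CHAIN_IDX, text),
            "cert_id": _int_field(CERT_ID, text),
            "flags": flags,
            "revoked": "CERT_TRUST_IS_REVOKED" in flags}

def revoked_summary(descriptions):
    """Count block events per (publisher, CertId) where the chain reports revocation."""
    counts = Counter()
    for text in descriptions:
        event = parse_description(text)
        if event and event["revoked"]:
            counts[(event["publisher"], event["cert_id"])] += 1
    return counts

if __name__ == "__main__":
    for (publisher, cert_id), n in revoked_summary(SAMPLE_EVENTS).items():
        print(f"{publisher}: CertId {cert_id} revoked, {n} block event(s)")
```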