Environment
- App Control Agent: All Supported Versions
- Microsoft Windows: All Supported Versions
Symptoms
- A file signed by a trusted publisher is blocked
- Block events state: "IneligibleForAppoval: CounterChainIdx[X] CertId[XX]"
- Block events state: "ValidationError[ErrorsListedHere]"
Cause
Possible causes:
- The publisher listed on the certificate is different from the publisher that is trusted in the console
- The file isn't signed
- Windows was not able to verify the certificate
- Crypt32 is not functioning correctly or cannot retrieve certificate revocation information (CRL/OCSP)
- Timing issue with publisher approval
Resolution
1. Confirm that the file is signed and that the correct publisher is approved:
- In the block event, click the hash in the "Description" column
- The "File Details" screen opens
- Under "File Properties", confirm the publisher, publisher state, certificate and certificate global state
- If no publisher or certificate is listed, the file is not signed and is not eligible for publisher approval
- Click the hyperlinked name of the publisher
- Confirm that the state is Approved and that the approval applies to the policy the blocked endpoint is in
2. Confirm that the OS sees the file as properly signed:
- Open an elevated (Run as administrator) PowerShell prompt on the device. Get-AuthenticodeSignature is a PowerShell cmdlet and will not run from a plain CMD prompt.
- Run the command:
Get-AuthenticodeSignature -FilePath "<FullPathToFile>" | Format-List
- If Status is anything other than Valid (for example NotSigned, HashMismatch, NotTrusted or UnknownError): the App Control agent will also treat the signature as invalid, because it relies on the OS for this verdict. A list of the underlying Microsoft trust-status error codes can be found here - CERT_TRUST_STATUS structure
- If Status is Valid: continue to step 4.
3. Confirm whether the OS is having issues updating its certificate store:
- Log in to the endpoint experiencing the blocks
- Go to Start > Run > type eventvwr
- Event Viewer opens
- In the left-hand pane, expand Windows Logs > Application
- Check for crypt32 and CAPI2 errors (root list auto-update, CRL/OCSP retrieval or chain-building failures). The more detailed CAPI2 Operational log, under Applications and Services Logs > Microsoft > Windows > CAPI2, is disabled by default and must be enabled before the block is reproduced.
4. Determine what error the App Control agent has for the file:
- In the block event, check for errors such as "IneligibleForAppoval" and "ValidationError"
- On the endpoint, run the following commands (the password command unlocks the CLI and must be run first):
cd "c:\Program Files (x86)\Bit9\Parity Agent"
dascli password <CliPassword>
dascli find <FullPathToFile>
dascli certinfo <FullPathToFile> 0 user
dascli certinfo <FullPathToFile> 0 machine
5. If Windows reports the signature as valid but the App Control agent does not, the file may have been written and executed before the agent had a chance to process the certificates and the publisher approval.
- To manually re-evaluate, run the commands:
cd "c:\Program Files (x86)\Bit9\Parity Agent"
dascli password <CliPassword>
dascli validatecerts
- Check the status again:
dascli find <FullPathToFile>
dascli certinfo <FullPathToFile> 0 user
dascli certinfo <FullPathToFile> 0 machine
6. If the issue still persists, please contact Support and provide:
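As an added example, not from the original KB article or from the App Control product, the PowerShell script below runs steps 2 to 5 against one file in a single pass: it records the Get-AuthenticodeSignature verdict the agent relies on, builds the certificate chain with online revocation checking so each failing trust flag is listed instead of a bare UnknownError, pulls recent crypt32/CAPI2 warnings and errors, and then runs the dascli commands from the steps above verbatim. Assumptions: the agent is installed in the default "c:\Program Files (x86)\Bit9\Parity Agent" directory (override with -AgentDir), the CLI password is supplied by the operator (-CliPassword), and the CAPI2 Operational log may be empty because it is disabled by default.

```powershell
<#
  Added triage script; not part of the original KB article or of the App Control
  product. Runs steps 2 to 5 of the procedure above for a single file:
    2. Get-AuthenticodeSignature verdict and signer details (what the agent relies on),
       plus an explicit chain build with online revocation checking so the individual
       trust-status flags (X509ChainStatusFlags, mirroring CERT_TRUST_STATUS) are visible
    3. recent crypt32 / CAPI2 warnings and errors from the Application log and from the
       CAPI2 operational log (disabled by default, so it may legitimately be empty)
    4. the dascli commands from the KB, run verbatim, if the agent directory exists
    5. optionally "dascli validatecerts" followed by a re-check (-Revalidate)
  Assumptions: default agent install path; CLI password supplied by the operator.
  Run from an elevated PowerShell prompt.
#>
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$CliPassword,                                           # omit to skip dascli
    [switch]$Revalidate,
    [string]$AgentDir = 'C:\Program Files (x86)\Bit9\Parity Agent', # assumed default path
    [int]$EventHours = 24
)

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

# --- Step 2: what Windows says about the signature -------------------------------------
$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Host "== Authenticode status: $($sig.Status) ($($sig.StatusMessage))"
if (-not $sig.SignerCertificate) {
    Write-Host '   No signer certificate: the file is not signed and cannot be publisher-approved.'
} else {
    $c = $sig.SignerCertificate
    Write-Host "   Signer : $($c.Subject)"
    Write-Host "   Issuer : $($c.Issuer)"
    Write-Host "   Thumb  : $($c.Thumbprint)  valid $($c.NotBefore) -> $($c.NotAfter)"
    if ($sig.TimeStamperCertificate) {
        Write-Host "   Timestamp: $($sig.TimeStamperCertificate.Subject)"
    } else {
        Write-Host '   No timestamp: the signature stops verifying once the signer cert expires.'
    }
    # Build the chain with online revocation checking so every failing flag is listed.
    # Caveat: this evaluates at the current time; an expired but timestamped signer
    # shows NotTimeValid here although Authenticode (and so the agent) may still accept it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $built = $chain.Build($c)
    Write-Host "== Chain builds with revocation check: $built"
    foreach ($s in $chain.ChainStatus)   { Write-Host "   flag: $($s.Status) - $($s.StatusInformation.Trim())" }
    foreach ($e in $chain.ChainElements) { Write-Host "   -> $($e.Certificate.Subject)" }
}

# --- Step 3: is crypt32 / CAPI2 complaining? -------------------------------------------
$since = (Get-Date).AddHours(-$EventHours)
Write-Host "== crypt32 / CAPI2 warnings and errors since $since"
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'crypt32|CAPI2' } |
    Select-Object -First 20 TimeCreated, Id, ProviderName, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize | Out-String -Width 200 | Write-Host
# The CAPI2 operational log is off by default; enable it, reproduce the block, re-run:
#   wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
$capi2 = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $capi2) { Write-Host '   (no CAPI2 operational events: log empty or disabled)' }
else { $capi2 | Select-Object -First 20 TimeCreated, Id, TaskDisplayName | Format-Table -AutoSize | Out-String | Write-Host }

# --- Steps 4 and 5: the agent's own view, commands exactly as in the KB ----------------
$dascli = Join-Path $AgentDir 'dascli.exe'
if (-not $CliPassword -or -not (Test-Path -LiteralPath $dascli)) {
    Write-Host '== dascli section skipped (no -CliPassword given, or agent directory not found)'
    return
}
Push-Location $AgentDir
try {
    & $dascli password $CliPassword | Out-Null
    & $dascli find $Path
    & $dascli certinfo $Path 0 user
    & $dascli certinfo $Path 0 machine
    if ($Revalidate) {
        # Windows says Valid but the agent disagrees: make the agent re-evaluate certificates.
        & $dascli validatecerts
        & $dascli find $Path
        & $dascli certinfo $Path 0 user
        & $dascli certinfo $Path 0 machine
    }
} finally { Pop-Location }
```

Run it elevated, for example .\Test-AppControlSignature.ps1 -Path "C:\Tools\app.exe" -CliPassword "<CliPassword>" -Revalidate (file name and path are illustrative). If Windows reports Valid and the chain builds cleanly while dascli still shows the file as unsigned or unapproved, the problem is on the agent side and validatecerts (or the cache consistency check described in Additional Notes) is the right fix. If the chain fails with a revocation-related flag, restore network access to the CRL/OCSP endpoints first: the agent follows whatever verdict Windows returns, so no amount of re-evaluation on the agent side will help until Windows itself can validate the certificate.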
Additional Notes
A cache consistency check will also cause the agent to re-evaluate the certificates.
- Navigate to Assets > Computers
- Select the View Details button for the endpoint in question
- On the right side of the page, click the Perform Cache Consistency Check option
- Select the level of depth for the scan, and select the 'Rescan known files' and 'Re-evaluate publishers' options
- Click Go