
App Control: Files by Approved Publisher Being Blocked

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Symptoms

  • A file signed by a trusted publisher is blocked
  • Block events state: "IneligibleForAppoval: CounterChainIdx[X] CertId[XX]"
  • Block events state: "ValidationError[ErrorsListedHere]"

Cause

Possible causes:
  • The publisher listed on the certificate is different from the publisher that is trusted in the console
  • The file isn't signed
  • Windows was not able to verify the certificate
  • Crypt32 is defective or unable to check for certificate revocation
  • Timing issue with publisher approval

Resolution

  1. Confirm if the file is signed and if the correct publisher is approved
    1. In the block event, click the hash in the "Description" column
    2. The "File Details" screen will open
    3. Under "File Properties" confirm publisher, publisher state, certificate, certificate global state
      • If there is no publisher or certificate listed, the file is not signed and is not eligible for publisher approval
    4. Click the hyperlinked name of the publisher
    5. Confirm the state is approved and that it applies to the correct policy
    6. Confirm the OS sees the file as properly signed
      1. Open an elevated PowerShell prompt on the device (Get-AuthenticodeSignature is a PowerShell cmdlet and will not run in a plain CMD prompt).
      2. Run the command:
        Get-AuthenticodeSignature -FilePath "<FullPathToFile>" | Format-List
        • If there is a signature error: The App Control agent will also treat the signature as invalid, because it relies on the OS for this information. A list of Microsoft error codes can be found here - CERT_TRUST_STATUS structure
        • If there is no signature error: Continue to the next step.
    7. Confirm if the OS is having issues updating its certificate store:
      1. Log in to the endpoint experiencing the blocks
      2. Go to Start > Run > type in eventvwr
      3. Event Viewer will open
      4. In the left hand pane, expand Windows Logs
      5. Check for crypt32 and CAPI2 errors
    8. Determine what error the App Control agent has for the file:
      1. In the block event, check for errors such as "IneligibleForAppoval" and "ValidationError"
      2. Run the commands:
        cd "c:\Program Files (x86)\Bit9\Parity Agent"
        dascli password <CliPassword>
        dascli find <FullPathToFile>
        dascli certinfo <FullPathToFile> 0 user
        dascli certinfo <FullPathToFile> 0 machine
    9. If the OS says the file is invalid and App Control does not, this may be because the file was written and executed before the App Control agent had a chance to process the certificates and the approval.
      1. To manually re-evaluate, run the commands:
        cd "c:\Program Files (x86)\Bit9\Parity Agent"
        dascli password <CliPassword>
        dascli validatecerts
      2. Check the status again:
        dascli find <FullPathToFile>
        dascli certinfo <FullPathToFile> 0 user
        dascli certinfo <FullPathToFile> 0 machine
    10. If the issue still persists, contact Support and provide:
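The endpoint-side part of the procedure above (steps 6 to 8) can be collected in one pass. The script below is an added example, not code from the article or from Carbon Black: it records the Windows view of the signature, compares the signer's CN with the publisher approved in the console (the first cause listed), rebuilds the certificate chain with online revocation checking so that revocation failures (the crypt32 cause) are visible as individual chain status flags, pulls recent crypt32/CAPI2 errors and warnings from the event logs, and finally runs the dascli queries exactly as the article gives them. The parameter names, the assumption that the agent CLI is `dascli.exe` under the agent directory, and the provider-name regex used to pick out crypt32/CAPI2 events are this example's own assumptions.

```powershell
# Added example (not from the article or from Carbon Black): one pass over the
# OS-side checks of steps 6 and 7, plus the agent-side dascli queries of step 8.
# Run from an elevated PowerShell prompt on the endpoint that produced the block.
# Parameter names are this script's own assumptions, not agent options.
param(
    [Parameter(Mandatory)][string]$FilePath,
    [string]$ExpectedPublisher,                   # publisher name as approved in the console
    [string]$CliPassword,                         # dascli password; dascli calls are skipped if empty
    [string]$AgentDir = 'C:\Program Files (x86)\Bit9\Parity Agent',
    [int]$EventHours = 24                         # how far back to look for crypt32/CAPI2 events
)

# --- Step 6: what does Windows (and therefore the agent) think of the signature? ---
$sig = Get-AuthenticodeSignature -FilePath $FilePath
[pscustomobject]@{
    File          = $FilePath
    Status        = $sig.Status            # Valid, NotSigned, NotTrusted, HashMismatch, ...
    StatusMessage = $sig.StatusMessage
    Signer        = $sig.SignerCertificate.Subject
    Thumbprint    = $sig.SignerCertificate.Thumbprint
    Timestamper   = $sig.TimeStamperCertificate.Subject
} | Format-List

if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
    Write-Warning 'No signature: the file is not eligible for publisher approval.'
    return
}

# Cause "publisher differs from the approved one": read the signer CN from the
# certificate instead of splitting the Subject string (CNs may themselves contain commas).
$signerCn = $sig.SignerCertificate.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($ExpectedPublisher -and $signerCn -ne $ExpectedPublisher) {
    Write-Warning "Signer CN '$signerCn' does not match the approved publisher '$ExpectedPublisher'."
}

# Cause "Windows could not verify the certificate / check revocation": rebuild the chain
# with online revocation checking and print every chain status flag, not just a summary.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$null = $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.3')  # Code Signing EKU
$chainOk = $chain.Build($sig.SignerCertificate)
"Chain builds cleanly with online revocation: $chainOk"
foreach ($s in $chain.ChainStatus) {
    "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}

# --- Step 7: crypt32 / CAPI2 errors and warnings (Level 2 = Error, 3 = Warning) ---
$since = (Get-Date).AddHours(-$EventHours)
$logs = 'Application', 'Microsoft-Windows-CAPI2/Operational'   # the CAPI2 operational log is disabled by default
foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'crypt32|CAPI2' } |   # provider-name match is an assumption
        Select-Object TimeCreated, ProviderName, Id,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}

# --- Step 8: the agent's own view of the file (commands as given in the article) ---
if ($CliPassword) {
    $dascli = Join-Path $AgentDir 'dascli.exe'   # assumed executable name
    & $dascli password $CliPassword
    & $dascli find $FilePath
    & $dascli certinfo $FilePath 0 user
    & $dascli certinfo $FilePath 0 machine
}
```

Saved as, say, `Get-AppControlSignatureStatus.ps1` (a hypothetical name), it is run as `.\Get-AppControlSignatureStatus.ps1 -FilePath 'C:\<FullPathToFile>' -ExpectedPublisher '<ApprovedPublisherName>' -CliPassword '<CliPassword>'`. The chain status lines are the part worth reading first: a `RevocationStatusUnknown` or `OfflineRevocation` flag with an otherwise valid signature points at the crypt32/revocation cause, while a `NotSigned` status or a CN mismatch points at the first two causes in the list, and the output is what Support would want attached if step 10 is reached.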

Additional Notes

A cache consistency check will also cause the agent to re-evaluate the certificates:
  1. Navigate to Assets > Computers
  2. Select the View Details button for the endpoint in question
  3. On the right side of the page, click the Perform Cache Consistency Check option
  4. Select the scan depth 'Rescan known files' and the "Re-evaluate publishers" option
  5. Click Go

Article Information
Creation Date: 09-28-2018