App Control: How To Use Windows CAPI2 Logs To Verify Partial Chain Errors

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Objective

How to use Windows CAPI2 logging to verify Partial Chain Errors

Resolution

  1. Enable CAPI2 Logging: Event Viewer > Applications and Services > Microsoft > Windows > CAPI2 > right click Operational > select "Enable Log".
  2. In a command prompt, trigger the Agent's validation task that queries Crypto API by running the following:
    "C:\Program Files (x86)\Bit9\Parity Agent\DasCLI.exe" validatecerts
  3. Once the command completes, return to Event Viewer > right click Operational > select "Disable Log".
    Note: If Support has requested a copy of the log, right click Operational > Save All Events As... > choose a location > when prompted for "Display information for these languages", select English.
  4. Search for Partial Chain Error events by adding filters:
    Event level: Error
    Event ID: 11
    Task Category: Build Chain
  5. Open the partial chain event for the specific certificate and scroll to the "Certificate Chain" section, for example:
    - Certificate
    [ fileRef] 0325BD505EDA96302DC22F4FA01E4C28BE2834C5.cer
    [ subjectName] TIMESTAMP-SHA256-2019-10-15
    ...
    - CertificateChain
    - ErrorStatus
    [ value] 1010040
    [ CERT_TRUST_REVOCATION_STATUS_UNKNOWN] true
    [ CERT_TRUST_IS_OFFLINE_REVOCATION] true
    [ CERT_TRUST_IS_PARTIAL_CHAIN] true
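As an added example (not the article's or the product's own code), the following PowerShell applies the same filter as step 4 with Get-WinEvent and decodes the ErrorStatus value into its CERT_TRUST_* flag names, so the check can be scripted instead of clicked through. It assumes the element names match the event's XML view; the hex value from the sample event above decodes to exactly the three flags listed there.

```powershell
# Added example (not from the article): CERT_TRUST_* error bits from wincrypt.h,
# used to decode the hex "value" shown in a CAPI2 ErrorStatus element.
$CertTrustErrorFlags = [ordered]@{
    CERT_TRUST_IS_NOT_TIME_VALID          = 0x00000001
    CERT_TRUST_IS_REVOKED                 = 0x00000004
    CERT_TRUST_IS_NOT_SIGNATURE_VALID     = 0x00000008
    CERT_TRUST_IS_NOT_VALID_FOR_USAGE     = 0x00000010
    CERT_TRUST_IS_UNTRUSTED_ROOT          = 0x00000020
    CERT_TRUST_REVOCATION_STATUS_UNKNOWN  = 0x00000040
    CERT_TRUST_IS_CYCLIC                  = 0x00000080
    CERT_TRUST_IS_PARTIAL_CHAIN           = 0x00010000
    CERT_TRUST_CTL_IS_NOT_TIME_VALID      = 0x00020000
    CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID = 0x00040000
    CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE = 0x00080000
    CERT_TRUST_IS_OFFLINE_REVOCATION      = 0x01000000
    CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY   = 0x02000000
}
function ConvertFrom-CertTrustErrorStatus {
    # $HexValue is the ErrorStatus "value" as displayed in the event, e.g. '1010040'
    param([Parameter(Mandatory)][string]$HexValue)
    $bits = [Convert]::ToUInt32($HexValue, 16)
    foreach ($flag in $CertTrustErrorFlags.GetEnumerator()) {
        if (($bits -band $flag.Value) -ne 0) { $flag.Key }
    }
}
function Get-Capi2PartialChainEvents {
    # Same filter as step 4: Level 2 = Error, Event ID 11 = Build Chain (CertGetCertificateChain)
    $filter = @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Id = 11; Level = 2 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        # Assumption: elements are named as in the event's XML view; they are matched
        # by local name so the exact nesting under UserData does not matter.
        $status  = $xml.SelectSingleNode("//*[local-name()='ErrorStatus']")
        $subject = $xml.SelectSingleNode("//*[local-name()='Certificate']")
        if ($null -eq $status -or $null -eq $subject) { return }
        $flags = @(ConvertFrom-CertTrustErrorStatus $status.GetAttribute('value'))
        if ($flags -contains 'CERT_TRUST_IS_PARTIAL_CHAIN') {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                SubjectName = $subject.GetAttribute('subjectName')
                FileRef     = $subject.GetAttribute('fileRef')
                ErrorStatus = $status.GetAttribute('value')
                Flags       = $flags -join ', '
            }
        }
    }
}
# Offline check against the value from the sample event above:
ConvertFrom-CertTrustErrorStatus '1010040'
```

Run Get-Capi2PartialChainEvents after step 2 has populated the log; each returned object names the certificate and the full set of error flags, not just the partial-chain bit.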

Additional Notes

It is recommended to coordinate this logging with additional logging at the network, firewall, or proxy level, so that the two can be correlated to determine what changes are needed to allow this communication.

Article Information

Creation Date: 09-09-2020