Environment
- App Control Console: All Supported Versions
- App Control Server: All Supported Versions
- Microsoft SQL Server Management Studio: All Supported Versions
Objective
How to query the App Control database (DAS) to identify the Publisher and Certificate information related to Block Events with the reason: IneligibleForApproval: CounterChainIdx.
Resolution
- Collect the File Name and the full File Hash from the relevant Block Event. Both are shown in the "File Name" and "File Hash" columns of the event.
- Log in to the application server as the Carbon Black Service Account.
- Launch Microsoft SQL Server Management Studio and connect to the SQL Server hosting the DAS database, using Windows Authentication.
- Click New Query and execute the following query:
use das;
select * from dbo.filenames with (nolock) where filename like '%BlockedFile.exe%';
- Note the filename_id returned and use it in place of AAAA in the next query; use the Hash value from the Block Event in place of BBBB:
select timestamp_cert_id, hash from dbo.antibodies with (nolock) where filename_id = 'AAAA' AND hash = 'BBBB';
- Note the timestamp_cert_id and use it in place of CCCC in the next query:
select publisher_id, subject_name, serial_number, thumbprint, valid_from, valid_to from dbo.certificates with (nolock) where cert_id = 'CCCC';
- This should return a single result containing the information of the Certificate that caused the Block Event.
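The three manual lookups above, combined into a single parameterised T-SQL script so the intermediate IDs do not have to be copied by hand. This is an added example, not part of the original article: the table and column names are those used above, but the nvarchar variable types and the join on antibodies.timestamp_cert_id = certificates.cert_id are assumptions.

```sql
-- Added example (not from the original article): the three lookups chained into one query.
-- Table and column names are taken from the steps above; the variable types and the
-- join condition between antibodies and certificates are assumptions.
USE das;
GO

-- Values copied from the Block Event. The hash below is a placeholder, not a real value.
DECLARE @FileName nvarchar(260) = N'BlockedFile.exe';   -- "File Name" column
DECLARE @FileHash nvarchar(128) = N'BBBB';              -- full "File Hash" column (placeholder)

-- filenames -> antibodies (by filename_id) -> certificates (timestamp_cert_id = cert_id).
-- Filtering on the exact hash ensures a single row even when several filenames match.
SELECT
    f.filename_id,
    a.timestamp_cert_id,
    c.publisher_id,        -- use this as ZZZZ in the publisher-details console URL
    c.subject_name,
    c.serial_number,
    c.thumbprint,
    c.valid_from,
    c.valid_to
FROM dbo.filenames        AS f WITH (NOLOCK)
JOIN dbo.antibodies       AS a WITH (NOLOCK) ON a.filename_id = f.filename_id
JOIN dbo.certificates     AS c WITH (NOLOCK) ON c.cert_id     = a.timestamp_cert_id
WHERE f.filename LIKE N'%' + @FileName + N'%'
  AND a.hash = @FileHash;
```

As with the step-by-step queries, a single row is expected; more than one row means the hash filter did not narrow the match and the File Hash value should be re-checked against the event.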
Additional Notes
- The publisher_id can be used in place of ZZZZ to change the Certificate State to Approved via the Console: https://ServerAddress/publisher-details.php?publisher_id=ZZZZ
- The Agent relies on the Windows Cryptographic API to validate these certificates. The error returned is provided by this API.
- An extended discussion regarding these queries, and the reasons behind them, can be found in the Community Discussion here.
- See the Related Content for additional articles to help with troubleshooting Publisher Approval issues.
Related Content