App Control: How to use Windows CAPI2 logs to verify Partial Chain Errors

Environment

  • App Control: All Versions (Formerly CB Protection)
  • Microsoft Windows: All Supported Versions

Objective

How to use Windows CAPI2 logs to verify Partial Chain Errors

Resolution

  1. Enable CAPI2 logs: Event Viewer > Applications and Services > Microsoft > Windows > CAPI2 > Operational > select "Enable Log"
  2. In a command prompt, trigger the agent's validation task that queries the Crypto API by running:
    "C:\Program Files (x86)\Bit9\Parity Agent\DasCLI.exe" validatecerts
  3. Stop logging by selecting "Disable Log" on the right
  4. Search for Partial Chain Error events by adding filters:
    Event level: Error
    Event ID: 11
    Task Category: Build Chain
  5. Open the partial chain event for the specific certificate and scroll to the "Certificate Chain" section, for example:
    - Certificate
    [ fileRef] 0325BD505EDA96302DC22F4FA01E4C28BE2834C5.cer
    [ subjectName] TIMESTAMP-SHA256-2019-10-15
    ...
    - CertificateChain
    - ErrorStatus
    [ value] 1010040
    [ CERT_TRUST_REVOCATION_STATUS_UNKNOWN] true
    [ CERT_TRUST_IS_OFFLINE_REVOCATION] true
    [ CERT_TRUST_IS_PARTIAL_CHAIN] true
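As an added example (not part of the original article or the App Control product), the helper below decodes the hex ErrorStatus value into its CERT_TRUST_* flag names and scans an exported CAPI2 event list for Build Chain events (ID 11) whose chain is partial. The bit values are the wincrypt.h constants; the event XML is a constructed, simplified sample, not a real CAPI2 export.

```python
import xml.etree.ElementTree as ET
# CERT_TRUST_* error-status bits (wincrypt.h). CAPI2 logs their OR as a hex
# string in ErrorStatus/@value; the article's 1010040 is the three bits marked.
CERT_TRUST_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",  # in 1010040
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",           # in 1010040
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",      # in 1010040
}

def decode_error_status(value_hex):
    """Expand a CAPI2 ErrorStatus hex value into CERT_TRUST_* flag names."""
    value = int(value_hex, 16)
    names = [n for bit, n in CERT_TRUST_FLAGS.items() if value & bit]
    leftover = value & ~sum(CERT_TRUST_FLAGS)  # bits the table above does not cover
    return names + ([f"UNKNOWN_BITS_0x{leftover:X}"] if leftover else [])

def _local(tag):  # drop the {namespace} prefix ElementTree keeps on tag names
    return tag.rsplit("}", 1)[-1]

def partial_chain_failures(events_xml):
    """Build Chain events (ID 11) whose ErrorStatus has CERT_TRUST_IS_PARTIAL_CHAIN set."""
    hits = []
    for ev in ET.fromstring(events_xml).iter():
        if _local(ev.tag) != "Event":
            continue
        first = {}  # first element of each local name, in document order (leaf cert first)
        for e in ev.iter():
            first.setdefault(_local(e.tag), e)
        eid = first.get("EventID")
        if eid is None or eid.text != "11" or "ErrorStatus" not in first:
            continue
        flags = decode_error_status(first["ErrorStatus"].get("value", "0"))
        if "CERT_TRUST_IS_PARTIAL_CHAIN" in flags:
            cert = first.get("Certificate")
            hits.append({"subject": cert.get("subjectName") if cert is not None else None,
                         "flags": flags})
    return hits

# Constructed sample: a simplified export of two CAPI2 Operational events
# (real events carry more elements); the first mirrors the article's example.
SAMPLE_EVENTS = """<Events>
<Event><System><EventID>11</EventID></System><UserData><Certificate fileRef="0325BD505EDA96302DC22F4FA01E4C28BE2834C5.cer" subjectName="TIMESTAMP-SHA256-2019-10-15"/>
<CertificateChain><ErrorStatus value="1010040"/></CertificateChain></UserData></Event>
<Event><System><EventID>11</EventID></System><UserData><Certificate fileRef="constructed-ok.cer" subjectName="CONSTRUCTED-OK"/>
<CertificateChain><ErrorStatus value="0"/></CertificateChain></UserData></Event>
</Events>"""
```

Feed it the XML saved from Event Viewer (right-click the filtered view, Save Filtered Log File As, XML) to list every certificate whose chain could not be built, with the revocation bits that usually accompany the partial-chain bit.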

Creation Date: 09-09-2020