
App Control: Publisher Approval of Microsoft Files Fails Due to CERT_TRUST_IS_NOT_SIGNATURE_VALID

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Symptoms

  • Microsoft is an approved publisher, but newly created files are not getting approved.
  • Block Events similar to:
    Execution block (unapproved file) File 'test.exe' [...] was blocked because it was unapproved.
    Publisher[Microsoft Corporation (IneligibleForApproval: CounterChainIdx[1] CertId[499] 
    ValidationError[01000048:CERT_TRUST_IS_NOT_SIGNATURE_VALID:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_OFFLINE_REVOCATION])]

Cause

  • The issue lies in the countersignature certificate chain, as indicated by this portion of the Block Event:
    IneligibleForApproval: CounterChainIdx[1]
  • The full validation error returned by the Windows Crypto API:
    ValidationError[01000048:CERT_TRUST_IS_NOT_SIGNATURE_VALID:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_OFFLINE_REVOCATION])]
  • Publisher Approval fails because of the CERT_TRUST_IS_NOT_SIGNATURE_VALID portion of that error.
  • CERT_TRUST_IS_NOT_SIGNATURE_VALID occurs when an older version of the intermediate certificate "Microsoft Time-Stamp PCA 2010" is present in the endpoint's local certificate store and the new version of the certificate is either not present or cannot be downloaded because of network restrictions.
  • The Block Event is enforced even if the Ignore Counter Chain Errors feature is enabled, because of the additional CERT_TRUST_IS_NOT_SIGNATURE_VALID error.
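The following triage helper is an added example and is not part of this KB or of the App Control product. It parses a Block Event line of the shape shown above, decodes the hexadecimal value in ValidationError[...] into the CERT_TRUST_* bits defined in wincrypt.h (CERT_TRUST_STATUS.dwErrorStatus; the 01000048 on this page decomposes exactly into 0x8 | 0x40 | 0x01000000), and separates revocation-only errors, which a counter-chain leniency setting could waive, from chain defects such as CERT_TRUST_IS_NOT_SIGNATURE_VALID that are enforced regardless. The regular expression assumes the field order shown in the event above, and both sample event lines are constructed for the example.

```python
import re

# CERT_TRUST_* error-status bits from wincrypt.h (CERT_TRUST_STATUS.dwErrorStatus).
CERT_TRUST_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000002: "CERT_TRUST_IS_NOT_TIME_NESTED",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000010: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00000080: "CERT_TRUST_IS_CYCLIC",
    0x00000100: "CERT_TRUST_INVALID_EXTENSION",
    0x00000200: "CERT_TRUST_INVALID_POLICY_CONSTRAINTS",
    0x00000400: "CERT_TRUST_INVALID_BASIC_CONSTRAINTS",
    0x00000800: "CERT_TRUST_INVALID_NAME_CONSTRAINTS",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}
KNOWN_MASK = sum(CERT_TRUST_FLAGS)  # bits are distinct, so sum equals bitwise OR

# Bits that only say "revocation could not be checked". A counter-chain leniency
# setting can reasonably waive these; anything else is a real defect in the chain.
REVOCATION_ONLY_MASK = 0x00000040 | 0x01000000
NOT_SIGNATURE_VALID = 0x00000008

# Assumed field order, taken from the Block Event format shown in this KB.
EVENT_RE = re.compile(
    r"Publisher\[(?P<publisher>[^\]\(]+?)\s*\("
    r"IneligibleForApproval:\s*(?P<counter>CounterChainIdx\[\d+\]\s*)?"
    r"CertId\[(?P<cert_id>\d+)\]\s*"
    r"ValidationError\[(?P<mask>[0-9A-Fa-f]{8})"
)


def decode_flags(mask):
    """Return the CERT_TRUST_* names set in mask, lowest bit first."""
    names = [name for bit, name in sorted(CERT_TRUST_FLAGS.items()) if mask & bit]
    leftover = mask & ~KNOWN_MASK
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:08X}")
    return names


def triage(event_line):
    """Parse one Block Event line and classify why Publisher Approval failed."""
    m = EVENT_RE.search(event_line)
    if not m:
        return None
    mask = int(m.group("mask"), 16)
    counter_chain = m.group("counter") is not None  # error is on the countersignature chain
    blocking = mask & ~REVOCATION_ONLY_MASK           # bits a leniency setting would not waive
    result = {
        "publisher": m.group("publisher"),
        "cert_id": int(m.group("cert_id")),
        "counter_chain": counter_chain,
        "mask": mask,
        "flags": decode_flags(mask),
        "blocking_flags": decode_flags(blocking),
        "ignorable_by_counter_chain_setting": counter_chain and blocking == 0,
        "hint": None,
    }
    if counter_chain and mask & NOT_SIGNATURE_VALID:
        result["hint"] = ("countersignature chain fails signature validation: check the "
                          "endpoint's intermediate CA store for a stale "
                          "'Microsoft Time-Stamp PCA 2010' certificate")
    return result


# Constructed sample events: the first mirrors the event quoted in this KB,
# the second has only revocation-status errors on the counter chain.
SAMPLE_EVENT = (
    "Execution block (unapproved file) File 'test.exe' was blocked because it was unapproved. "
    "Publisher[Microsoft Corporation (IneligibleForApproval: CounterChainIdx[1] CertId[499] "
    "ValidationError[01000048:CERT_TRUST_IS_NOT_SIGNATURE_VALID:"
    "CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_OFFLINE_REVOCATION])]"
)
SAMPLE_REVOCATION_ONLY = (
    "Execution block (unapproved file) File 'other.exe' was blocked because it was unapproved. "
    "Publisher[Microsoft Corporation (IneligibleForApproval: CounterChainIdx[1] CertId[499] "
    "ValidationError[01000040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:"
    "CERT_TRUST_IS_OFFLINE_REVOCATION])]"
)

if __name__ == "__main__":
    for line in (SAMPLE_EVENT, SAMPLE_REVOCATION_ONLY):
        r = triage(line)
        print(f"0x{r['mask']:08X} {r['flags']}")
        print("  waivable by counter-chain setting:", r["ignorable_by_counter_chain_setting"])
        print("  blocking:", r["blocking_flags"], "hint:", r["hint"])
```

Running it over exported Block Events lets an administrator tell at a glance which blocks the Ignore Counter Chain Errors feature could ever have absorbed and which ones, like the event on this page, need the endpoint's certificate store fixed first.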

Resolution

Because the failure occurs on the endpoint, the remediation options available through the App Control Console alone are limited. It may be possible to prevent this by either:

Additional Notes

  • The App Control agent has no control over the Certificate Validation Errors returned by the Windows Crypto API; for more information on how those errors are generated, please check this KB.
  • Microsoft has a known issue with its countersignature intermediate certificate "Microsoft Time-Stamp PCA 2010"; please contact them for details.

Article Information
Creation Date: 01-07-2022