App Control: Publisher approved files blocked due to CERT_TRUST_IS_NOT_SIGNATURE_VALID

Environment

App Control Agent: All Versions

Symptoms

  • Publisher is approved, but the file is not approved and blocked
  • Block events show:
    Execution block (unapproved file) File 'test.exe' [...] was blocked because it was unapproved.
    Publisher[Microsoft Corporation (IneligibleForApproval: CounterChainIdx[1] CertId[499] 
    ValidationError[01000048:CERT_TRUST_IS_NOT_SIGNATURE_VALID:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_OFFLINE_REVOCATION])]

Cause

  • The issue lies in the countersignature chain (the timestamp certificate), as indicated by:
    Publisher[Microsoft Corporation (IneligibleForApproval: CounterChainIdx[1]
  • The Windows Crypto API returned the following validation errors:
    ValidationError[01000048:CERT_TRUST_IS_NOT_SIGNATURE_VALID:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_OFFLINE_REVOCATION])]
  • The publisher approval fails because of "CERT_TRUST_IS_NOT_SIGNATURE_VALID"; the App Control agent ignores "CERT_TRUST_REVOCATION_STATUS_UNKNOWN" and "CERT_TRUST_IS_OFFLINE_REVOCATION"
  • "CERT_TRUST_IS_NOT_SIGNATURE_VALID" typically happens when the Intermediate or Root certificates are missing, or when a different version of those certificates exists in the Local Machine certificate store (certlm.msc)
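As an added example that is not part of this KB, the Python below decodes the ValidationError hex value from a block event into the Windows CERT_TRUST_* bits it is built from (0x01000048 = 0x00000008 + 0x00000040 + 0x01000000) and applies the agent's rule that only the two revocation-related errors are ignored. The bit values are the CERT_TRUST_STATUS dwErrorStatus constants from wincrypt.h; the sample event is constructed from the block text above.

```python
import re

# Subset of Windows CERT_TRUST_STATUS dwErrorStatus bits (wincrypt.h).
CERT_TRUST_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000002: "CERT_TRUST_IS_NOT_TIME_NESTED",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000010: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}

# Errors the App Control agent tolerates when deciding publisher eligibility (per this KB).
IGNORED_BY_AGENT = {"CERT_TRUST_REVOCATION_STATUS_UNKNOWN", "CERT_TRUST_IS_OFFLINE_REVOCATION"}

VALIDATION_RE = re.compile(r"ValidationError\[([0-9A-Fa-f]{8})(?::([A-Z_:]+))?\]")

def decode_error_status(status: int) -> list[str]:
    """Expand a dwErrorStatus bitmask into the CERT_TRUST_* names it contains."""
    names = [name for bit, name in sorted(CERT_TRUST_FLAGS.items()) if status & bit]
    leftover = status & ~sum(CERT_TRUST_FLAGS)  # bits outside the table above
    if leftover:
        names.append(f"UNKNOWN_BIT(0x{leftover:08x})")
    return names

def triage_block_event(line: str) -> dict:
    """Parse the ValidationError[...] token of a block event and classify it."""
    m = VALIDATION_RE.search(line)
    if not m:
        raise ValueError("no ValidationError[...] token in event text")
    status = int(m.group(1), 16)
    flags = decode_error_status(status)
    blocking = [f for f in flags if f not in IGNORED_BY_AGENT]
    agent_names = set(m.group(2).split(":")) if m.group(2) else set(flags)
    return {
        "status": status,
        "flags": flags,
        "blocking_flags": blocking,            # errors that make the publisher ineligible
        "publisher_approval_fails": bool(blocking),
        "names_match_agent": agent_names == set(flags),  # hex and names should agree
    }

# Constructed from the block event quoted in this KB (not a live capture).
SAMPLE_EVENT = (
    "Execution block (unapproved file) File 'test.exe' was blocked because it was unapproved. "
    "Publisher[Microsoft Corporation (IneligibleForApproval: CounterChainIdx[1] CertId[499] "
    "ValidationError[01000048:CERT_TRUST_IS_NOT_SIGNATURE_VALID:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_OFFLINE_REVOCATION])]"
)
```

An event whose only errors are the two revocation flags (for example 01000040) decodes as non-blocking, which is the quickest way to confirm that a block is really caused by the signature error rather than by offline revocation checking.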

Resolution

Please verify that the correct versions of the Intermediate and Root certificates are present on each endpoint prior to file creation, per this KB

Alternatively, approving the countersignature certificate in the console will resolve the blocks:
  1. On a system getting blocks, use the "dascli find" command (requires authentication) to find the countersignature information:
    • "C:\Program Files (x86)\Bit9\Parity Agent\DasCLI.exe" find "C:\Users\Testuser\AppData\Desktop\test.exe"
      CounterSigner:
            CertId[474] Parent[470] Publisher[Microsoft Time-Stamp Service]
            Flags[00000002 (Microsoft)]
            CertHash[c42cf0a0136ea01f76c2c0b64b1661cf81d51b2bc2667c1836e733a46c9a9b58]
            PublisherHash[87adb956565d265d9e66c55a6e4f25c6]
            Serial[3300000187421666045cf3f48d000100000187]
            Issuer[Microsoft Time-Stamp PCA 2010]
            SHA1 Thumbprint[787793540428064486c2c66061ed7ffe831b83f3]
            MD5  Thumbprint[06fc66bfcfdeecba4b30bbd38f081e14]
            SignatureAlgorithm[sha256RSA] PublicKeySize[4096]
            ValidFrom[10/28/2021 7:27:39 PM] ValidTo[1/26/2023 7:27:39 PM]
            ValidationTime[1/7/2022 5:14:24 PM] ValidationError[01000048]
            DetailedError[CERT_TRUST_IS_NOT_SIGNATURE_VALID:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_OFFLINE_REVOCATION]
      
  2. In SQL Server Management Studio, run the following query (replace the publisher hash with the one returned in step 1):
    • use das; select * from dbo.publishers where publisher_hash like '87adb956565d265d9e66c55a6e4f25c6'
  3. Suppose that returns '18'.  Then take that publisher_id and go to the following URL:
    • https://CBSERVER/publisher-details.php?publisher_id=18
  4. Replace CBSERVER above with the name of your server
  5. On the page that comes up, you'll be presented with some "publisher" info at the top of the page, and a list of certificates at the bottom.
  6. Next, you can either:
    • Approve only the Leaf certificates on the list > select the checkboxes > Action > Approve Certificates
    • Approve the individual certificate causing blocks:
      Add Filter > Certificate Id is: c42cf0a0136ea01f76c2c0b64b1661cf81d51b2bc2667c1836e733a46c9a9b58  (CertHash from step 1)

Additional Notes

  • The App Control agent has no control over the certificate validation errors returned by the Windows Crypto API; for more information on how those errors are generated, see:
App Control: How to use Windows CAPI2 logs to verify Partial Chain Errors
  • Microsoft has a known issue with its countersignature intermediate certificate "Microsoft Time-Stamp PCA 2010" ("2aa752fe64c49abe82913c463529cf10ff2f04ee"). This will be fixed in their 2022.7B hotfix (second week of July).

Article Information
Creation Date: 01-07-2022