Environment

• App Control Agent: All Supported Versions
• App Control Server: All Supported Versions

Question

Answer

• The Agent is designed to utilize the Windows Cryptographic API to validate certificates used to sign files.
• Regardless of whether Agent-based certificate revocation checks are enabled, the App Control Server validates certificates in its inventory on a recurring basis to make sure they have not been revoked. This validation generally occurs on a weekly basis and involves downloading Certificate Revocation Lists (CRLs) from Registration Authorities, or making Online Certificate Status Protocol (OCSP) calls to OCSP responders.
• This communication by the Agent/Server will require the endpoint communicating with the Certificate Authority (CA).
• The URL and Port combination required for this communication is determined by the CA and specified in the CRL Distribution Point.

Additional Notes

• By default the Agent initiates a request to validate the certificates on the endpoint every 24 hours.
• If necessary, the Windows CAPI2 Logging can be configured to verify this is initiated by the Agent.
• If the endpoint is unable to complete these certificate verifications the Agent might block execution of software by Approved Publishers.
• More information on this can be found in the User Guide chapter, "Approving and Banning Software".

Related Content