logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Carbon Black Cloud: Search for process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED Shows Signed Files

Carbon Black Cloud: Search for process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED Shows Signed Files

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard
    • Enterprise EDR
  • Carbon Black Cloud Sensor: 3.x - 3.6.0.1979

Symptoms

  • Search for process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED shows files that are signed
  • Binary Details shows file is signed

Cause

Known issue with catalog signed files (DSEN-12143).

Resolution

Upgrade to 3.6.0.2076+ where this issue has been corrected

Additional Notes

https://community.carbonblack.com/t5/Carbon-Black-Cloud-Windows/tkb-p/release_notes_windows
  • Some recent Windows Updates resulted in Microsoft OS files being delivered before their external catalog that is used to verify their digital signature was registered. This resulted in the files appearing as not signed on first inspection, which could lead to tamper protection blocks and user visible errors when launching repux. The CB sensor now reinspects operating system files that appear unsigned to reverify their digital signature and avoid the tamper blocks.

Was this article helpful? Yes No
No ratings
Article Information
Author:
CB_Support
Creation Date:
‎11-16-2021
Views:
533
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.