Environment
- Carbon Black Cloud Console: All Versions
- Endpoint Standard
- Enterprise EDR
- Carbon Black Cloud Sensor: 3.x - 3.6.0.1979
Symptoms
- A search for process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED returns files that are signed
- Binary Details shows the file is signed
Cause
Known issue with catalog signed files (DSEN-12143).
Resolution
Upgrade to 3.6.0.2076+, where this issue has been corrected.
Additional Notes
https://community.carbonblack.com/t5/Carbon-Black-Cloud-Windows/tkb-p/release_notes_windows
- Some recent Windows Updates resulted in Microsoft OS files being delivered before the external catalog used to verify their digital signature was registered. As a result, the files appeared as not signed on first inspection, which could lead to tamper protection blocks and user-visible errors when launching repux. The CB sensor now reinspects operating system files that appear unsigned to reverify their digital signature and avoid the tamper blocks.
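
To confirm on an endpoint whether a file returned by the NOT_SIGNED search is catalog signed, and therefore consistent with this known issue, the following added PowerShell example (not Carbon Black's code) classifies files using the built-in Get-AuthenticodeSignature cmdlet. The function name Get-SignatureTriage and the sample paths are assumptions; it expects Windows PowerShell 5.1 or later.

```powershell
# Added example, not vendor code. Get-SignatureTriage is a hypothetical helper name.
function Get-SignatureTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                [pscustomobject]@{
                    Path = $p; Status = 'FileNotFound'; SignatureType = $null
                    IsOSBinary = $null; Signer = $null
                    Verdict = 'File is not present on this host'
                }
                continue
            }
            # SignatureType is None, Authenticode (embedded) or Catalog (external .cat file).
            $sig = Get-AuthenticodeSignature -LiteralPath $p
            $verdict = if ($sig.Status -eq 'Valid' -and $sig.SignatureType -eq 'Catalog') {
                'Catalog signed: consistent with the known issue if reported as NOT_SIGNED'
            } elseif ($sig.Status -eq 'Valid') {
                'Embedded signature: not a catalog-signed file'
            } elseif ($sig.Status -eq 'NotSigned') {
                # Also the result when the file's catalog is not registered on this host.
                'No signature found on this host'
            } else {
                "Signature did not validate ($($sig.Status)): investigate"
            }
            [pscustomobject]@{
                Path          = $p
                Status        = [string]$sig.Status
                SignatureType = [string]$sig.SignatureType
                IsOSBinary    = $sig.IsOSBinary
                Signer        = $sig.SignerCertificate.Subject
                Verdict       = $verdict
            }
        }
    }
}

# Constructed sample paths; substitute the paths returned by the console search.
$samplePaths = 'C:\Windows\System32\notepad.exe', 'C:\Windows\System32\kernel32.dll'
$samplePaths | Get-SignatureTriage | Format-List
```

Run it on the endpoint that reported the file, since catalog verification depends on the catalogs registered on that host.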