Environment
- Carbon Black Cloud Web Console: All Versions
- Carbon Black Cloud Microsoft Windows Sensor: All Supported Versions
Question
Why do queries that negate process_publisher_state:FILE_SIGNATURE_STATE_TRUSTED still return processes whose signature state is trusted or verified?
Answer
- Negating a single process_publisher_state value returns every process whose state is any value other than that one; it is a set complement, not a "not trusted and not verified" filter.
- At this time there are 10 possible values for the state, so negating one value returns events in the other 9 states, which include FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_SIGNED and FILE_SIGNATURE_STATE_OS. To exclude several states, negate each of them, or query positively for the states you want to see.
Additional Notes
- The 10 process_publisher_state values are listed below:
  - FILE_SIGNATURE_STATE_INVALID
  - FILE_SIGNATURE_STATE_SIGNED
  - FILE_SIGNATURE_STATE_VERIFIED
  - FILE_SIGNATURE_STATE_NOT_SIGNED
  - FILE_SIGNATURE_STATE_UNKNOWN
  - FILE_SIGNATURE_STATE_CHAINED
  - FILE_SIGNATURE_STATE_TRUSTED
  - FILE_SIGNATURE_STATE_OS
  - FILE_SIGNATURE_STATE_CATALOG_SIGNED
  - UNRECOGNIZED
- Example:
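The following is an added example, not Carbon Black's code and not part of the original article. It models the complement behaviour described above with a small in-memory evaluator over constructed sample process records. The evaluator assumes the console's Lucene-style syntax in which a leading `-` negates a term, `field:value` is an exact match, and whitespace-separated terms are ANDed; the process names and states in the sample data are constructed.

```python
"""Why '-process_publisher_state:FILE_SIGNATURE_STATE_TRUSTED' still returns
signed and verified binaries: negation is a set complement over all 10 states.

Added illustration, not Carbon Black's code. The query syntax handled here is
an assumed subset of the console's Lucene-style syntax.
"""
from typing import Dict, FrozenSet, List

# The ten documented process_publisher_state values.
PUBLISHER_STATES: FrozenSet[str] = frozenset({
    "FILE_SIGNATURE_STATE_INVALID",
    "FILE_SIGNATURE_STATE_SIGNED",
    "FILE_SIGNATURE_STATE_VERIFIED",
    "FILE_SIGNATURE_STATE_NOT_SIGNED",
    "FILE_SIGNATURE_STATE_UNKNOWN",
    "FILE_SIGNATURE_STATE_CHAINED",
    "FILE_SIGNATURE_STATE_TRUSTED",
    "FILE_SIGNATURE_STATE_OS",
    "FILE_SIGNATURE_STATE_CATALOG_SIGNED",
    "UNRECOGNIZED",
})

# Constructed sample records standing in for process search results.
SAMPLE_PROCESSES: List[Dict[str, str]] = [
    {"process_name": "trusted_tool.exe", "process_publisher_state": "FILE_SIGNATURE_STATE_TRUSTED"},
    {"process_name": "verified_app.exe", "process_publisher_state": "FILE_SIGNATURE_STATE_VERIFIED"},
    {"process_name": "signed_util.exe", "process_publisher_state": "FILE_SIGNATURE_STATE_SIGNED"},
    {"process_name": "os_service.exe", "process_publisher_state": "FILE_SIGNATURE_STATE_OS"},
    {"process_name": "dropper.exe", "process_publisher_state": "FILE_SIGNATURE_STATE_NOT_SIGNED"},
    {"process_name": "mystery.exe", "process_publisher_state": "FILE_SIGNATURE_STATE_UNKNOWN"},
]


def remaining_states(*excluded: str) -> FrozenSet[str]:
    """States that a query negating each of `excluded` will still match."""
    unknown = set(excluded) - PUBLISHER_STATES
    if unknown:
        raise ValueError(f"not a documented process_publisher_state: {sorted(unknown)}")
    return PUBLISHER_STATES - set(excluded)


def evaluate_query(query: str, records: List[Dict[str, str]]) -> List[str]:
    """Return the process_name of each record matching `query`.

    Assumed syntax subset: terms are separated by whitespace and ANDed;
    'field:value' is an exact match; a leading '-' negates the term.
    """
    terms = query.split()
    matches: List[str] = []
    for record in records:
        keep = True
        for term in terms:
            negated = term.startswith("-")
            field, sep, value = term.lstrip("-").partition(":")
            if not sep:
                raise ValueError(f"malformed term (expected field:value): {term!r}")
            hit = record.get(field) == value
            # A positive term must hit; a negated term must not hit.
            if hit == negated:
                keep = False
                break
        if keep:
            matches.append(record["process_name"])
    return matches


if __name__ == "__main__":
    single = "-process_publisher_state:FILE_SIGNATURE_STATE_TRUSTED"
    both = single + " -process_publisher_state:FILE_SIGNATURE_STATE_VERIFIED"
    positive = "process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED"
    print("negate TRUSTED only  ->", evaluate_query(single, SAMPLE_PROCESSES))
    print("negate TRUSTED+VERIFIED ->", evaluate_query(both, SAMPLE_PROCESSES))
    print("positive NOT_SIGNED  ->", evaluate_query(positive, SAMPLE_PROCESSES))
    print("states still matched by single negation:", len(remaining_states("FILE_SIGNATURE_STATE_TRUSTED")))
```

Negating only the TRUSTED value keeps the verified, signed and OS-signed binaries in the result set, because each of those is one of the nine other states. A hunt for unsigned or unverifiable binaries is clearer and less fragile when written positively (for example matching NOT_SIGNED, INVALID or UNKNOWN) than when it relies on subtracting states one at a time.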
Related Content