
App Control: How to Approve Certificates With Counter Chain Errors

Environment

  • App Control Console: All Supported Versions
  • Microsoft SQL Server: All Supported Versions

Symptoms

  • Block Events for files from a Publisher that was set to Approved contain a Description similar to:
    Publisher[Microsoft (IneligibleForApproval: CounterChainIdx[1] CertId[123] ValidationError[...CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_NOT_SIGNATURE_VALID:CERT_TRUST_IS_OFFLINE_REVOCATION...

Cause

  • The App Control Agent requires validation of both the Code Signing (File Publisher) and the Counter Signature (Timestamping) certificates for successful Publisher Approval of a file.
  • This validation is performed by querying the Windows Cryptographic API, which can return errors for many reasons.
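
When many Block Events show this symptom, it helps to see which counter-signature certificates are involved before working through the Resolution. The following is an added example, not Carbon Black code: it parses the Description format shown under Symptoms and groups blocked hashes by CertId. It assumes the events are already available as (SHA256, Description) pairs and that events sharing a CertId share a certificate; the sample events and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# CryptoAPI chain-trust error flags named in the Description on this page,
# with their meaning as documented for CERT_TRUST_STATUS.
TRUST_ERRORS = {
    "CERT_TRUST_IS_PARTIAL_CHAIN": "certificate chain is not complete",
    "CERT_TRUST_IS_NOT_SIGNATURE_VALID": "a certificate in the chain has an invalid signature",
    "CERT_TRUST_IS_OFFLINE_REVOCATION": "revocation status is offline or stale",
}
FIELD_RE = re.compile(r"(CounterChainIdx|CertId)\[(\d+)\]")
FLAG_RE = re.compile(r"CERT_TRUST_[A-Z_]+")
PUBLISHER_RE = re.compile(r"Publisher\[([^(\[\]]+?)\s*\(")

# Constructed sample (placeholder hashes, made-up CertIds), not real console output.
SAMPLE_EVENTS = [
    ("A" * 64, "Publisher[Microsoft (IneligibleForApproval: CounterChainIdx[1] CertId[123] "
               "ValidationError[CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION"),
    ("B" * 64, "Publisher[Microsoft (IneligibleForApproval: CounterChainIdx[1] CertId[123] "
               "ValidationError[CERT_TRUST_IS_NOT_SIGNATURE_VALID"),
    ("C" * 64, "Constructed description of an unrelated block event"),
]

def parse_description(desc):
    """Return counter-chain details from one Description, or None if it has none."""
    if "IneligibleForApproval" not in desc or "CounterChainIdx[" not in desc:
        return None
    fields = {name: int(value) for name, value in FIELD_RE.findall(desc)}
    publisher = PUBLISHER_RE.search(desc)
    return {
        "publisher": publisher.group(1) if publisher else None,
        "counter_chain_idx": fields.get("CounterChainIdx"),
        "cert_id": fields.get("CertId"),
        # Flags not in the table are kept, so unexpected errors stay visible.
        "errors": {f: TRUST_ERRORS.get(f, "not described here") for f in FLAG_RE.findall(desc)},
    }

def group_by_cert(events):
    """Map each CertId to the sorted SHA256 hashes blocked because of it."""
    by_cert = defaultdict(set)
    for sha256, desc in events:
        info = parse_description(desc)
        if info and info["cert_id"] is not None:
            by_cert[info["cert_id"]].add(sha256)
    return {cert_id: sorted(hashes) for cert_id, hashes in by_cert.items()}

if __name__ == "__main__":
    for cert_id, hashes in group_by_cert(SAMPLE_EVENTS).items():
        print(cert_id, hashes)
```

One hash from each group is enough to run the database query in the Resolution for that certificate.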

Resolution

  • App Control Server 8.10 introduced the ability to find and approve the counter signature from the console.
  • In 8.9 and below it's not possible to search & find the Counter Signature info via the Console, and a query of the database is needed.
 
  1. Log in to the application server hosting the App Control Console as the Carbon Black Service Account.
  2. Launch SQL Server Management Studio and, using the SHA256 hash from the Block Event, execute the following query (replacing 'SHA256HERE' with the actual hash):
    use das;
    select publisher_id, subject_name, serial_number, thumbprint, valid_from, valid_to
    from dbo.certificates with (nolock)
    where cert_id in (select timestamp_cert_id from dbo.antibodies with (nolock) where hash = 'SHA256HERE');
  3. This should return a single row containing the Publisher ID and information for the certificate that caused the block event.
  4. Update the following URL with the Publisher_Id, then navigate to it:
    https://ServerAddress/publisher-details.php?publisher_id=XXXX
  5. On the Publisher Details page, expand All Certificates and search for the certificate using the information from Step 2.
  6. Select the checkbox of the certificate > Action > Approve Certificates.

Article Information
Creation Date: 01-25-2019