
App Control: File Block Shows "IneligibleForApproval" due to CERT_TRUST_IS_PARTIAL_CHAIN

Environment

  • App Control (Formerly CB Protection) Agent: All Versions
  • Microsoft Windows: All Supported Versions

Symptoms

  • Publisher is approved; however, the file is not approved as expected
  • Event shows the file as IneligibleForApproval
  • Sample description from the event as seen in the console:
DiscoveredBy[Kernel:Execute] FileCreated[11/2/2017 5:02:56 PM]
Discovered[7/27/2018 6:34:29 PM (Hash: 4/30/2018 3:13:53 PM)]
Publisher[TIBCO Software Inc (IneligibleForAppoval: CounterChainIdx[1] CertId[220]
Validation[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])]

Cause

  • One of the certificates in the approval chain is missing from the endpoint.
  • This is indicated by the error: CERT_TRUST_IS_PARTIAL_CHAIN
  • An expired certificate in the certificate chain

Resolution

In the message above, the counter signature of the file is the one with the issue, as shown by this text:
CounterChainIdx[1] CertId[220]

To get more details on the missing part of the cert chain:

  1. Log into endpoint reporting issue
  2. Open an elevated command prompt
  3. Run following commands:
    1. cd \program files (x86)\bit9\parity agent
    2. dascli password <Agent_CLI_password>
    3. dascli certchain 220
(Note: The value 220 comes from the CertId[220] in the original message)

Breaking the result down into two important lines:

CertId[220] Parent[0] Publisher[Symantec SHA256 TimeStamping Signer - G2]
Issuer[Symantec SHA256 TimeStamping CA] 

We can see the Publisher along with the cert ID of 220; however, the Parent shows '0', indicating that the parent of this certificate does not exist on the endpoint.
The missing parent cert (the issuing CA or root cert) is named in the Issuer field.

To resolve the issue, this certificate needs to be added to the machine certificate store on the endpoint.

Additional Notes

  • In some rare cases, if you still see blocks after the missing certificate has been added to the local machine store, you may need to run the following commands to force the agent to re-evaluate all the certificates on the endpoint: App Control: Is There An Option to Trigger 'dascli validatecerts' From the Console?
  • You will often find that a root or intermediate certificate is present in the local user certificate store but not in the machine store. Note that the agent exclusively uses the machine store and not the per-user store, for security reasons.
  • If you are seeing the CERT_TRUST_IS_PARTIAL_CHAIN error, you can check whether the certificate exists in the user store or the machine store by issuing the following commands:
    dascli certinfo "<filename>" 0 user
    dascli certinfo "<filename>" 0 machine

    Example:
    dascli certinfo "c:\test_file.exe" 0 user
    dascli certinfo "c:\test_file.exe" 0 machine
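The following PowerShell script is an added example, not part of this article or the agent's tooling. It reproduces the checks above with built-in Windows APIs: it builds the chain for a file's signer and timestamp (counter-signature) certificates in the machine context only, reports chain status flags (PartialChain corresponds to CERT_TRUST_IS_PARTIAL_CHAIN), and, when the chain is partial, shows whether the missing issuer is installed only in a per-user store. The file path is an assumed placeholder.

```powershell
# Added example: check signer and counter-signature chains the way the agent does,
# using only the LocalMachine store. $FilePath is an assumed placeholder.
param([string]$FilePath = "C:\test_file.exe")

function Test-MachineStoreChain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Label
    )
    # $true = build the chain in the machine context; per-user stores are ignored
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    # Revocation is a separate concern; here we only care about chain completeness
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($Cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $flags) { $flags = 'NoError' }
    Write-Host ("{0}: {1}" -f $Label, $Cert.Subject)
    Write-Host ("  chain ok: {0}  status: {1}" -f $ok, $flags)
    if ($flags -match 'PartialChain') {
        # The top-most certificate that was found is the one whose issuer is
        # missing; this is the certificate 'dascli certchain' shows with Parent[0].
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host ("  missing issuer: {0}" -f $top.Issuer)
        # Locate that issuer by subject name across user and machine stores. A hit
        # only under CurrentUser explains why the agent still sees a partial chain.
        $stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
                  'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'
        $found = Get-ChildItem -Path $stores | Where-Object { $_.Subject -eq $top.Issuer }
        if ($found) {
            $found | ForEach-Object { Write-Host ("  present in {0}" -f $_.PSParentPath) }
        } else {
            Write-Host "  issuer not present in any user or machine store"
        }
    }
}

$sig = Get-AuthenticodeSignature -FilePath $FilePath
if ($sig.SignerCertificate) {
    Test-MachineStoreChain $sig.SignerCertificate 'Signer'
}
if ($sig.TimeStamperCertificate) {
    Test-MachineStoreChain $sig.TimeStamperCertificate 'Timestamp (counter-signature)'
}
```

Run it from an elevated prompt so the LocalMachine stores are readable; a "present in ...CurrentUser\..." line with no LocalMachine hit is the case the second note above describes.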

Article Information
Creation Date: 11-20-2018