Cb Protection: Files signed by globally approved Publisher are being blocked for Execution. 'CERT_TRUST_IS_PARTIAL_CHAIN' reported with counter chain of file.

Environment

Cb Protection All versions

Symptoms

Files signed by a globally approved Publisher are being blocked for Execution.

Running 'dascli find <filename>' reports 'CERT_TRUST_IS_PARTIAL_CHAIN' with the counter chain of the file:

Ineligible Reasons[CounterChainIdx[1] CertId[256] ValidationError[00010000:CERT_TRUST_IS_PARTIAL_CHAIN]]

The referenced 'CertId' will also show a Parent certificate of 0. As shown here, there is no 'Parent' or root certificate for 'Starfield Timestamp Authority - G2':

CounterSigner:
CertId[256] Parent[0] Publisher[Starfield Timestamp Authority - G2]

Cause

The 'CERT_TRUST_IS_PARTIAL_CHAIN' message typically indicates that the root or an intermediate certificate within the chain is not present in the certificate store the agent checks. In most cases the root or intermediate certificate can be found in the local user certificate store but not in the machine store. Note that the agent exclusively uses the machine store, not the per-user store, for security reasons.

The following commands can be used to determine whether the certificates differ between the User and Machine certificate stores:

dascli certinfo <filename> 0 user

dascli certinfo <filename> 0 machine
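
The same user/machine difference can be cross-checked with Windows' own chain builder. The script below is an added example, not Cb Protection code or part of the original article: it builds the chain for the file's signer and timestamp (countersigner) certificates in both contexts and lists the certificates that are reachable only through the user context. The script structure, the `$Path` parameter and the `Get-ChainResult` helper name are assumptions made for illustration.

```powershell
# Added example (not Cb Protection code). Run in Windows PowerShell on the affected host.
param([Parameter(Mandatory = $true)][string]$Path)   # path to the blocked file

function Get-ChainResult {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [bool]$UseMachineContext
    )
    # X509Chain($true) builds the chain in the machine context,
    # X509Chain($false) in the current user's context.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($UseMachineContext)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # skip revocation; only the chain matters here
    [void]$chain.Build($Certificate)
    [pscustomobject]@{
        Thumbprint   = $Certificate.Thumbprint
        Subject      = $Certificate.Subject
        Context      = if ($UseMachineContext) { 'machine' } else { 'user' }
        PartialChain = @($chain.ChainStatus | ForEach-Object { $_.Status }) -contains 'PartialChain'
        Elements     = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    }
}

$sig = Get-AuthenticodeSignature -FilePath $Path
# Signer and timestamp (countersigner) certificates; either may be absent.
$certs = @($sig.SignerCertificate, $sig.TimeStamperCertificate) | Where-Object { $_ }

foreach ($cert in $certs) {
    $user    = Get-ChainResult -Certificate $cert -UseMachineContext $false
    $machine = Get-ChainResult -Certificate $cert -UseMachineContext $true
    "{0}: user partial={1}, machine partial={2}" -f $cert.Subject, $user.PartialChain, $machine.PartialChain

    if ($machine.PartialChain -and -not $user.PartialChain) {
        # Certificates found only through the user context: candidates to
        # export from the User store and import into the Machine store.
        $known = @($machine.Elements | ForEach-Object { $_.Thumbprint })
        $user.Elements | Where-Object { $known -notcontains $_.Thumbprint } |
            Select-Object Subject, Thumbprint, NotAfter | Format-List
    }
}
```

This is a diagnostic only; the 'dascli certinfo' output remains the reference for what the agent itself sees.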

Resolution

Using the Microsoft 'mmc' utility, open File -> Add/Remove Snap-in..., select Certificates, then click 'Add'. Locate the appropriate certificate in the User store, then export it and import it into the Machine store.

Creation Date: 06-08-2018