Cb Protection All versions
Files signed by a globally approved Publisher are blocked from execution.
Running 'dascli find <filename>' reports 'CERT_TRUST_IS_PARTIAL_CHAIN' for the file's counter-signer chain.
The referenced 'CertId' also shows a Parent certificate of 0. As shown here, there is no 'Parent' or root certificate for 'Starfield Timestamp Authority - G2':
Ineligible Reasons[CounterChainIdx[1] CertId[256] ValidationError[00010000:CERT_TRUST_IS_PARTIAL_CHAIN]]
CounterSigner:
CertId[256] Parent[0] Publisher[Starfield Timestamp Authority - G2]
The 'CERT_TRUST_IS_PARTIAL_CHAIN' message typically indicates that a root or intermediate certificate within the chain is not present in the certificate store the agent checks. In most cases, the root or intermediate certificate can be found in the local user certificate store but not in the machine store. Note that, for security reasons, the agent exclusively uses the machine store and not the per-user store.
The following commands can be used to determine whether the certificates in the User and Machine certificate stores differ:
dascli certinfo <filename> 0 user
dascli certinfo <filename> 0 machine
Using the Microsoft 'mmc' utility, open File -> Add/Remove Snap-in..., select Certificates, then click 'Add'. Locate the appropriate certificate in the User store, then export it and import it into the Machine store.
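The same user-versus-machine comparison can be made with built-in Windows certificate APIs before opening 'mmc'. This is an added example, not Carbon Black code or part of the original article; the $Path parameter and the Test-Chain helper name are assumptions chosen for illustration.

```powershell
# Added example, not Carbon Black tooling. $Path and Test-Chain are illustrative names.
param([Parameter(Mandatory)] [string] $Path)   # the file that is being blocked

# Timestamp counter-signer certificate embedded in the file's signature
$tsCert = (Get-AuthenticodeSignature -FilePath $Path).TimeStamperCertificate
if (-not $tsCert) { throw "No timestamp counter-signature found on $Path" }

function Test-Chain {
    param($Cert, [bool] $UseMachineContext)
    # $true = machine context (the store the agent relies on), $false = current user
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($UseMachineContext)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only, no CRL/OCSP lookups
    [void] $chain.Build($Cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    [pscustomobject]@{
        Context  = if ($UseMachineContext) { 'machine' } else { 'user' }
        Status   = if ($flags.Count) { $flags -join ', ' } else { 'NoError' }
        Elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    }
}

$user    = Test-Chain $tsCert $false
$machine = Test-Chain $tsCert $true
$user, $machine |
    Format-Table Context, Status, @{ n = 'ChainLength'; e = { $_.Elements.Count } }

# Certificates above the leaf that the user-context chain found but that are
# absent from the machine Root/CA stores: the candidates to export and import.
$machineThumbs = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    ForEach-Object { $_.Thumbprint }
$user.Elements | Select-Object -Skip 1 |
    Where-Object { $machineThumbs -notcontains $_.Thumbprint } |
    Select-Object Subject, Thumbprint, NotAfter
```

Run it as the affected user. A 'PartialChain' status in the machine row only, together with one or more certificates listed at the end, matches the condition described above.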