
EDR: Files Using Internal Publisher are Not Being Identified


Environment

  • EDR Windows Sensor: All

Symptoms

  • Binary or process information may show the publisher as missing or unavailable if the application is signed by an internal publisher.
  • For example, the following may be seen in the process document:
    • {"digsig_result": "Signed", "digsig_publisher": "n/a"}

Cause

  • The sensor uses the Windows WinVerifyTrust function to ask the operating system whether the file is signed.

Resolution

  • Because the sensor relies on the Windows WinVerifyTrust function to determine the signature status of the file, verify the file's signature and publisher independently with a utility such as sigcheck.exe from Sysinternals.
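The following PowerShell script is an added example, not part of this KB article or the sensor's own code. It takes process documents in the shape shown under Symptoms, picks out the ones reporting "Signed" with an "n/a" publisher, and then checks each file locally with Get-AuthenticodeSignature (which asks Windows to validate the Authenticode signature, as WinVerifyTrust does) and with sigcheck.exe. The sample process documents, the "path" field and the sigcheck install location are constructed assumptions.

```powershell
# Added example (not from the KB article): triage process documents whose
# digsig_publisher is "n/a" by checking the file's signature locally.
# The sample documents, the "path" field and $SigcheckPath are assumptions.

param(
    [string]$SigcheckPath = 'C:\Tools\sigcheck64.exe'   # assumed install location
)

# Constructed sample: two process documents in the shape the article shows,
# with an assumed "path" field so the script knows which file to inspect.
$processDocs = @'
[
  {"process_name": "internal-tool.exe", "path": "C:\\Program Files\\Contoso\\internal-tool.exe", "digsig_result": "Signed", "digsig_publisher": "n/a"},
  {"process_name": "notepad.exe", "path": "C:\\Windows\\System32\\notepad.exe", "digsig_result": "Signed", "digsig_publisher": "Microsoft Windows"}
]
'@ | ConvertFrom-Json

function Get-LocalSignatureInfo {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature has Windows validate the signature; the publisher
    # is read from the signer certificate's Subject rather than from the OS verdict.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status                    # Valid, NotSigned, UnknownError, ...
        Signer = $sig.SignerCertificate.Subject
        # An issuer that is not a public CA usually indicates an internal
        # code-signing CA, which is consistent with an "n/a" publisher in sensor data.
        Issuer = $sig.SignerCertificate.Issuer
    }
}

foreach ($doc in $processDocs) {
    # Only the Signed / "n/a" combination from the Symptoms section needs a second look.
    if ($doc.digsig_result -eq 'Signed' -and $doc.digsig_publisher -eq 'n/a') {
        Write-Host "Publisher unavailable for $($doc.process_name); checking locally..."

        if (Test-Path -LiteralPath $doc.path) {
            Get-LocalSignatureInfo -Path $doc.path | Format-List

            # Cross-check with Sysinternals sigcheck, as the article suggests.
            # -a: extended version information, -i: catalog and signing chain.
            if (Test-Path -LiteralPath $SigcheckPath) {
                & $SigcheckPath -nobanner -accepteula -a -i $doc.path
            }
        }
        else {
            Write-Warning "File not found locally: $($doc.path)"
        }
    }
}
```

Run the script on the endpoint that reported the process, so the file being inspected is the same binary the sensor evaluated. A Status of Valid together with a Subject and Issuer from an internal CA confirms the article's explanation; a NotSigned or UnknownError status points at a genuinely unsigned or untrusted file that deserves further investigation.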

Article Information

Creation Date: 12-27-2018