App Control: File Block Shows "IneligibleForApproval" due to CERT_TRUST_IS_PARTIAL_CHAIN

Environment

  • App Control (Formerly CB Protection) Agent: All Versions
  • Microsoft Windows: All Supported Versions

Symptoms

  • The publisher is approved; however, the file is not approved as expected
  • The event shows the file as IneligibleForApproval
  • Sample description from event seen in console:
DiscoveredBy[Kernel:Execute] FileCreated[11/2/2017 5:02:56 PM]
Discovered[7/27/2018 6:34:29 PM (Hash: 4/30/2018 3:13:53 PM)]
Publisher[TIBCO Software Inc (IneligibleForAppoval: CounterChainIdx[1] CertId[220]
Validation[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])]

Cause

  • One of the certificates in the approval chain is missing from the endpoint.
  • This is indicated by the error: CERT_TRUST_IS_PARTIAL_CHAIN
  • An expired certificate in the certificate chain

Resolution

In the message above, we can see from the following text that the counter signature of the file is the one with the issue:
CounterChainIdx[1] CertId[220]


To get more details on the missing part of the cert chain:

  1. Access the endpoint with the issue
  2. Open an elevated command prompt
  3. Run the following commands
 
> cd \program files (x86)\bit9\parity agent
> dascli password %YourCLIPassword%
> dascli certchain 220

The value 220 here comes from the CertId[220] in the original block message.

Breaking the result down into the two important lines:

CertId[220] Parent[0] Publisher[Symantec SHA256 TimeStamping Signer - G2]
Issuer[Symantec SHA256 TimeStamping CA]
 

We can see the publisher listed here, along with the cert ID of 220. However, Parent shows 0, meaning the parent of this certificate does not exist on the endpoint.
The parent cert, or root cert, is the one listed as the Issuer.

To resolve this, add the Issuer certificate to the certificate store on the endpoint (the machine store, which is the only store the agent consults).


Additional Notes

  • In some rare cases, if you still see blocks after the missing certificate has been added to the local machine, you may need to run commands that force the agent to re-evaluate all the certificates on the endpoint; see: CB Protection: Is there an option to trigger 'dascli validatecerts' from the console?
  • You will often find that a root or intermediate certificate is present in the local user certificate store but not in the machine store. Note that, for security reasons, the agent exclusively uses the machine store and never the per-user store.
  • If you are seeing the CERT_TRUST_IS_PARTIAL_CHAIN error, you can check whether the certificate exists in the local user store or the machine store by issuing the following commands:

dascli certinfo <filename> 0 user
dascli certinfo <filename> 0 machine

Example:

dascli certinfo "c:\test_file.exe" 0 user
dascli certinfo "c:\test_file.exe" 0 machine
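As an added example (not part of this article or the agent's own tooling), the following PowerShell script rebuilds the signer and timestamp-countersigner chains of a signed file against the machine store only, names the issuer that is absent when a partial chain results, and checks whether that issuer is present only in the current user's store. The file path and the -CopyToMachineStore switch are assumptions for illustration; the copy needs an elevated session, and the issuer is matched by subject name, so verify its thumbprint before relying on it.

```powershell
# Added example, not code from the KB article: mirror the agent's machine-store-only
# chain build, report the missing issuer behind a PartialChain status, and look for
# that issuer in the per-user store (the common case described in the notes above).
param(
    [Parameter(Mandatory)] [string] $Path,   # e.g. "c:\test_file.exe" (placeholder path)
    [switch] $CopyToMachineStore             # copy a user-store issuer into the machine store (needs elevation)
)
$Flags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]

function Find-MissingIssuer {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert, [string] $Label)
    # $true = machine context only; per-user stores are ignored, as the agent ignores them
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain completeness only; revocation is a separate flag
    $ok = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Host ("{0}: {1} -> valid={2} status=[{3}]" -f $Label, $Cert.Subject, $ok, $status)
    if ($chain.ChainStatus | Where-Object { $_.Status -eq $Flags::PartialChain }) {
        # The highest element the builder could place has no parent on this machine (Parent[0] in dascli terms)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        return $top.Issuer
    }
}

$sig = Get-AuthenticodeSignature -FilePath $Path
if (-not $sig.SignerCertificate) { throw "Not Authenticode-signed: $Path" }
$missing = @(Find-MissingIssuer $sig.SignerCertificate 'Signer')
if ($sig.TimeStamperCertificate) {
    $missing += Find-MissingIssuer $sig.TimeStamperCertificate 'Countersigner'
}

foreach ($issuer in ($missing | Where-Object { $_ })) {
    $found = Get-ChildItem Cert:\CurrentUser\CA, Cert:\CurrentUser\Root |
             Where-Object { $_.Subject -eq $issuer } | Select-Object -First 1   # subject-name match
    if (-not $found) {
        Write-Host "Issuer '$issuer' is missing from both stores; obtain it from the CA or the software vendor."
        continue
    }
    Write-Host "Issuer '$issuer' is present only in the user store (thumbprint $($found.Thumbprint))."
    if ($CopyToMachineStore) {
        # Self-signed issuers belong in Trusted Root (Root); intermediates in Intermediate CAs (CA)
        $storeName = if ($found.Subject -eq $found.Issuer) { 'Root' } else { 'CA' }
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
        $store.Open('ReadWrite'); $store.Add($found); $store.Close()
        Write-Host "Copied to LocalMachine\$storeName; rerun 'dascli certchain' to confirm the Parent is now resolved."
    }
}
```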

Creation Date: 11-20-2018