DiscoveredBy[Kernel:Execute] FileCreated[11/2/2017 5:02:56 PM] Discovered[7/27/2018 6:34:29 PM (Hash: 4/30/2018 3:13:53 PM)] Publisher[TIBCO Software Inc (IneligibleForAppoval: CounterChainIdx[1] CertId[220] Validation[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])]
In the message above, the following text shows that the counter signature of the file is the one with the issue:
CounterChainIdx[1] CertId[220]
To get more details on the missing part of the cert chain:
Breaking the result down into two important lines:
CertId[220] Parent[0] Publisher[Symantec SHA256 TimeStamping Signer - G2]
Issuer[Symantec SHA256 TimeStamping CA]
We can see the Publisher along with the cert ID of 220. However, the Parent shows '0', indicating that the Parent of this certificate does not exist on the endpoint.
The Parent cert, or root cert, is listed as the Issuer.
To resolve the issue, this certificate needs to be added to the certificate store on the endpoint.
dascli certinfo "<filename>" 0 user
dascli certinfo "<filename>" 0 machine
Example:
dascli certinfo "c:\test_file.exe" 0 user
dascli certinfo "c:\test_file.exe" 0 machine
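The reading of the event message and the certinfo lines described above can be scripted when many endpoints report the same problem. This is an added example, not Carbon Black code: the function names are hypothetical, the CERT_TRUST bit values are taken from the Windows wincrypt.h header rather than from this page, and the parser assumes the Issuer line follows its CertId line as in the output shown above.

```python
import re

# Both samples are copied from the article text above.
EVENT = ("Publisher[TIBCO Software Inc (IneligibleForAppoval: CounterChainIdx[1] "
         "CertId[220] Validation[01010040:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:"
         "CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_OFFLINE_REVOCATION])]")
CERTINFO = ("CertId[220] Parent[0] Publisher[Symantec SHA256 TimeStamping Signer - G2]\n"
            "Issuer[Symantec SHA256 TimeStamping CA]\n")

# Subset of the Windows CERT_TRUST_STATUS error bits (wincrypt.h).
TRUST_BITS = {
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}
EVENT_RE = re.compile(r"CounterChainIdx\[(\d+)\]\s+CertId\[(\d+)\]\s+"
                      r"Validation\[([0-9A-Fa-f]{8}):([A-Z_:]+)\]")

def parse_event(text):
    """Extract the failing counter-signature cert and its trust flags."""
    m = EVENT_RE.search(text)
    if not m:
        return None  # only the CounterChainIdx form shown in the article is handled
    mask = int(m.group(3), 16)
    names = m.group(4).split(":")
    decoded = [name for bit, name in TRUST_BITS.items() if mask & bit]
    return {"chain_idx": int(m.group(1)), "cert_id": int(m.group(2)),
            "mask": mask, "flags": names,
            "mask_matches_flags": sorted(decoded) == sorted(names),
            "partial_chain": bool(mask & 0x00010000)}

def missing_parents(certinfo_text):
    """Return certs with Parent[0], paired with the Issuer that is not installed."""
    out, current = [], None
    for line in certinfo_text.splitlines():
        m = re.search(r"CertId\[(\d+)\]\s+Parent\[(\d+)\]\s+Publisher\[(.*)\]\s*$", line)
        if m:
            current = ({"cert_id": int(m.group(1)), "publisher": m.group(3)}
                       if m.group(2) == "0" else None)
            continue
        m = re.search(r"Issuer\[(.*)\]\s*$", line)
        if m and current:
            out.append(dict(current, issuer=m.group(1)))
            current = None
    return out
```

A set `partial_chain` bit in the event together with a `Parent[0]` entry for the same CertId confirms that the named Issuer certificate is what the endpoint's store lacks.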