App Control: Files by Approved Publisher Being Blocked

By CB_Support posted Sep 28, 2018 06:56 PM


Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Symptoms

  • A file signed by a publisher that is approved in the console is still blocked
  • The block event description contains "IneligibleForAppoval: CounterChainIdx[X] CertId[XX]"
  • The block event description contains "ValidationError[ErrorsListedHere]"

Cause

Possible causes:
  • The publisher named in the file's signing certificate is not the publisher that is approved in the console (for example a subsidiary, a reseller, or a renamed company signs the file)
  • The file is not signed at all, so it can never be approved by publisher
  • Windows (crypt32) was not able to build and verify the certificate chain
  • The file's content was modified after it was signed, so the signature no longer matches the file and is invalid
  • The signing certificate has expired and the signature carries no valid timestamp countersignature
  • Crypt32 is damaged or cannot complete certificate validation, for example because the endpoint cannot reach the CRL/OCSP endpoints needed for revocation checking

Resolution

  1. Confirm that the file is signed and that the correct publisher is approved:
    1. In the block event, click the hash in the "Description" column
    2. The "File Details" page opens
    3. Under "File Properties", check the Publisher, Publisher State, Certificate, and Certificate Global State fields
      • If no publisher or certificate is listed, the file is not signed and is not eligible for publisher approval; approve it by hash or by another rule type instead
    4. Click the hyperlinked name of the publisher
    5. Confirm that the publisher's state is Approved and that the approval applies to the policy the blocked endpoint belongs to
  2. Confirm the validity of the file's signature:
    1. In the block event, look for errors such as "IneligibleForAppoval" and "ValidationError"
    2. To gather more certificate details from the agent:
      1. Log in to the endpoint experiencing the block
      2. Open an elevated (Administrator) Command Prompt
      3. Run the following commands (the dascli password is the agent's CLI password configured in the console; signtool is part of the Windows SDK and is not shipped with the agent):
        cd "c:\Program Files (x86)\Bit9\Parity Agent"
        dascli password <CliPassword>
        dascli find <FullPathToFile>
        dascli certinfo <FullPathToFile> 0 user
        dascli certinfo <FullPathToFile> 0 machine
        signtool verify <FullPathToFile>
      4. Compare the publisher shown in the certificate output with the publisher that is approved in the console; a mismatch in the subject name is the most common reason an "approved" publisher's file is blocked

  3. Check for crypt32 errors:
    1. Log in to the endpoint experiencing the blocks
    2. Go to Start > Run, type eventvwr, and press Enter
    3. Event Viewer opens
    4. In the left-hand pane, expand Windows Logs and select Application
    5. Look for errors or warnings whose source is crypt32 (or CAPI2), in particular failures to retrieve CRLs, OCSP responses, or root certificate updates; these indicate that Windows, not the agent, is unable to validate the certificate
  4. Re-evaluate the certificate information by running a Cache Consistency Check:
    1. Navigate to Assets > Computers
    2. Click the View Details button for the endpoint in question
    3. On the right side of the page, click the Perform Cache Consistency Check option
    4. Select the scan depth "Rescan known files" and the "Re-evaluate publishers" option
    5. Click Go
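The following PowerShell script is an added triage example, not code from the Carbon Black article or the App Control agent. It runs the same checks as steps 1 to 3 above from the endpoint side using only built-in Windows cmdlets: whether the file is signed, whether its signature still matches the content, whether the signing certificate has expired, whether the signer's name matches the publisher approved in the console, and whether crypt32 has logged recent validation failures. The parameter names, the event provider names used for the crypt32/CAPI2 lookup, and the 7-day event window are assumptions of this example; the dascli and signtool commands in step 2 remain the agent's own view of the certificate.

```powershell
<#
  Added example (not part of the KB article or the App Control product).
  Triage a file that App Control blocked even though its publisher is approved.
  Assumptions (not from the article): parameter names, the crypt32/CAPI2
  provider names queried in the Application log, and the default 7-day window.
  Run from an elevated PowerShell session on the blocked endpoint.
#>
param(
    [Parameter(Mandatory = $true)] [string] $Path,
    # Publisher name exactly as it appears under Rules > Software Rules > Publishers
    [string] $ExpectedPublisher,
    [int] $EventDays = 7
)

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

# 1. Is the file signed, and does the signature still match the file content?
$sig = Get-AuthenticodeSignature -LiteralPath $Path
"Signature status : $($sig.Status) ($($sig.StatusMessage))"

switch ($sig.Status) {
    'NotSigned'    { "-> Unsigned: not eligible for publisher approval. Approve by hash or another rule instead." }
    'HashMismatch' { "-> Content changed after signing: the signature no longer validates." }
    'Valid'        { "-> Windows validates the signature." }
    default        { "-> Windows could not validate the certificate chain; see the crypt32 events below." }
}

if ($sig.SignerCertificate) {
    $cert = $sig.SignerCertificate
    # SimpleName returns the subject CN, which is what the console compares as the publisher name.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    "Signer subject   : $($cert.Subject)"
    "Signer CN        : $cn"
    "Thumbprint       : $($cert.Thumbprint)"
    "Valid            : $($cert.NotBefore) to $($cert.NotAfter)"

    # 2. Expired signing certificate? A valid timestamp countersignature can still make it acceptable.
    if ($cert.NotAfter -lt (Get-Date)) {
        "-> Signing certificate has expired."
        if ($sig.TimeStamperCertificate) {
            "   Timestamp countersignature present from: $($sig.TimeStamperCertificate.Subject)"
        } else {
            "   No timestamp countersignature: the signature is no longer trusted."
        }
    }

    # 3. Does the actual signer match the publisher approved in the console?
    if ($ExpectedPublisher) {
        if ($cn -eq $ExpectedPublisher) {
            "-> Signer CN matches the approved publisher '$ExpectedPublisher'."
        } else {
            "-> MISMATCH: file is signed by '$cn' but the console approves '$ExpectedPublisher'."
            "   Approve the publisher that actually signed the file."
        }
    }
}

# 4. Recent crypt32 / CAPI2 errors and warnings in the Application log.
#    The provider names below are an assumption; adjust if your OS logs them differently.
$since = (Get-Date).AddDays(-$EventDays)
$filter = @{
    LogName      = 'Application'
    ProviderName = @('crypt32', 'Microsoft-Windows-CAPI2')
    Level        = @(1, 2, 3)   # critical, error, warning
    StartTime    = $since
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($events) {
    "`nCrypt32/CAPI2 events since $since (chain building or revocation failures point at Windows, not the agent):"
    $events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap -AutoSize
} else {
    "`nNo crypt32/CAPI2 errors or warnings in the Application log in the last $EventDays day(s)."
}
```

Usage: `.\Check-BlockedSigner.ps1 -Path 'C:\Path\To\blocked.exe' -ExpectedPublisher 'Example Software Inc.'` (script name and values are placeholders). A `HashMismatch` status means the file was altered after signing and no publisher rule will ever match it; a `NotSigned` status means publisher approval is the wrong rule type; a CN mismatch means the console trusts a different legal entity than the one on the certificate, which is the case the "IneligibleForAppoval" event most often reflects. If the signature is `Valid` here but the agent still reports a validation error, run the Cache Consistency Check in step 4 so the agent re-evaluates the publisher.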
