Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

App Control: How to Ignore Counter Chain Cert Errors

App Control: How to Ignore Counter Chain Cert Errors


  • App Control Server: All Supported Versions
  • App Control Agent: All Supported Versions


Instruct the Agent to ignore Partial Certificate Chain errors on the Counter Signature Chain, and rely solely on the Certificate Chain used by the Publisher for the Code Signing Chain. 


Warning: This configuration triggers a CC check on all agents at the same time which may cause performance impact
A best practice would be to apply the config to one or several policies first and then add more policies over time
  1. Login to the Console and navigate to: https://YourServerAddress/agent_config.php
  2. Choose: Show Filters > Add Filter > Value > contains: ignore_partial_chain_on_countersignatures
  3. Click the pencil icon on the resulting Agent Config and change the Value to: ignore_partial_chain_on_countersignatures=1
  4. Click Save
  5. Allow the agents some time to receive the updated CL Version and to run a CC check to approve the files that were previously signed by trusted publisher, but their approvals failed due to countersignature error

Additional Notes

  • Note: This setting will require the Agent to run a Cache Consistency Check so existing files can be analyzed and issued Approvals according to the new setting.
  • In order to maintain the highest security posture, Carbon Black strongly recommends pushing out the missing certificates in the chain, as described here.
  • Although this setting is not recommend, it's been created to help facilitate Publisher Approvals in environments where the Counter Certificate Chain is incomplete and can not easily be fixed.
  • This Agent Config was made available with the release of Server & Agent version 8.1.4.

Related Content

Labels (1)
Tags (2)
Was this article helpful? Yes No
50% helpful (1/2)
Article Information
Creation Date: