Publisher identification and approval of files by publisher are based on digital certificates.
It is important to distinguish between approval of a publisher and approval of a file that is identified as being from that publisher. You can approve any publisher that appears on the Publishers tab of the Software Rules page. A publisher appears in this list if a file had a certificate identifying the publisher and Windows considered the signature valid.
However, a file identified as being from this publisher can be approved by publisher only if all certificates in the certificate chain for that file are considered valid by Windows. For example, current root certificates must be installed for a certificate to be accepted.
All certificates in the chain for a file must meet additional Carbon Black App Control requirements. These settings are configurable on the Advanced Options tab of the System Configuration page. Keep the following in mind about these certificate settings:
- It is best to set certificate configuration options before generating the agent installation packages (that is, as soon as possible after installing Carbon Black App Control Server). This ensures that all agents, including those disconnected from the server, handle certificates appropriately. In addition, changing certificate settings after the agent is installed requires each agent to re-evaluate certificates. Having these settings correct before deploying the agent avoids a significant amount of processing.
- Changing any of the configurable certificate settings does not remove local approval of files whose certificates met the previous settings and were approved by publisher.
- Changing certificate settings can affect the tracking and inventory of Microsoft Support Files. See Changes that Affect OS Inventory Tracking.
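
To see on an endpoint why a file's publisher can be listed while the file itself is not approvable by publisher, the following added example (not Carbon Black code) reports the Windows signature status and the status of each certificate in the signer's chain. The function name `Get-SignerChainReport` is hypothetical, revocation checking is skipped as an assumption so the check runs offline, and the additional App Control certificate settings are not evaluated.

```powershell
# Added example, not part of the product: Windows' view of a file's signature
# and of every certificate in the signer's chain.
function Get-SignerChainReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $report = [ordered]@{
        Path            = $Path
        SignatureStatus = $sig.Status   # 'Valid' means Windows accepts the signature
        Publisher       = $null
        ChainValid      = $false
        Elements        = @()
    }
    # Unsigned file: there is no publisher and no chain to evaluate.
    if ($null -eq $sig.SignerCertificate) { return [pscustomobject]$report }

    $report.Publisher = $sig.SignerCertificate.Subject

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Assumption: revocation lookups are skipped so the check needs no network.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    try {
        # Build() validates against the current time, so a timestamped signature
        # whose signing certificate has since expired can show NotTimeValid here
        # even though SignatureStatus is 'Valid'.
        $report.ChainValid = $chain.Build($sig.SignerCertificate)
        $report.Elements = @(foreach ($e in $chain.ChainElements) {
            $problems = @($e.ChainElementStatus | ForEach-Object { $_.Status })
            [pscustomobject]@{
                Subject  = $e.Certificate.Subject
                NotAfter = $e.Certificate.NotAfter
                Status   = if ($problems.Count) { $problems -join ',' } else { 'NoError' }
            }
        })
    }
    finally { $chain.Dispose() }

    [pscustomobject]$report
}

# Sample input: the executable of the running PowerShell host.
$r = Get-SignerChainReport -Path (Get-Process -Id $PID).Path
$r | Select-Object Path, SignatureStatus, Publisher, ChainValid
$r.Elements | Format-Table -AutoSize
```

An element status such as `UntrustedRoot` or `PartialChain` points to a missing or outdated root certificate on that machine, which is the condition described above for a file that cannot be approved by publisher.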