Carbon Black App Control provides the ability to approve or ban a publisher by its name, as identified in a certificate.

Files signed with certificates whose publisher name matches an approved publisher are approved unless banned by some other rule; files with certificates whose publisher name matches a banned publisher are banned. All files with a given publisher name in their certificate are affected by that publisher’s state as defined on your Carbon Black App Control Server. These rules are described in Approving or Banning by Publisher.

The certificate management features described in this chapter add another layer of security and information to publisher approvals. A publisher name is simply the CN in a certificate's subject, and no central authority prevents two unrelated certificates from carrying the same name; certificates themselves, however, are issued by certificate authorities and can be identified individually. A certificate identifies an individual, a server, a company, or other entity, and associates that identity with a public key. It provides generally recognized proof of identity based on public-key cryptography: a signature that verifies with the certificate's public key can only have been produced with the corresponding private key, which is held by the entity the certificate identifies. For a signed file, that entity is the file's publisher, not the file itself.

File-signing certificates are the final link in a chain or path of certificates. At the top is a root certificate, which identifies the entity that conferred the initial trust. That certificate might be used to sign an intermediate certificate, which in turn confers its trust on the final leaf certificate that identifies the signer of the file. There can be more than one intermediate certificate in a path.

The Carbon Black App Control Agent reports all identifiable, valid certificates in the path of trust for signed files it discovers. Any certificate in the path, not only the leaf, can be approved or banned. A certificate's state (Approved, Banned, or the default Unapproved) is scoped to the publisher of the leaf certificate under which it was set. If the same certificate (an intermediate, for example) also appears in the chain of a file signed by a different publisher, that file is not affected; a separate certificate approval or ban under that publisher is needed.
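As an added illustration of the path of trust and of publisher-scoped certificate states, here is a Go program that is not part of the Carbon Black App Control documentation or product. It builds a throwaway root, intermediate and leaf in memory (the CA and publisher names are invented), validates the leaf as a code-signing chain the way the agent's path-of-trust reporting does, pins each certificate by a thumbprint, and resolves a file's state from a publisher rule plus certificate rules keyed by publisher and thumbprint. The rule model (states ranked Unapproved < Approved < Banned, rules keyed "<publisher>|<thumbprint>") is this example's own simplification of the behavior described above, not the product's implementation. The point it makes concrete: anyone can put "Contoso Ltd" in a CN, but only one exact certificate has a given thumbprint, and a rule on that thumbprint under one publisher says nothing about the same certificate under another.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// State is the console state of a publisher or certificate; a higher value outranks a lower one.
type State int

const Unapproved, Approved, Banned State = 0, 1, 2
func (s State) String() string { return [...]string{"Unapproved", "Approved", "Banned"}[s] }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a code-signing certificate for cn with signer's key (self-signed when parent is nil).
func issue(serial int64, cn string, ca bool, parent *x509.Certificate, pub any, signer crypto.Signer) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: ca,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// BuildChain builds an in-memory hierarchy from throwaway P-256 keys with invented names (no real CA or
// publisher is involved) and returns the root, the intermediate, and a leaf whose CN is publisher.
func BuildChain(publisher string) (root, inter, leaf *x509.Certificate) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	interKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	root = issue(1, "Example Root CA", true, nil, &rootKey.PublicKey, rootKey)
	inter = issue(2, "Example Code Signing CA", true, root, &interKey.PublicKey, rootKey)
	leaf = issue(3, publisher, false, inter, &leafKey.PublicKey, interKey)
	return root, inter, leaf
}

// Thumbprint pins one exact certificate by the hash of its DER bytes (SHA-256 here; Windows shows SHA-1).
func Thumbprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifiedPath validates leaf up to root for code signing, as the agent does when it reports a file's
// path of trust, and returns the path in order leaf -> intermediate -> root.
func VerifiedPath(root, inter, leaf *x509.Certificate) ([]*x509.Certificate, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	opts.Roots.AddCert(root)
	opts.Intermediates.AddCert(inter)
	chains, err := leaf.Verify(opts)
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// Evaluate resolves a file's state. publishers is keyed by publisher name; certRules is keyed by
// "<publisher>|<thumbprint>" because a certificate's state is scoped to the publisher it was set under.
// Any in-scope rule on any certificate in the path can raise the result, so a ban outranks an approval.
func Evaluate(path []*x509.Certificate, publishers, certRules map[string]State) State {
	pub := path[0].Subject.CommonName
	result := publishers[pub]
	for _, c := range path {
		if s := certRules[pub+"|"+Thumbprint(c)]; s > result {
			result = s
		}
	}
	return result
}

func main() {
	root, inter, leaf := BuildChain("Contoso Ltd")
	path := must(VerifiedPath(root, inter, leaf))
	fmt.Printf("%d certificates in path; intermediate thumbprint %s\n", len(path), Thumbprint(inter))
	pubs := map[string]State{"Contoso Ltd": Approved}
	// The intermediate banned under another publisher leaves Contoso's file approved; under Contoso it blocks.
	fmt.Println(Evaluate(path, pubs, map[string]State{"Fabrikam Inc|" + Thumbprint(inter): Banned}),
		Evaluate(path, pubs, map[string]State{"Contoso Ltd|" + Thumbprint(inter): Banned}))
}
```

The last line of output reads `Approved Banned`: the same intermediate thumbprint banned under "Fabrikam Inc" does not touch the Contoso-signed file, while banned under "Contoso Ltd" it blocks it. Running BuildChain twice with the same publisher name produces two leaves with identical CNs that neither verify against each other's root nor share a thumbprint, which is exactly why a certificate rule can say more than a publisher-name rule.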

Note:

In late 2013, Microsoft published security bulletin MS13-098 describing a flaw in the Authenticode signature verification that could allow remote code execution. In response, Microsoft announced availability of an update for all supported releases of Microsoft Windows to change how signatures are verified for binaries signed with the Windows Authenticode signature format.

If this change is enabled, Windows Authenticode signature verification no longer allows extraneous information in the WIN_CERTIFICATE structure, and Windows no longer recognizes non-compliant binaries as signed. Enabling the new behavior could therefore cause files previously approved by publisher to be blocked on App Control-managed systems, because a file that Windows no longer treats as signed no longer matches a publisher rule.

The change is included with Security Bulletin MS13-098, but (as of July 2014) will only be enabled on an opt-in basis. However, Microsoft states that it may make this a default behavior in a future release of Microsoft Windows.

See https://technet.microsoft.com/library/security/2915720 for more information on this change.
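The structure the bulletin refers to, as an added example that is not part of the Carbon Black documentation or product: a Go program that walks a PE Certificate Table blob (the bytes the security data directory points at), decodes each WIN_CERTIFICATE header, measures where the embedded DER object ends, and reports what follows it inside the entry. The inputs are constructed (a stand-in DER SEQUENCE holding only the PKCS#7 OID takes the place of a real SignedData object, and a second entry carries appended bytes no signature covers). Treating up to seven zero bytes after the DER object as alignment padding and anything else as extraneous is this example's own rule; the page does not state the exact criteria Windows applies once the update is enabled.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	winCertRevision20         = 0x0200 // WIN_CERT_REVISION_2_0
	winCertTypePKCSSignedData = 0x0002 // WIN_CERT_TYPE_PKCS_SIGNED_DATA
)

// WinCert is one decoded WIN_CERTIFICATE entry from a PE file's Certificate Table.
type WinCert struct {
	Length     uint32 // dwLength: size of the entry including its 8-byte header
	Revision   uint16 // wRevision
	Type       uint16 // wCertificateType
	Cert       []byte // bCertificate: normally a DER-encoded PKCS#7 SignedData object
	Trailing   int    // bytes of bCertificate left after the DER object ends
	Extraneous bool   // trailing bytes that are not plain zero alignment padding
}

// DERLength returns the encoded size (tag + length + content) of the DER object at the
// start of b, reading only its outer TLV header; indefinite lengths are not DER.
func DERLength(b []byte) (int, error) {
	if len(b) < 2 {
		return 0, errors.New("DER object too short")
	}
	if b[1] < 0x80 { // short form: a single length octet
		return 2 + int(b[1]), nil
	}
	n := int(b[1] & 0x7f) // long form: number of length octets that follow
	if n == 0 || n > 4 || len(b) < 2+n {
		return 0, errors.New("unsupported or truncated DER length")
	}
	l := 0
	for _, x := range b[2 : 2+n] {
		l = l<<8 | int(x)
	}
	return 2 + n + l, nil
}

// ParseCertTable decodes every WIN_CERTIFICATE entry in blob. Entries are 8-byte aligned,
// so the cursor advances by dwLength rounded up to a multiple of 8. For PKCS#7 entries it
// measures the DER object and records what, if anything, follows it inside the entry.
func ParseCertTable(blob []byte) ([]WinCert, error) {
	var out []WinCert
	for off := 0; off < len(blob); {
		if len(blob)-off < 8 {
			return nil, fmt.Errorf("truncated WIN_CERTIFICATE header at offset %d", off)
		}
		wc := WinCert{
			Length:   binary.LittleEndian.Uint32(blob[off:]),
			Revision: binary.LittleEndian.Uint16(blob[off+4:]),
			Type:     binary.LittleEndian.Uint16(blob[off+6:]),
		}
		if wc.Length < 8 || int(wc.Length) > len(blob)-off {
			return nil, fmt.Errorf("bad dwLength %d at offset %d", wc.Length, off)
		}
		wc.Cert = blob[off+8 : off+int(wc.Length)]
		if wc.Type == winCertTypePKCSSignedData {
			derLen, err := DERLength(wc.Cert)
			if err == nil && derLen > len(wc.Cert) {
				err = errors.New("DER object runs past dwLength")
			}
			if err != nil {
				return nil, fmt.Errorf("entry at offset %d: %v", off, err)
			}
			wc.Trailing = len(wc.Cert) - derLen
			// Assumption made by this example: up to 7 zero bytes after the DER object are
			// alignment padding; anything else is the "extraneous information" that the
			// MS13-098 verification change stops accepting.
			for _, b := range wc.Cert[derLen:] {
				wc.Extraneous = wc.Extraneous || b != 0
			}
			wc.Extraneous = wc.Extraneous || wc.Trailing > 7
		}
		out = append(out, wc)
		off += (int(wc.Length) + 7) &^ 7
	}
	return out, nil
}

// NewEntry builds a WIN_CERTIFICATE entry around der, appends extra after the DER object,
// and zero-pads the entry to 8 bytes. It exists only so the example can construct inputs.
func NewEntry(der, extra []byte) []byte {
	body := append(append([]byte{}, der...), extra...)
	length := 8 + len(body)
	entry := make([]byte, (length+7)&^7)
	binary.LittleEndian.PutUint32(entry, uint32(length))
	binary.LittleEndian.PutUint16(entry[4:], winCertRevision20)
	binary.LittleEndian.PutUint16(entry[6:], winCertTypePKCSSignedData)
	copy(entry[8:], body)
	return entry
}

func main() {
	// Constructed inputs: a stand-in SEQUENCE { OID 1.2.840.113549.1.7 } instead of a real
	// SignedData object, one clean entry, and one with data appended after the DER object.
	der := []byte{0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07}
	table := append(NewEntry(der, nil), NewEntry(der, []byte("payload-not-covered-by-signature"))...)
	entries, err := ParseCertTable(table)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for i, e := range entries {
		fmt.Printf("entry %d: dwLength=%d trailing=%d extraneous=%v\n", i, e.Length, e.Trailing, e.Extraneous)
	}
}
```

The second entry is reported with 32 trailing bytes and Extraneous set; the first has none. Data placed there was never covered by the signature, which is why a verifier that accepts it is also accepting bytes an attacker controls inside a file it still reports as validly signed.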

Summary of Certificate Management Features

Carbon Black App Control Certificate Management includes the following specific features:

  • In the console menu, you choose Assets > Certificates to open the Certificates table page. The Certificates table shows all leaf certificates that have been used to validly sign or cosign files found on agent-managed computers, plus all certificates in the paths for those leaf certificates.
  • Clicking on the View Details button next to a certificate in the table opens the Certificate Details page for that certificate. The Certificate Details page shows complete details for one certificate and has links to Related Views relevant to the certificate, such as a table of all files signed by the certificate.
  • The Publisher Details page for each publisher includes an All Certificates for This Publisher panel. This panel shows all certificates that have this publisher name as the CN portion of the certificate Subject Name. It also shows the approval/ban state for each certificate in the certificate path for leaf certificates associated with that publisher, and allows you to add or remove approvals or bans for each certificate.
  • Certificate-related fields are included on File Details and File Instance Details pages.
  • On the Advanced Options tab of the System Configuration page, the Certificate Options panel includes settings that determine what requirements (such as key length and algorithm) a certificate must meet if it is to be used for approving files. You can configure rules that enable the agents to do their own certificate revocation checks.
  • Regardless of whether agent-based certificate revocation checks are enabled, the Carbon Black App Control Server validates certificates in its inventory on a recurring basis to make sure that they have not been revoked. This validation generally occurs weekly and involves downloading certificate revocation lists (CRLs) from the issuing certificate authorities' CRL distribution points or making Online Certificate Status Protocol (OCSP) queries to their OCSP responders. If you are monitoring network traffic, keep in mind that these downloads might involve a variety of sites in a variety of countries. Currently, only agent-based revocation information affects enforcement of rules. Server-based validation checks are provided to inform administrators when the status of a certificate changes, but they do not affect enforcement of rules. Enable agent-based revocation checks if you want revocations to affect rule behavior.
  • Certificate-related Events and Alerts may appear when triggering conditions occur.