Windows XP and Server 2003 lack the necessary certificates (both root and intermediate) to validate the timestamps in the signature that Carbon Black uses.

To upgrade these operating systems to version 8.7.4 of the Carbon Black App Control agent, customers must perform one of the following tasks.

Note: If the root certificate is not trusted (using Option 1 or 2), the following error will still occur: CERT_TRUST_IS_UNTRUSTED_ROOT.

Option 1: Import the Missing Certificates Into the Computer Certificate Store

You can download the necessary certificates from https://community.carbonblack.com/t5/Documentation-Downloads/App-Control-Windows-Agent-Digicert-Timestamp/ta-p/112610.

Install the certificates on your machines directly using MMC with the Certificates snap-in, or use GPO. The root certificate should be imported to the Trusted Root Certification Authorities store. The intermediate certificate should go to the Intermediate Certification Authorities store. These should be imported at the machine level as opposed to the user level.
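A command-line equivalent of the MMC import, suitable for a GPO startup script. This is an added example, not Carbon Black's own procedure; the two `.cer` file names are placeholders for the downloaded files, and it assumes `certutil.exe` is available on the target machine.

```bat
@echo off
rem Added example: import the timestamp chain into the machine-level stores.
rem The file names below are placeholders for the two downloaded certificates,
rem expected in the same folder as this script.
setlocal
set "ROOT_CER=%~dp0timestamp-root.cer"
set "INT_CER=%~dp0timestamp-intermediate.cer"

rem Stop before touching any store if a file is missing, so the chain is
rem never left half installed.
if not exist "%ROOT_CER%" goto missing
if not exist "%INT_CER%" goto missing

rem Without -user, certutil writes to the local machine store, not the user store.
rem "Root" is the Trusted Root Certification Authorities store.
certutil -addstore -f Root "%ROOT_CER%"
if errorlevel 1 goto failed

rem "CA" is the Intermediate Certification Authorities store.
certutil -addstore -f CA "%INT_CER%"
if errorlevel 1 goto failed

echo Both certificates imported into the machine stores.
endlocal
exit /b 0

:missing
echo Certificate file not found next to this script.
endlocal
exit /b 1

:failed
echo certutil reported an error; check the output above.
endlocal
exit /b 1
```

Run it from an account with local administrator rights, since it writes to the machine stores.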

Option 2: Explicitly Trust the Timestamping Publisher

Another option is to trust the timestamping certificate. This can be a bit challenging because it requires querying the database for the correct ID. Full instructions can be found in this document: https://community.carbonblack.com/t5/App-Control-Discussions/Ineligible-for-Approval-CERT-TRUST-IS-PARTIAL-CHAIN/m-p/68553/thread-id/6292.

Option 3: Use the ignore_partial_chain_on_countersignatures config prop

Agents can be configured to ignore the missing countersignatures. This allows approval by publisher for files that have valid code signing chains, while ignoring errors on the countersigning chain.

Details on how to configure this can be found here:

https://community.carbonblack.com/t5/Knowledge-Base/App-Control-How-can-I-ignore-partial-cert-chain-errors/ta-p/73892