Every certificate carries a validity range (its notBefore and notAfter dates) that defines the period during which the certificate is considered valid.

Background

Most digitally signed files carry both a content signature, which verifies that the content has not been tampered with, and a separate counter signature (a trusted timestamp) that attests to when the file was signed.

For these files, the signature remains valid in terms of expiration even after the code signing certificate has expired, provided the file was signed within the certificate's validity range: the counter signature timestamp lets the verifier confirm that the signing happened during the certificate's lifetime.

The rare files that lack a counter signature/timestamp are no longer considered valid after the certificate expires, because there is no way to determine whether the file was signed during the certificate's validity period.

Certificate revocation is a separate concept from expiration. Revocation states that a previously issued certificate is no longer trustworthy; a revoked certificate is not trusted even if its validity range has not yet ended.

How Expired Certs are Handled in Carbon Black Cloud

Carbon Black Cloud examines file signature validity only when a sensor first discovers the hash, and that verdict is kept for the hash on that asset. This methodology can lead to the following edge cases:

  • If a non-timestamped hash was first seen on Machine 1 while its certificate was still valid, and first seen on Machine 2 after the certificate expired, Machine 1 continues to treat the file as eligible for certificate approval while Machine 2 does not. Each machine keeps the verdict it reached at first discovery: Machine 1 saw a valid signature, Machine 2 saw an expired one.
    Note: This does not apply to timestamped files, because the counter signature proves whether the file was signed during the validity range.
  • If a hash was discovered before its certificate was known to be revoked, it could be approved and remains approved on that machine even after the certificate is found to be revoked. New hashes signed by the revoked certificate that appear after the sensor has learned of the revocation are not approved by certificate approvals, but can still be approved by other reputation sources.
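The following example is added here to illustrate both the timestamp rule from the Background section and the first-seen edge cases above; it is not Carbon Black code and does not reflect the sensor's internal implementation. It models a certificate by its validity range, judges a timestamped file at its signing time and a non-timestamped file at evaluation time, and caches each hash's verdict per sensor so that later expiration or revocation only affects hashes that have not been seen yet. The certificate subject, hashes and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Cert:
    """A code signing certificate reduced to its identity and validity range."""
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class SignedFile:
    """A signed file. signed_at is the counter-signature timestamp, or None
    when the file carries no timestamp."""
    sha256: str
    cert: Cert
    signed_at: Optional[datetime]


def signature_valid(f: SignedFile, now: datetime, revoked: Set[str]) -> bool:
    """A timestamped file is judged at its signing time; a non-timestamped file
    can only be judged at the moment of evaluation. Revocation overrides dates."""
    if f.cert.subject in revoked:
        return False
    check_time = f.signed_at if f.signed_at is not None else now
    return f.cert.not_before <= check_time <= f.cert.not_after


class Sensor:
    """Hypothetical sensor model: a hash is evaluated only on first discovery,
    and that verdict is retained for the asset afterwards."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.revoked: Set[str] = set()
        self._verdicts: Dict[str, bool] = {}

    def learn_revocation(self, subject: str) -> None:
        self.revoked.add(subject)

    def eligible_for_cert_approval(self, f: SignedFile, now: datetime) -> bool:
        if f.sha256 not in self._verdicts:
            self._verdicts[f.sha256] = signature_valid(f, now, self.revoked)
        return self._verdicts[f.sha256]


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data (not real certificates or file hashes).
VENDOR = Cert("CN=Example Vendor (hypothetical)", _utc(2020, 1, 1), _utc(2023, 1, 1))
NO_TS = SignedFile("a" * 64, VENDOR, None)              # no counter signature
WITH_TS = SignedFile("b" * 64, VENDOR, _utc(2022, 6, 1))  # timestamped while valid
NEW_FILE = SignedFile("c" * 64, VENDOR, _utc(2022, 6, 1))  # timestamped, seen late


def expiration_scenario() -> Dict[str, bool]:
    """Two machines discover the same hashes before and after expiry."""
    m1, m2 = Sensor("machine1"), Sensor("machine2")
    during, after = _utc(2022, 6, 1), _utc(2024, 1, 1)
    return {
        "m1_no_ts_seen_while_valid": m1.eligible_for_cert_approval(NO_TS, during),
        "m2_no_ts_seen_after_expiry": m2.eligible_for_cert_approval(NO_TS, after),
        "m1_no_ts_reevaluated_after_expiry": m1.eligible_for_cert_approval(NO_TS, after),
        "m1_ts_after_expiry": m1.eligible_for_cert_approval(WITH_TS, after),
        "m2_ts_after_expiry": m2.eligible_for_cert_approval(WITH_TS, after),
    }


def revocation_scenario() -> Dict[str, bool]:
    """One machine learns of a revocation after approving an existing hash."""
    m = Sensor("machine1")
    before_revocation = m.eligible_for_cert_approval(WITH_TS, _utc(2022, 3, 1))
    m.learn_revocation(VENDOR.subject)
    later = _utc(2022, 9, 1)
    return {
        "existing_hash_before_revocation": before_revocation,
        "existing_hash_after_revocation": m.eligible_for_cert_approval(WITH_TS, later),
        "new_hash_after_revocation": m.eligible_for_cert_approval(NEW_FILE, later),
    }


if __name__ == "__main__":
    for name, verdict in {**expiration_scenario(), **revocation_scenario()}.items():
        print(f"{name}: {verdict}")
```

Running the script shows the two machines disagreeing on the non-timestamped hash, agreeing on the timestamped one, and the revoked certificate blocking only the hash that arrived after the revocation became known. Real sensors also differ in their trusted root stores, which this model does not represent.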

In summary, certificate expiration and revocation can affect the reputation of new hashes that appear on a system, but do not affect the reputation of hashes that are already present on the asset. Machines can enforce certificate approval rules differently depending on whether the certificate is expired, whether the file carries a counter signature, when the sensor learned that the certificate was revoked, and whether different sensors have different trusted root certificate stores.