Verifying signers and signatures
While checking the health of a resilient application, the RAR component may need to check the signer of a file, service, or driver that is used as a health check for the application. The RAR component checks to make sure that the signer matches the configured policy, and that the signature is valid.

A resilient application is a third party application that is actively monitored by the Secure Endpoint Agent. This feature is available only when the Application Resilience policy is activated on a Windows device. Depending on the configuration of this policy, the agent may be able to repair the application if it's non-compliant, or reinstall it if it's missing. The RAR component is a lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated.

You can add the Status details column for an application that has a status of Not compliant.
If the Status details column says Invalid signer for a service or Invalid signer for a file, the signer is incorrect. Both the actual and expected signer are shown in the error message. If the message says that the service is not signed, it could mean that the file has no signer, or the file has an invalid signature.

To find the signer for a file:
- In File Explorer, navigate to the file.
  For example, for Absolute Secure Access, navigate to the nmfilter.sys driver.
- Right-click the file and select Properties.
- Click the Digital Signatures tab.
- In the Signature list, verify that the name of the signer matches the name provided in the health checks table.
  For Absolute Secure Access, verify that the signer is either Absolute Software Corp. or NetMotion Software, Inc.

In some cases, the expected name of the signer matches the actual name of the signer, but the RAR component isn't able to validate the signature. This could be because the signature is invalid, has been altered, or the root or intermediate certificates are not accessible or not installed on the device.
There are two steps to verifying the signature:
Step 1: Extracting the signature
Step 2: Verifying the certificate chain

To extract the signature:
- In File Explorer, navigate to the file.
- Right-click the file and select Properties.
- Click the Digital Signatures tab.
- Select the signer that you want to verify the signature for from the Signature list.
  For example, for Absolute Secure Access, the signer of the nmfilter.sys driver is verified. On the Digital Signatures tab, select NetMotion Software, Inc from the Signature list.
- Click Details. Digital Signature Details opens.
- Click View Certificate. Certificate opens.
- Click the Certification Path tab.
- Select the certification path you want to check.
  For example, select DigiCert SHA2 Assured ID Code Signing CA.
- Click View Certificate. Certificate opens.
- Click the Details tab.
- Click Copy to File. The Certificate Export Wizard opens.
- Follow the Certificate Export Wizard using all of the default options.
- Save the certificate to your computer. Remember the location.
  For example, for Absolute Secure Access, save the file to C:\Temp with the file name nmfilter.cer.

To verify the certificate chain:
- Open Command Prompt as an administrator.
- Run the following command, replacing <file> with the file name and location you saved the certificate to in Step 1.
  certutil -f -urlfetch -verify <file>
  For example:
  certutil -f -urlfetch -verify C:\Temp\nmfilter.cer
- Review the output.
If the device is able to correctly access the Certificate Authorities, the response should indicate that the certificate was verified, with messages similar to the following:
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
[0.0] http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (0297)" Time: 0 25fbb6f903c2f7d5c856c45a5c81e826d2469e25
[0.0] http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl
Verified "Base CRL (0297)" Time: 0 25fbb6f903c2f7d5c856c45a5c81e826d2469e25
[1.0] http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
Verified "OCSP" Time: 0 12ee3fa99da7fc57a9c5dbae5ed5b459e76cb3b9
[0.0] http://ocsp.digicert.com
If the device is unable to correctly access the Certificate Authorities, the response indicates a failure with messages similar to the following:
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0 (null)
Error retrieving the URL: The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0 (null)
Error retrieving the URL: The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl
---------------- Certificate OCSP ----------------
Failed "OCSP" Time: 0 (null)
Error retrieving the URL: The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
http://ocsp.digicert.com
A certificate chain could not be built to a trusted intermediary authority. (-2146762486 CERT_E_CHAINING)
-----------------------------------
Incomplete certificate chain
Cannot find certificate:
CN = DigiCert SHA2 Assured ID Code Signing CA, OU = www.digicert.com, O = DigiCert Inc, C = US
Cert is an End Entity certificate
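The three manual procedures above (finding the signer, extracting the signature, and verifying the chain with certutil) as one PowerShell script. This is an added example, not code from the article or from Absolute; the driver path and export directory are assumptions, the expected-signer list is compared against the displayed signer name, and the script exports the signer certificate (rather than the intermediate) so that certutil checks the full chain.

```powershell
# Added example, not part of the original article. Automates the manual
# checks above for one file: signer name, Authenticode status, and the
# certificate chain (AIA/CRL/OCSP reachability via certutil). Paths are assumed.
param(
    [string]   $FilePath        = 'C:\path\to\nmfilter.sys',   # assumed location of the driver
    [string[]] $ExpectedSigners = @('Absolute Software Corp.', 'NetMotion Software, Inc.'),
    [string]   $ExportDir       = 'C:\Temp'
)

# 1. Signer check: mirrors the "Invalid signer" / "not signed" status details.
$sig = Get-AuthenticodeSignature -FilePath $FilePath
if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
    Write-Warning "$FilePath is not signed or its signature could not be read: $($sig.StatusMessage)"
    return
}
$cert   = $sig.SignerCertificate
$signer = $cert.GetNameInfo('SimpleName', $false)        # CN shown in the Signature list
if ($ExpectedSigners -notcontains $signer) {
    Write-Warning "Invalid signer: actual '$signer', expected one of: $($ExpectedSigners -join ', ')"
} else {
    "Signer OK: $signer (Authenticode status: $($sig.Status))"
}

# 2. Chain check from PowerShell: the same path the Certificate dialog walks.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'             # fetch CRL/OCSP, like certutil -urlfetch
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
[void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'))  # code signing EKU
$built = $chain.Build($cert)
foreach ($el in $chain.ChainElements) { "Chain: {0}" -f $el.Certificate.GetNameInfo('SimpleName', $false) }
if (-not $built) {
    # PartialChain = missing intermediate (the article's CERT_E_CHAINING case);
    # RevocationStatusUnknown / OfflineRevocation = CRL or OCSP URLs unreachable.
    # NotTimeValid on its own is expected for an expired but timestamped signing certificate.
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation.Trim())" }
}

# 3. Export the signer certificate and run the same certutil check as Step 2.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$cerPath = Join-Path $ExportDir 'nmfilter.cer'
[IO.File]::WriteAllBytes($cerPath, $cert.Export('Cert'))
& certutil.exe -f -urlfetch -verify $cerPath |
    Select-String -Pattern 'Verified|Failed|Error retrieving|CERT_E_CHAINING|Cannot find'
```

Run it from an elevated PowerShell prompt; the filtered certutil lines correspond to the Verified and Failed lines shown in the sample output above.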

To resolve the issue, you need to do one of the following:
- Ensure that the device can freely communicate with Certificate Authorities so that the Certificate Chain can be validated. For example, make sure that the device has an Internet connection.
- Manually install the code signing certificate into the Local Machine Certificate Store. This can be done by downloading the code signing certificate from the appropriate Authority Information Access URL or by installing the certificate from the certificate details.
To manually install the certificate from certificate details:
- In File Explorer, navigate to the file with system administrator access.
- Right-click the file and select Properties.
- Click the Digital Signatures tab.
- Select the signer that you want to verify the signature for from the Signature list.
  For example, for Absolute Secure Access, the signer of the nmfilter.sys driver is verified. On the Digital Signatures tab, select NetMotion Software, Inc from the Signature list.
- Click Details. Digital Signature Details opens.
- Click View Certificate. Certificate opens.
- Click Install Certificate. The Certificate Import Wizard opens.
- Click Local Machine.
- Follow the Certificate Import Wizard.
The certificate is now installed on your device.