uberAgent

Authenticode Signature Verification

uberAgent ESA verifies the Authenticode signature for every process that is started.

The following information is collected:

  • Is the executable signed by the OS manufacturer, e.g., Microsoft?
  • Is the Authenticode signature valid?
  • The Authenticode signer’s name

Configuration

uberAgent ESA Authenticode verification is configured through the process startup setting EnableAuthenticode. In the default configuration, Authenticode verification is enabled.

uberAgent ESA caches the results of Authenticode verifications. The number of cached results can be set via AuthenticodeCacheMaxSize, which is preset to 500 entries in the default configuration.

Metadata

Sourcetype

Authenticode signature information is part of the sourcetype uberAgent:Process:ProcessStartup. Please see the metrics documentation for a description of the fields.

Authenticode Signature Verification