Authenticode Signature Verification
uberAgent ESA verifies the Authenticode signature for every process that is started.
The following information is collected:
- Is the executable signed by the OS manufacturer, e.g., Microsoft?
- Is the Authenticode signature valid?
- The Authenticode signer’s name
uberAgent ESA Authenticode verification is configured through the process startup setting
EnableAuthenticode. In the default configuration, Authenticode verification is enabled.
uberAgent ESA caches the results of Authenticode verifications. The number of cached results can be set via
AuthenticodeCacheMaxSize, which is preset to 500 entries in the default configuration.
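The three facts listed above (OS-manufacturer signer, signature validity, signer name) and the bounded result cache described here can be reproduced on any Windows host with the built-in Get-AuthenticodeSignature cmdlet. The following PowerShell is an added example, not uberAgent's own code: the function name, the parameter names and the cache variable are this example's assumptions, and only the default of 500 entries is taken from the page.

```powershell
# Added example (not uberAgent's code): derive the three Authenticode facts the
# page lists for one executable with the built-in Get-AuthenticodeSignature
# cmdlet, and keep a bounded result cache in the spirit of
# AuthenticodeCacheMaxSize. Function, parameter and cache names are assumptions
# of this example, not uberAgent settings.

# Result cache, keyed by file content hash so a replaced binary at the same
# path is re-verified instead of being served a stale result.
$script:AuthenticodeCache = [ordered]@{}

function Get-ExecutableAuthenticodeInfo {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [int]$CacheMaxSize = 500   # mirrors the page's default of 500 entries
    )

    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($script:AuthenticodeCache.Contains($hash)) {
        return $script:AuthenticodeCache[$hash]
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file hash matches the signature AND the certificate
    # chains to a trusted root. NotSigned, HashMismatch, NotTrusted and
    # UnknownError all count as "not valid".
    $isValid = ($sig.Status -eq 'Valid')

    # Signer name as it appears in the signing certificate's subject.
    $signerName = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # IsOSBinary (PowerShell 5+) asks Windows code integrity whether this is an
    # OS-signed binary; that is a stronger check than matching "Microsoft" in the
    # subject string, and it is only meaningful when the signature itself is valid.
    $isOsBinary = $isValid -and [bool]$sig.IsOSBinary

    $result = [pscustomobject]@{
        Path           = $Path
        Sha256         = $hash
        SignedByOS     = $isOsBinary
        SignatureValid = $isValid
        Status         = [string]$sig.Status
        SignerName     = $signerName
    }

    # Bounded cache: evict the oldest entry once the limit is reached.
    if ($script:AuthenticodeCache.Count -ge $CacheMaxSize) {
        $oldest = @($script:AuthenticodeCache.Keys)[0]
        $script:AuthenticodeCache.Remove($oldest)
    }
    $script:AuthenticodeCache[$hash] = $result
    return $result
}

# Usage (assumed sample path): verify a well-known OS binary.
Get-ExecutableAuthenticodeInfo -Path "$env:SystemRoot\System32\notepad.exe"
```

Two details worth noting when reading the output: a signer name is reported whenever a certificate is attached to the file, even when Status is not Valid, so SignerName on its own is not evidence of trust and should always be read together with SignatureValid; and keying the cache by content hash rather than by path is what keeps a cached "valid" verdict from surviving a swap of the file behind the same path.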
Authenticode signature information is part of the sourcetype
uberAgent:Process:ProcessStartup. Please see the metrics documentation for a description of the fields.