Skip to main content

Documentation

Version

  1. uberAgent
  2. 6.1.2
  3. ESA Features & Configuration
  4. Authenticode Signature Verification
Previous document Next document
This documentation does not apply to the most recent version of uberAgent. Click here for the latest version.

Authenticode Signature Verification

In this article

uberAgent ESA verifies the Authenticode signature for every process that is started.

The following information is collected:

  • Is the executable signed by the OS manufacturer, e.g., Microsoft?
  • Is the Authenticode signature valid?
  • The Authenticode signer’s name

Configuration

uberAgent ESA Authenticode verification is configured through the process startup setting EnableAuthenticode. In the default configuration, Authenticode verification is enabled.

uberAgent ESA caches the results of Authenticode verifications. The number of cached results can be set via AuthenticodeCacheMaxSize, which is preset to 500 entries in the default configuration.

Metadata

Sourcetype

Authenticode signature information is part of the sourcetype uberAgent:Process:ProcessStartup. Please see the metrics documentation for a description of the fields.

Comments

Your email address will not be published. Required fields are marked *