This documentation does not apply to the most recent version of uberAgent.
Authenticode Signature Verification
uberAgent ESA verifies the Authenticode signature for every process that is started.
The following information is collected:
- Is the executable signed by the OS manufacturer, e.g., Microsoft?
- Is the Authenticode signature valid?
- The Authenticode signer’s name
Configuration
uberAgent ESA Authenticode verification is configured through the process startup setting EnableAuthenticode. In the default configuration, Authenticode verification is enabled.
uberAgent ESA caches the results of Authenticode verifications. The number of cached results can be set via AuthenticodeCacheMaxSize, which is preset to 500 entries in the default configuration.
Metadata
Sourcetype
Authenticode signature information is part of the sourcetype uberAgent:Process:ProcessStartup. Please see the metrics documentation for a description of the fields.