
This documentation does not apply to the most recent version of uberAgent.

Authenticode Signature Verification

uberAgent ESA verifies the Authenticode signature for every process that is started.

The following information is collected:

  • Is the executable signed by the OS manufacturer, e.g., Microsoft?
  • Is the Authenticode signature valid?
  • The Authenticode signer’s name


uberAgent ESA Authenticode verification is configured through the process startup setting EnableAuthenticode. In the default configuration, Authenticode verification is enabled.

uberAgent ESA caches the results of Authenticode verifications. The number of cached results can be set via AuthenticodeCacheMaxSize, which is preset to 500 entries in the default configuration.



Authenticode signature information is part of the sourcetype uberAgent:Process:ProcessStartup. Please see the metrics documentation for a description of the fields.
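
The three values listed above can be checked on a Windows host with PowerShell's Get-AuthenticodeSignature (Windows PowerShell 5.1 or later); the following is an added example, not uberAgent code or configuration. The function name Get-ProcessSignatureInfo, the cache key and the oldest-first eviction are assumptions made for illustration; only the 500-entry limit is taken from the default described above.

```powershell
# Added example, not uberAgent code. 500 mirrors the documented default cache size.
$script:MaxCacheSize = 500
$script:SigCache = [System.Collections.Specialized.OrderedDictionary]::new()

function Get-ProcessSignatureInfo {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $file) { return }        # image no longer on disk, nothing to verify

    # Assumption: key on path + size + last write time, so a file that was
    # replaced on disk is verified again instead of served from the cache.
    $key = '{0}|{1}|{2}' -f $file.FullName.ToLowerInvariant(),
                            $file.Length, $file.LastWriteTimeUtc.Ticks
    if ($script:SigCache.Contains($key)) { return $script:SigCache[$key] }

    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # The signer's name is the subject's simple name of the signing certificate.
    $signer = $null
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
            $false)
    }

    $result = [pscustomobject]@{
        Path       = $file.FullName
        IsOSBinary = [bool]$sig.IsOSBinary      # signed by the OS manufacturer?
        IsValid    = ($sig.Status -eq
                      [System.Management.Automation.SignatureStatus]::Valid)
        Status     = $sig.Status                # NotSigned, HashMismatch, NotTrusted, ...
        SignerName = $signer
    }

    # Bounded cache: drop the oldest entry once the limit is reached.
    if ($script:SigCache.Count -ge $script:MaxCacheSize) { $script:SigCache.RemoveAt(0) }
    $script:SigCache.Add($key, $result)
    return $result
}

# List running process images whose signature is missing or does not validate.
Get-Process | Where-Object Path | Select-Object -ExpandProperty Path -Unique |
    ForEach-Object { Get-ProcessSignatureInfo -Path $_ } |
    Where-Object { -not $_.IsValid } |
    Format-Table Path, Status, SignerName -AutoSize
```

Processes whose image path the current user cannot read are skipped, so run it elevated for a complete picture.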

