Authenticode Signature Verification
uberAgent ESA verifies the Authenticode signature for every process that is started.
The following information is collected:
- Is the executable signed by the OS manufacturer, e.g., Microsoft?
- Is the Authenticode signature valid?
- The Authenticode signer’s name
Configuration
uberAgent ESA Authenticode verification is configured through the process startup setting EnableAuthenticode. In the default configuration, Authenticode verification is enabled.
uberAgent ESA caches the results of Authenticode verifications. The number of cached results can be set via AuthenticodeCacheMaxSize, which is preset to 500 entries in the default configuration.
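The following PowerShell script is an added example, not uberAgent code, that collects the same three facts listed above (signed by the OS manufacturer, signature valid, signer name) for the image file of each running process and keeps the results in a bounded cache, mirroring the documented default of 500 entries. It uses the built-in Get-AuthenticodeSignature cmdlet rather than uberAgent's internal verification routine; the function name, the cache key scheme (path plus size plus last-write time) and the subject-name heuristic for "signed by the OS manufacturer" are assumptions made for illustration.

```powershell
# Added example, not uberAgent code. The cache key and the OS-vendor heuristic
# are assumptions for illustration; uberAgent's own implementation may differ.

# Bounded result cache. Keying on path + size + last-write time means a binary
# that is replaced at the same path is re-verified instead of served from cache.
$script:AuthenticodeCache = [ordered]@{}
$script:AuthenticodeCacheMaxSize = 500   # mirrors the documented default

function Get-ProcessSignatureInfo {
    param(
        [Parameter(Mandatory)][string]$ImagePath
    )
    $file = Get-Item -LiteralPath $ImagePath -ErrorAction Stop
    $key  = '{0}|{1}|{2}' -f $file.FullName, $file.Length, $file.LastWriteTimeUtc.Ticks

    if ($script:AuthenticodeCache.Contains($key)) {
        return $script:AuthenticodeCache[$key]
    }

    # Get-AuthenticodeSignature also consults catalog (.cat) signatures, which is
    # how most Windows OS binaries are signed. A check that only looks for an
    # embedded signature would report those files as unsigned.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # "Signed by the OS manufacturer" (assumption for this example): the signature
    # must be Valid, i.e. chain to a trusted root, AND the leaf subject must be a
    # Microsoft one. Subject matching alone is only a heuristic; pin a specific
    # root or thumbprint if you need a stricter policy.
    $isOsVendor = ($sig.Status -eq 'Valid') -and
                  ($signer -match '^CN=Microsoft (Windows|Corporation)\b')

    $result = [pscustomobject]@{
        ImagePath        = $file.FullName
        SignatureStatus  = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        SignatureValid   = ($sig.Status -eq 'Valid')
        SignerName       = $signer
        SignedByOsVendor = $isOsVendor
    }

    # Evict the oldest entry once the limit is reached (simple FIFO).
    if ($script:AuthenticodeCache.Count -ge $script:AuthenticodeCacheMaxSize) {
        $oldest = $script:AuthenticodeCache.Keys | Select-Object -First 1
        $script:AuthenticodeCache.Remove($oldest)
    }
    $script:AuthenticodeCache[$key] = $result
    return $result
}

# Usage: evaluate every running process whose image path is readable and list
# those that are unsigned, invalidly signed, or not signed by Microsoft.
Get-Process | Where-Object Path | Select-Object -ExpandProperty Path -Unique |
    ForEach-Object {
        try { Get-ProcessSignatureInfo -ImagePath $_ }
        catch { Write-Warning "Could not verify ${_}: $($_.Exception.Message)" }
    } |
    Where-Object { -not $_.SignatureValid -or -not $_.SignedByOsVendor } |
    Format-Table ImagePath, SignatureStatus, SignerName, SignedByOsVendor -AutoSize
```

Run the script from an elevated prompt to read the image paths of processes running under other accounts; non-elevated sessions see a null Path for those and they are skipped by the Where-Object Path filter. A HashMismatch status is the case worth alerting on first: it means the file carries a signature but its contents no longer match it.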
Metadata
Sourcetype
Authenticode signature information is part of the sourcetype uberAgent:Process:ProcessStartup. Please see the metrics documentation for a description of the fields.