Execute Request denied by Trusted Ownership when using Trusted Vendors

Version 1

    Verified Product Versions

    AppSense Application Manager 8.9
    AppSense Application Manager 8.8
    AppSense Application Manager 8.7
    AppSense Application Manager 8.6
    AppSense Application Manager 8.5
    AppSense Application Manager 8.4
    AppSense Application Manager 8.3
    AppSense Application Manager 8.2
    AppSense Application Manager 8.1
    AppSense Application Manager 8.0

    Introduction

    When allowing an application that dynamically creates DLLs within the user's profile (typically the Temp folder), these DLLs are blocked by Trusted Ownership even though they have been allowed using Trusted Vendors and the rule initially worked.

    Detail

    A common resolution to this, if the DLLs are digitally signed, is to use Trusted Vendors: a copy of one of the DLLs is scanned within the Application Manager console under the relevant Rule, via Trusted Vendors - "From Signed File". When adding a signed item in this manner it is advisable to right-click the entry and select "Verify Certificate"; however, on occasion the agent may still block the requests even though validation initially succeeded (see below).

    If a certificate expires or is revoked (for example), the validation may later fail, causing the request to be denied based on Trusted Ownership (where the Trusted Vendor entry is being used to allow a user-owned file).

    Application Manager Agent logs can be used to locate signature validation issues by looking for log lines containing:

    [CRulesChecker::DoTrustedVendorCheckInternalWorker]

    A certificate that fails to validate will return "Invalid Certificate Found", together with an error code that varies depending on the cause of the validation error.
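    The triage below is an added example and not part of the article or of the Application Manager product: it filters exported agent log lines down to the Trusted Vendor checker, pairs each "Invalid Certificate Found" verdict with the file it relates to, and groups the failures by error code so that an expired signer can be told apart from a revoked one. Only the component tag and the "Invalid Certificate Found" message come from the article; the timestamp layout, the assumed "Checking <file>" line, the sample lines and the log path are constructed for illustration. The HRESULT meanings are the standard Windows values from winerror.h.

```powershell
# Added example, not code from the AppSense article: triage exported Application
# Manager agent log lines for Trusted Vendor certificate validation failures.
# Only the component tag and the "Invalid Certificate Found" message come from the
# article; the timestamp layout, the "Checking <file>" line and the log path are
# assumptions made for illustration.

# Windows HRESULT values commonly reported for certificate chain failures
# (winerror.h); extend the table with whatever codes your own logs contain.
$KnownCertErrors = @{
    '0x800B0100' = 'TRUST_E_NOSIGNATURE: the file is not signed'
    '0x800B0101' = 'CERT_E_EXPIRED: a certificate in the chain has expired'
    '0x800B0109' = 'CERT_E_UNTRUSTEDROOT: the chain ends in a root that is not trusted'
    '0x800B010C' = 'CERT_E_REVOKED: a certificate in the chain has been revoked'
}

function Get-AmTrustedVendorFailure {
    param([Parameter(Mandatory)][string[]]$Lines)

    $lastFile = $null
    foreach ($line in $Lines) {
        # Only the Trusted Vendor checker's lines are of interest.
        if ($line -notmatch '\[CRulesChecker::DoTrustedVendorCheckInternalWorker\]') { continue }

        # Assumed layout: the checker logs the file it is examining before the verdict.
        if ($line -match 'Checking (?<file>.+)$') { $lastFile = $Matches.file; continue }

        if ($line -match 'Invalid Certificate Found.*?(?<code>0x[0-9A-Fa-f]{8})') {
            $code = '0x' + $Matches.code.Substring(2).ToUpper()
            $meaning = if ($KnownCertErrors.ContainsKey($code)) { $KnownCertErrors[$code] } else { 'unknown HRESULT: look it up in winerror.h' }
            [pscustomobject]@{
                Time      = ($line -split '\s+', 3)[0, 1] -join ' '   # assumed "date time" prefix
                File      = $lastFile
                ErrorCode = $code
                Meaning   = $meaning
            }
        }
    }
}

# Constructed sample lines standing in for an exported agent log.
$SampleLog = @'
2015-05-04 09:12:01 [CRulesChecker::DoTrustedVendorCheckInternalWorker] Checking C:\Users\jsmith\AppData\Local\Temp\vendor\plugin1.dll
2015-05-04 09:12:01 [CRulesChecker::DoTrustedVendorCheckInternalWorker] Invalid Certificate Found, error 0x800b0101
2015-05-04 09:12:02 [CRulesChecker::DoTrustedVendorCheckInternalWorker] Checking C:\Users\jsmith\AppData\Local\Temp\vendor\plugin2.dll
2015-05-04 09:12:02 [CRulesChecker::DoTrustedVendorCheckInternalWorker] Invalid Certificate Found, error 0x800b010c
2015-05-04 09:12:03 [CRulesChecker::SomeOtherWorker] unrelated line that must be ignored
2015-05-04 09:12:05 [CRulesChecker::DoTrustedVendorCheckInternalWorker] Checking C:\Program Files\Vendor\core.dll
'@

$failures = Get-AmTrustedVendorFailure -Lines ($SampleLog -split "`r?`n")
$failures | Format-Table -AutoSize

# Which cause dominates? Expired and revoked signers need different remediation.
$failures | Group-Object ErrorCode | Select-Object Count, Name

# Against a real export (the path is a placeholder):
# Get-AmTrustedVendorFailure -Lines (Get-Content 'C:\path\to\AppSenseAgent.log')
```

    On the constructed sample the report lists plugin1.dll as expired and plugin2.dll as revoked and ignores the unrelated line. When a real export is used, check the first few matching lines by eye and adjust the two regular expressions to the actual line layout before trusting the grouping.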

    The simplest way to validate the signature is to use the Application Manager Console's Verify Certificate option again; however, for a detailed validation, Microsoft's SignTool.exe from the Windows SDK can be used, for example to check the signing of one of Application Manager's own files:

    C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin>signtool verify /kp /v "C:\Program Files\AppSense\Application Manager\Console\AMConsole.exe"

    Verifying: C:\Program Files\AppSense\Application Manager\Console\AMConsole.exe
    Hash of file (sha1): B593D6476ABF9D29E5A0954D2CC48C2F97339CC2

    Signing Certificate Chain:
    Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
    Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
    Expires:   Thu Jul 17 00:59:59 2036
    SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5

    Issued to: VeriSign Class 3 Code Signing 2010 CA
    Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
    Expires:   Sat Feb 08 00:59:59 2020
    SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

    Issued to: AppSense
    Issued by: VeriSign Class 3 Code Signing 2010 CA
    Expires:   Sat May 02 00:59:59 2015
    SHA1 hash: 418CE099F13564928969F92C23C097EA73654B9F

    The signature is timestamped: Tue Jul 30 17:16:25 2013
    Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Fri Jan 01 00:59:59 2021
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

    Issued to: Symantec Time Stamping Services CA - G2
    Issued by: Thawte Timestamping CA
    Expires:   Thu Dec 31 00:59:59 2020
    SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

    Issued to: Symantec Time Stamping Services Signer - G4
    Issued by: Symantec Time Stamping Services CA - G2
    Expires:   Wed Dec 30 00:59:59 2020
    SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

    Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 14:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

    Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
    Issued by: Microsoft Code Verification Root
    Expires:   Mon Feb 22 20:35:17 2021
    SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B

    Issued to: VeriSign Class 3 Code Signing 2010 CA
    Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
    Expires:   Sat Feb 08 00:59:59 2020
    SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

    Issued to: AppSense
    Issued by: VeriSign Class 3 Code Signing 2010 CA
    Expires:   Sat May 02 00:59:59 2015
    SHA1 hash: 418CE099F13564928969F92C23C097EA73654B9F

    File has page hashes.

    Successfully verified: C:\Program Files\AppSense\Application Manager\Console\AMConsole.exe

    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0


    If verification fails due to "Signing Cert does not chain to a Microsoft Root Cert" and no "Cross Certificate Chain" section is listed in the SignTool output, you may need to install the appropriate Cross Certificate from Microsoft:

    http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454%2528v=vs.85%2529.aspx

    Once that is installed, the cross-certificate chaining check should succeed when the file is validated again; for example, after installing the "Certificate for VeriSign Class 3 Public Primary Certification Authority – G5 (Root certificate thumbprint: 57 53 4c cc 33 91 4c 41 f7 0e 2c bb 21 03 a1 db 18 81 7d 8b)", the output includes:

    Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 14:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

    Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
    Issued by: Microsoft Code Verification Root
    Expires:   Mon Feb 22 20:35:17 2021
    SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B

    Issued to: VeriSign Class 3 Code Signing 2010 CA
    Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
    Expires:   Sat Feb 08 00:59:59 2020
    SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

    Issued to: 3rd Party Vendor
    Issued by: VeriSign Class 3 Code Signing 2010 CA
    Expires:   Wed Feb 08 00:59:59 2017
    SHA1 hash: (40-character SHA1 hash)
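    The following is an added example, not code from the article or the Application Manager product, for the situation the Introduction describes: a vendor application drops signed DLLs into the user's Temp folder and the agent later falls back to Trusted Ownership. It walks that folder with the built-in Get-AuthenticodeSignature cmdlet and reports, per DLL, the file owner (a user-owned file depends entirely on the Trusted Vendor entry), the signature status, the signer's expiry date, whether the signature is timestamped, and optionally whether the signer matches the thumbprint the Trusted Vendor entry was created from. The function name, its parameters and the default folder are assumptions made for illustration.

```powershell
# Added example, not code from the AppSense article: report the Authenticode status
# of DLLs a vendor application drops into the user's Temp folder, so an expired or
# revoked signer is visible before the agent denies them on Trusted Ownership.
# The function name, its parameters and the folder scanned are assumptions.

function Get-DroppedDllSignatureReport {
    param(
        # Folder the application writes its DLLs to; the user's Temp folder by default.
        [string]$Folder = $env:TEMP,
        # Thumbprint of the signer certificate the Trusted Vendor entry was created
        # from (visible in the console entry's certificate details); optional.
        [string]$ExpectedSignerThumbprint
    )

    Get-ChildItem -Path $Folder -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = $sig.SignerCertificate

            # An expired signer remains acceptable only if the signature carries a
            # timestamp from before expiry, so the timestamp is reported as well.
            [pscustomobject]@{
                File        = $_.FullName
                Owner       = (Get-Acl -Path $_.FullName).Owner   # user-owned files rely on the vendor rule
                Status      = $sig.Status                          # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
                Detail      = $sig.StatusMessage
                Signer      = if ($signer) { $signer.Subject } else { '(unsigned)' }
                Thumbprint  = if ($signer) { $signer.Thumbprint } else { $null }
                NotAfter    = if ($signer) { $signer.NotAfter } else { $null }
                Timestamped = [bool]$sig.TimeStamperCertificate
                MatchesRule = if ($ExpectedSignerThumbprint -and $signer) {
                                  $signer.Thumbprint -eq $ExpectedSignerThumbprint
                              } else { $null }
            }
        }
}

# Everything the agent would not accept under the Trusted Vendor entry:
Get-DroppedDllSignatureReport |
    Where-Object { $_.Status -ne 'Valid' -or $_.MatchesRule -eq $false } |
    Format-List File, Owner, Status, Detail, Signer, NotAfter, Timestamped

# With the thumbprint from the console entry (placeholder value):
# Get-DroppedDllSignatureReport -ExpectedSignerThumbprint '<40-character SHA1 thumbprint>'
```

    Get-AuthenticodeSignature returns the overall Windows trust verdict for each file; when it reports anything other than Valid, run signtool verify /kp /v against that file, as shown above, to see which certificate in the signing, timestamp or cross-certificate chain is the one failing. The -File switch on Get-ChildItem requires PowerShell 3.0 or later.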