Firefox and Dropbox updater programs are denied even with a Trusted Vendor rule

Version 1

    Verified Product Versions

    Application Control 8.9Application Control 8.8Application Control 8.7Application Control 8.6Application Control 8.5Application Control 8.4Application Control 8.3Application Control 8.2Application Control 8.1Application Control 8.0

    Introduction

    The Firefox updater executable "updater.exe" and the Dropbox updater "dropbox-upgrade-*.exe" are denied for restricted users by Application Manager resulting in popup messages from Application Manager and corresponding event id 9000 events raised where configured.

    Detail

    The signing of these exectuables includes an Intermediate Certification Authority certificate and unless this is in the Computer Certificate Store on the end-point running the Application Manager agent then the Application Manager agent is unable to verify the authenticity of the full certification path and therefore denies the execution request.

    The Intermediate Certification Authority certificate should be imported to the Intermediate Certification Authority  container within the Computer certificate store on the end-point. This is currently "Thawte Code Signing CA - G2".

    Alternatively, within the Trusted Vendors rule within the Application Manager configuration, right click on the certificate, select "Advanced Options" and tick the "Ignore end certificate revocation errors" and "Allow untrusted roots" options.