About Ivanti Endpoint Security - Digital Signatures

Version 8

    Verified Product Versions

    LANDESK Management Suite 2016.x
    LANDESK Endpoint Manager 2017.x

    Overview

    Ivanti Endpoint Security can recognize and trust digitally signed applications, based on a list of known trusted application signers (vendors) and on signatures discovered on managed devices.

     

    This document covers the use cases for digitally signed applications in Endpoint Security and the related configuration options.

     

    What is a "Digital Signature?"

    A digital signature is a cryptographic method used to prove the authenticity and integrity of an application. A valid digital signature can provide the following:

     

    • The application was signed by the publisher named in the signing certificate (whether that publisher should be trusted is a separate decision).
    • The application has not been altered or corrupted since it was signed; a modified file fails the hash check.
    • Help prevent namespace conflicts between similarly named components.
    • Versioning information and other metadata about the application.
    • Trusted identification of the publisher through a certificate authority (CA) that issued the signing certificate.

     

    Configuring Digital Signatures Behavior

    In the Ivanti Management Console, browse to Tools > Configuration > Agent Settings > Endpoint Security.

     

    In the Agent Settings Tree, under My Agent Settings > Security > Endpoint Security, click New, or double-click an existing setting.

     

    Under the Digital Signatures section, select from the three available options:

     

    • Do not trust digitally signed applications: Do not automatically trust digitally signed applications. Selecting this disables the rest of the dialog-box options.
    • Trust all digitally signed applications: Automatically trust any application with a valid digital signature. Use this setting with care. A valid signature only proves who signed the file and that it has not changed since; it does not guarantee that the application should be allowed in the environment, and malware is routinely signed with stolen or legitimately purchased code-signing certificates.
    • Trust digitally signed applications from these vendors: Only trust digitally signed applications whose signer is one of the vendors specified in the Trusted vendors list.

    [Screenshot: Agent Settings Endpoint Security.png]

    Once the desired setting has been selected, and the trusted application vendors have been added, click Save.
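    The following PowerShell function is an added example, not part of this article or of the Ivanti product. It evaluates one file against the three Digital Signatures modes described above so the difference between them can be seen on a real binary. It uses Get-AuthenticodeSignature, which wraps the same Windows WinTrust verification, and assumes (an assumption, not documented behaviour) that the Trusted vendors list is matched against the Common Name of the signer certificate. The file path and vendor names in the usage lines are illustrative.

```powershell
# Added example (not Ivanti code): evaluate a file against the three
# Digital Signatures modes. Vendor matching on the signer certificate's
# Common Name is an assumption made for this illustration.
function Test-SignedAppTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)]
        [ValidateSet('DoNotTrust', 'TrustAll', 'TrustVendors')]
        [string] $Mode,
        # Vendor names as they would appear in the Trusted vendors list.
        [string[]] $TrustedVendors = @()
    )

    # Get-AuthenticodeSignature calls WinTrust under the hood.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Only Status 'Valid' means the certificate chain builds to a trusted root
    # AND the file hash still matches the signed hash. 'NotTrusted' (e.g. a
    # self-signed certificate), 'HashMismatch' (file changed after signing)
    # and 'NotSigned' all yield no vendor and therefore no trust.
    $vendor = $null
    if ($sig.Status -eq 'Valid') {
        $vendor = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }

    # -contains is case-insensitive in PowerShell, matching how vendor names
    # are typically typed into a list.
    $trusted = switch ($Mode) {
        'DoNotTrust'   { $false }
        'TrustAll'     { $null -ne $vendor }
        'TrustVendors' { ($null -ne $vendor) -and ($TrustedVendors -contains $vendor) }
    }

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status
        SignatureType = $sig.SignatureType   # Embedded or Catalog
        Vendor        = $vendor
        Mode          = $Mode
        Trusted       = $trusted
    }
}

# Usage (illustrative path and vendor names): run all three modes on one file.
$exe = "$env:SystemRoot\System32\notepad.exe"
'DoNotTrust', 'TrustAll', 'TrustVendors' | ForEach-Object {
    Test-SignedAppTrust -Path $exe -Mode $_ -TrustedVendors 'Microsoft Windows', 'Microsoft Corporation'
} | Format-Table -AutoSize
```

    Run the same three calls against a self-signed or unsigned test binary and Trusted stays False in every mode, while a validly signed binary from any publisher becomes True under TrustAll, which is exactly the exposure the "use this setting with care" warning refers to. Note that Windows system files are usually catalog-signed rather than carrying an embedded signature; Get-AuthenticodeSignature reports these with SignatureType Catalog.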

     

    Discovered Vendors

    A basic list of reputable vendors is present in the Trusted vendors list by default when the Management Console is installed. More vendors become available as they are discovered on managed devices running Endpoint Security.

     

    Digital signatures are read by the Ivanti Endpoint Security service using the WinTrust and CryptoAPI interfaces provided by Windows. When a new digital signature is found, the managed device records it in an ActionHistory.xml file in the C:\ProgramData\Vulscan directory. This XML is then sent to the core during the next security scan.

    A discovered digital signature is added only to the Endpoint Security agent setting currently in use by the managed device that discovered it. It will NOT appear in other Endpoint Security agent settings. Use the Import Settings feature to bring the Trusted vendors list from another setting over.

    Discovered signers appear in the Discovered Vendors portion of the Digital Signatures agent configuration window. They must be added to the Trusted vendors list manually unless Trust all digitally signed applications is selected.
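    The following PowerShell function is an added example, not part of this article or of the Ivanti agent, and it does not read ActionHistory.xml (the format of that file is not documented here). It inventories the signing vendors present on a device in the same way the Discovered Vendors list is populated, so an administrator can preview which vendors a device will report and which of them are not yet in a Trusted vendors list. The search paths and the vendor list are illustrative assumptions.

```powershell
# Added example (not Ivanti code): inventory the code-signing vendors present
# under one or more directories and flag the ones missing from a Trusted
# vendors list. Search paths and the trusted list are illustrative.
function Get-DiscoveredSigningVendors {
    [CmdletBinding()]
    param(
        [string[]] $SearchPath = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}"),
        [string[]] $TrustedVendors = @()
    )

    $files = Get-ChildItem -Path $SearchPath -Recurse -Include *.exe, *.dll -File `
        -ErrorAction SilentlyContinue

    # Only files whose signature verifies through WinTrust count as a vendor;
    # unsigned, tampered (HashMismatch) or untrusted-chain files are skipped.
    $signed = foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        if ($sig.Status -ne 'Valid') { continue }
        [pscustomobject]@{
            Vendor     = $sig.SignerCertificate.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
            Thumbprint = $sig.SignerCertificate.Thumbprint
            File       = $f.FullName
        }
    }

    # One row per vendor name. 'Certificates' counts distinct signing
    # certificates seen under that name: the trusted list matches on the
    # name, so several certificates may all fall under one trusted entry.
    $signed | Group-Object Vendor | ForEach-Object {
        [pscustomobject]@{
            Vendor        = $_.Name
            FileCount     = $_.Count
            Certificates  = ($_.Group.Thumbprint | Sort-Object -Unique).Count
            InTrustedList = $TrustedVendors -contains $_.Name
            SampleFile    = $_.Group[0].File
        }
    } | Sort-Object -Property InTrustedList, FileCount -Descending
}

# Usage (illustrative): show vendors that would be newly discovered, i.e. not
# yet in the trusted list, starting with the most common.
Get-DiscoveredSigningVendors -SearchPath "$env:ProgramFiles" `
    -TrustedVendors 'Microsoft Corporation', 'Microsoft Windows' |
    Where-Object { -not $_.InTrustedList } | Format-Table -AutoSize
```

    Because the Trusted vendors list is keyed by vendor name rather than by a specific certificate, review the Certificates column before adding a name: every certificate whose subject carries that name will be trusted, so confirm that the distinct thumbprints seen on the device all belong to the vendor you intend to trust.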

    [Screenshot: Discovered Vendors.png]

     

    Adding/Editing Vendors

    If a digital signature that is expected to be present is not being discovered by Ivanti Endpoint Security, vendors can be added to the list manually.

     

    In the Agent Settings Tree, under My Agent Settings > Security > Endpoint Security, click New, or double-click an existing setting.

     

    Under the Digital Signatures section, click Add to enter a new vendor name to be added to the Trusted vendors list. Click Edit to change the currently selected vendor name. Click Delete to remove the currently selected vendor name. The name must match the signer name as it appears in the application's signing certificate, or it will not match discovered signatures.

    [Screenshot: Edit Vendor.png]

     

    Trusted File List

    Files trusted by their digital signatures can be configured to populate the Trusted File List automatically.

     

    In the Agent Settings Tree, under My Agent Settings > Security > Endpoint Security, click New, or double-click an existing setting.

     

    Under Default Policy, check the box to Automatically add files trusted by Digital Signatures to the Application File List. Files that are trusted because of a digital signature will then be added to the Trusted File List automatically as they are discovered by managed devices.

    [Screenshot: Trusted File List.png]