Unsigned Reserved Name Rule firing on signed module in RSA NetWitness Platform
Issue
Unsigned IOCs are triggering on a signed module. For example, the ESA rule "Unsigned Reserved Name" is displaying a Microsoft module.
Cause
The agent maintains a file trust (signature) cache, which is refreshed daily from the digital signatures in catalog (.cat) files; this is how most Microsoft Windows files are signed. If any tracking events with a reserved file name take place while this cache is being rebuilt, the file is reported as unsigned and the Unsigned Reserved Name rule is triggered. A smaller-scale fix would be to delay processing tracking events until the cache rebuild completes, so that accurate signature information is available. A larger-scale improvement would be to rebuild the cache more efficiently, either by swapping cache contents quickly (keeping two copies, old and new) or by updating and adding trust cache entries in place.
The issue was reproduced with a debugger by forcing the scan thread to update the trust cache, freezing that thread, and generating tracking events from cmd.exe renamed as svchost.exe.
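The race described above, as an added illustration that is not the agent's code: a small Python model of the trust cache with the in-place rebuild beside the two mitigations the cause section names (deferring tracking events until the rebuild completes, and building the new cache off to the side and swapping it in with one reference assignment). The catalog contents, the reserved-name list and the file paths are constructed for the example; the rebuild is modelled as a generator so the "event arrives mid-rebuild" moment is deterministic rather than thread-timing dependent.

```python
from typing import Dict, Iterator, Optional, Tuple

# Constructed sample data (not from the article): what one pass over the
# catalog files might resolve to. The reserved-name module of interest is
# deliberately not the first entry, so a partially rebuilt cache misses it.
CATALOG_SIGNERS: Dict[str, str] = {
    r"C:\Windows\System32\cmd.exe": "Microsoft Windows",
    r"C:\Windows\System32\lsass.exe": "Microsoft Windows",
    r"C:\Windows\System32\svchost.exe": "Microsoft Windows",
}

# Hypothetical reserved-name list; the real one lives in the agent/ESA rule.
RESERVED_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


class NaiveTrustCache:
    """Rebuilds in place: clear the map, then repopulate entry by entry.

    Any lookup that lands between the clear and the final insert sees a
    partial cache, so a catalog-signed file is reported as unsigned."""

    def __init__(self) -> None:
        self._entries: Dict[str, str] = {}
        self.rebuilding = False

    def rebuild_steps(self, catalog: Dict[str, str]) -> Iterator[str]:
        self.rebuilding = True
        self._entries.clear()
        for path, signer in catalog.items():
            self._entries[path] = signer
            yield path  # pause point: a tracking event may arrive here
        self.rebuilding = False

    def signer_of(self, path: str) -> Optional[str]:
        return self._entries.get(path)


class SwappingTrustCache(NaiveTrustCache):
    """Builds the new map off to the side and publishes it with a single
    reference assignment, so every lookup sees a complete snapshot
    (the old one until the swap, the new one after)."""

    def rebuild_steps(self, catalog: Dict[str, str]) -> Iterator[str]:
        self.rebuilding = True
        pending: Dict[str, str] = {}
        for path, signer in catalog.items():
            pending[path] = signer
            yield path  # old cache still serves lookups at this point
        self._entries = pending  # one reference swap: old -> new
        self.rebuilding = False


def build_cache(cache_cls) -> NaiveTrustCache:
    """Run one complete (uninterrupted) rebuild and return the cache."""
    cache = cache_cls()
    for _ in cache.rebuild_steps(CATALOG_SIGNERS):
        pass
    return cache


def unsigned_reserved_name_rule(cache: NaiveTrustCache, path: str) -> bool:
    """Fire when a module with a reserved file name has no trusted signer."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name in RESERVED_NAMES and cache.signer_of(path) is None


def simulate(cache_cls, defer: bool) -> Tuple[bool, bool]:
    """Start the daily refresh, deliver a tracking event for a signed
    svchost.exe while the refresh is in progress, then finish the refresh.

    Returns (rule fired for that event, rule fired once the refresh is done).
    With defer=True the event is held until the rebuild completes."""
    cache = build_cache(cache_cls)
    event = r"C:\Windows\System32\svchost.exe"
    refresh = cache.rebuild_steps(CATALOG_SIGNERS)
    next(refresh)  # refresh has started but is not finished
    if defer and cache.rebuilding:
        held = [event]
        fired_for_event = False
    else:
        held = []
        fired_for_event = unsigned_reserved_name_rule(cache, event)
    for _ in refresh:
        pass  # refresh completes
    for deferred in held:
        fired_for_event = unsigned_reserved_name_rule(cache, deferred)
    fired_after = unsigned_reserved_name_rule(cache, event)
    return fired_for_event, fired_after


if __name__ == "__main__":
    print("naive, no deferral :", simulate(NaiveTrustCache, defer=False))
    print("naive, deferral    :", simulate(NaiveTrustCache, defer=True))
    print("swapping cache     :", simulate(SwappingTrustCache, defer=False))
    # A renamed copy at a non-catalog path is still caught by either design.
    print("renamed copy       :", unsigned_reserved_name_rule(
        build_cache(SwappingTrustCache), r"C:\Users\Public\svchost.exe"))
```

Only the naive cache without deferral reports the signed module as unsigned, and only for the event that lands mid-rebuild; the swap design keeps serving the old complete snapshot until the new one is ready, while a reserved-name file at a path the catalogs do not cover still fires the rule under both designs, so the true-positive case (such as a renamed cmd.exe) is unaffected by the fix.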
Resolution
It would be good to provide a test agent build, but we cannot generate a signed agent build from a fork branch until ASOC-78115 is resolved. We can provide a dev test build, but it would require the agent system to be in test-signing mode during the test (lower security).
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option
If the customer is willing/able to do this test we can provide a build sooner. Otherwise we will have to wait until ASOC-78115 is resolved.
More details in here: https://bedfordjira.na.rsa.net/browse/SACE-11413
Product Details
RSA Product Set: NetWitness Platform