Manage Trusted Signers

Palo Alto Networks regularly reviews and makes changes to the list of trusted signers and makes the list available with the default security policy. Any updates to the list of trusted signers are made available with content updates that you can obtain from the Support portal (for more information, see Content Updates). You can also define your own trusted signers from the ESM Console. For Windows signers, adding a trusted signer adds the signer to the list of highly trusted signers. Traps evaluates trusted signers according to the Malware Protection Flow.
To view and configure trusted signers, your role must have the Trusted Signers privilege enabled.
To whitelist a trusted signer:
  1. Select Policies > Malware > Trusted Signers.
  2. Select the platform, Windows or Mac.
  3. Select the action menu, and Add Signer.
  4. Enter the name of the trusted signer.
  5. (Mac only) Specify the SHA1 hash of the certificate that signs the file.
    To identify the hash for a certificate that signs a file, review the local agent logs after a file runs on the endpoint:
    1. Using Cytool, set the log level for the trapsd daemon log to 7 (debug).
      Traps-Mac:bin Traps$ sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool log 7 trapsd
    2. Open the trapsd log and search for the name of the file for which you want to identify the certificate hash.
      The "CertificateHash" field identifies the hash value. For example:
      Traps-Mac:bin Traps$ open /var/log/traps/trapsd.log
      [...] "PublisherMatch" : { "CertificateHash" : "e86867eab7456a4fefcda5541be7d7e2c5aacbe9", "PublisherName" : "software (483dwkw443)" }, "SecurityEventReported" : false, "hash" : "7a11be65b9a8c60fa22dac612125e897a89f6f72228abe74514920618642c4e5" }
  6. (Optional) Provide a description indicating why you whitelisted the signer.
  7. Save the trusted signer.
    After you save a trusted signer, you can edit or delete it at any time.
    The ESM Console logs any changes to the trusted signers list and displays those logs from the Monitor > ESM > Health page. To filter for changes to the trusted signers, filter the Report Type column for any of the reports which begin with Trusted Signer.
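The log search in step 5, as an added example that is not Palo Alto Networks code: a shell function that pulls the CertificateHash and PublisherName logged for a given file out of the trapsd log and keeps only well-formed SHA1 values, so a truncated record is never pasted into the console. It assumes one record per line, plain ASCII double quotes, and that the record contains the file name; the sample records, their "path" field, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Assumptions: one log record per line, the
# record contains the file name, and the log uses plain ASCII double quotes.

# signer_hashes LOGFILE FILENAME
# Prints "sha1<TAB>publisher" once per distinct signer logged for FILENAME.
signer_hashes() {
    # -F matches the file name literally, so dots and brackets are not regex.
    grep -F -- "$2" "$1" |
    sed -n -E 's/.*"CertificateHash" *: *"([^"]*)" *, *"PublisherName" *: *"([^"]*)".*/\1|\2/p' |
    while IFS='|' read -r hash publisher; do
        # A SHA1 digest is exactly 40 hex characters; drop anything else so a
        # truncated or corrupted record is never entered as a trusted signer.
        case $hash in *[!0-9A-Fa-f]*) continue ;; esac
        [ "${#hash}" -eq 40 ] || continue
        # Normalise case so the same certificate is reported only once.
        printf '%s\t%s\n' "$(printf '%s' "$hash" | tr 'A-F' 'a-f')" "$publisher"
    done | sort -u
}

# Constructed sample records; timestamps and the "path" field are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
2018-01-01 10:00:01 { "path" : "/usr/local/bin/example-tool", "PublisherMatch" : { "CertificateHash" : "e86867eab7456a4fefcda5541be7d7e2c5aacbe9", "PublisherName" : "software (483dwkw443)" }, "SecurityEventReported" : false }
2018-01-01 10:05:12 { "path" : "/usr/local/bin/example-tool", "PublisherMatch" : { "CertificateHash" : "E86867EAB7456A4FEFCDA5541BE7D7E2C5AACBE9", "PublisherName" : "software (483dwkw443)" }, "SecurityEventReported" : false }
2018-01-01 10:06:40 { "path" : "/usr/local/bin/other-tool", "PublisherMatch" : { "CertificateHash" : "0123456789abcdef0123456789abcdef01234567", "PublisherName" : "constructed publisher" }, "SecurityEventReported" : false }
2018-01-01 10:07:03 { "path" : "/usr/local/bin/example-tool", "PublisherMatch" : { "CertificateHash" : "e86867ea", "PublisherName" : "software (483dwkw443)" }, "SecurityEventReported" : false }
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
signer_hashes "$sample" "example-tool"
rm -f "$sample"
```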
