Trusted Signer Management
You can now add trusted signers of Windows
or Mac processes to a whitelist in the ESM Console. When a file
is signed by a whitelisted signer, Traps permits the file to run.
For Windows signers, whitelisting a signer adds it to the list of
highly trusted signers (see the Malware Protection Flow).
To view and configure
trusted signers, your role must have the
Trusted Signers
privilege
enabled. To whitelist a trusted signer:
- Select .
- Select the platform,WindowsorMac.
- Select the action menu, andAdd Signer.
- Enter the name of the trusted signer.
- (Mac only) Specify the SHA1 hash of the certificate that signs the file.To identify the hash for the certificate, review the local agent logs after a file signed by the signer runs on the endpoint:
- Using Cytool, set the log level for thetrapsddaemon log to 7 (debug).Traps-Mac:bin Traps$sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool log 7 trapsd
- Open the trapsd log and search for the name of the file for which you want to identify the certificate hash.The“CertificateHash”field identifies the hash value. For example:Traps-Mac:bin Traps$open /var/log/traps/trapsd.log[...] “PublisherMatch” : { “CertificateHash” : “e86867eab7456a4fefcda5541be7d7e2c5aacbe9”, “PublisherName” : “software (483dwkw443)” }, “SecurityEventReported” : false, “hash” : “7a11be65b9a8c60fa22dac612125e897a89f6f72228abe74514920618642c4e5" }
- (Optional) Provide a description indicating why you whitelisted the signer.
- Savethe trusted signer.After you save a trusted signer, you can edit or delete it at any time.The ESM Console logs any changes to the trusted signers list and displays those logs from the page. To filter for changes to the trusted signers, filter theReport Typecolumn for any of the reports which begin withTrusted Signer.
