000036268 - RSA NetWitness Endpoint Digitally Signed Agents (Attestation Signing)

Document created by RSA Customer Support Employee on Apr 19, 2018
Version 1

Article Content

Article Number: 000036268
Applies To: RSA Product Set: NetWitness Endpoint
RSA Product/Service Type: NetWitness Endpoint
RSA Version/Condition: 4.3, 4.4
Platform: Windows
Issue: Digital attestation signing requires that new executables on the latest Windows operating systems, such as Windows 10, be digitally signed. If they are not submitted for signing, the installation of unsigned executables, such as the NetWitness Endpoint agent, can be prevented on any, or possibly all, endpoints.

See the image below for a sample of a signed driver:
[Image: Attestation signed driver showing RSA Security LLC in the versions field]

Cause: Windows 10 introduced a new type of driver signing for Windows executables with builds after 1607. The reason for this was to protect executables running in kernel space. NetWitness Endpoint uses a kernel-mode driver that runs in kernel space, so it falls under the requirements of the attestation signing process for Windows 10.

Resolution: All NetWitness Endpoint agents have driver attestation signing in the latest versions of NetWitness Endpoint, including and later versions. If a signed driver is missing attestation signing as seen in the Issue section, it must be reported to engineering as a regression bug so that a version of the build can be released that includes properly signed agent drivers.

The attestation signing applies to the agent's driver, not to the executable created by the packager. The actual executable is generated automatically during the wrapping process of the installer, so EcatServiceAgent.exe, or whatever name the agent executable is given, does not show driver signing, nor should it. An example of this is shown below AND SHOULD BE IGNORED!

Workaround: There is no workaround, other than having the drivers digitally signed by engineering.
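
To confirm the signing state of a driver file from a script rather than from the file properties dialog, the following PowerShell check can be used. It is an added example, not RSA's own tooling or documented procedure. It assumes the agent's kernel driver (.sys) has already been located on an endpoint (the path is supplied by the caller) and that attestation signing can be recognized by the Microsoft EKU OID for attested drivers in the signer certificate; the function name is hypothetical.

```powershell
# Added example (not RSA tooling): report whether a kernel driver file carries
# the EKU that Microsoft puts on attestation-signed drivers.
# Run it against the driver (.sys) file, not the packaged agent executable,
# which per the article does not show driver signing.
param(
    # Path to the agent's driver file; supplied by the caller.
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# EKU OIDs found in the signer certificate of drivers signed by Microsoft.
$AttestedOid = '1.3.6.1.4.1.311.10.3.5.1'  # Windows Hardware Driver Attested Verification
$WhqlOid     = '1.3.6.1.4.1.311.10.3.5'    # Windows Hardware Driver Verification (WHQL)

function Get-DriverSigningInfo {
    param([string]$FilePath)

    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) {
        throw "File not found: $FilePath"
    }

    $sig  = Get-AuthenticodeSignature -LiteralPath $FilePath
    $cert = $sig.SignerCertificate   # $null when the file is unsigned

    # Collect every EKU OID from the signer certificate's extensions.
    $ekus = @()
    if ($cert) {
        $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is $ekuType } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
    }

    [pscustomobject]@{
        Path              = $FilePath
        SignatureStatus   = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer            = if ($cert) { $cert.Subject } else { $null }
        AttestationSigned = ($sig.Status -eq 'Valid') -and ($ekus -contains $AttestedOid)
        WhqlSigned        = ($sig.Status -eq 'Valid') -and ($ekus -contains $WhqlOid)
        EkuOids           = $ekus
    }
}

Get-DriverSigningInfo -FilePath $Path | Format-List
```

A driver for which both `AttestationSigned` and `WhqlSigned` are `False` is the case the Resolution section says to report to engineering.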