Trust Agent scanner signed files on Windows

On Windows devices where PowerShell Constrained Language Mode is enforced for all users, Agent scans fail. You can improve the success of these Agent scans by adding Arctic Wolf as a trusted publisher in your application control software or virus scanning software.

Note: After you configure your Windows device to trust Agent scanner signed files, you must contact your Concierge Security® Team (CST) to enable the feature.

These resources are required:

  • An MR license
  • Windows administrative permissions

Steps

  1. Download the appropriate signature references:
  2. Using Command Prompt, run this command to verify the hash value of the zip file or files from step 1:
    certutil -hashfile <zip_file_location> <hash_type>
    Where:
    • <zip_file_location> is the location of the zip file. For example, c:\Users\User_Name\Downloads\rse_signature_references.zip.
    • <hash_type> is the hash type: SHA256, SHA1, or MD5.
    The returned hash value for the rse_signature_references.zip file should match one of these options:
    • SHA256 — 977941168282fdaf8a2d0e396fa0cbdced838e2020da3aab6e250ee232120de3
    • SHA1 — d141de57672508e0ec552e303e3726d36b1c016e
    • MD5 — b136740957c44b9ea5a08532d41ceb06
    The returned hash value for the rse_signature_references_old.zip file should match one of these options:
    • SHA256 — b0d34aacf75aa8779807a7363a3384303ef4100f1588605303ca49fd03e8ac36
    • SHA1 — 2dd5a735f40d786313ad67d310b48fa6f3fb6d73
    • MD5 — a4022e4040fc7a9ea68fd0440069ba5a
  3. Extract the zip file or files.
  4. On each Windows endpoint that has Agent installed, complete these steps:
    1. Open the application control software or virus scanning software that is blocking the Agent scan. For example, AppLocker or App Control for Business (formerly known as Windows Defender Application Control [WDAC]).
    2. Create rules to trust the appropriate SignatureReference files that are located in the folder that the ZIP file extracted to.
    3. Save your changes.
  5. Contact your Concierge Security® Team (CST) at security@arcticwolf.com and ask them to enable this feature.
For an example of how to trust PowerShell script signatures in AppLocker, see Example of how to trust Agent scanner signed files in AppLocker.

Example of how to trust Agent scanner signed files in AppLocker

You can trust the signatures of the Agent scan PowerShell scripts in AppLocker to improve success with these Agent scans.

  1. Download the appropriate signature references:
  2. Using Command Prompt, run this command to verify the hash value of the zip file or files from step 1:
    certutil -hashfile <zip_file_location> <hash_type>
    Where:
    • <zip_file_location> is the location of the zip file. For example, c:\Users\User_Name\Downloads\rse_signature_references.zip.
    • <hash_type> is the hash type: SHA256, SHA1, or MD5.
    The returned hash value for the rse_signature_references.zip file should match one of these options:
    • SHA256 — 977941168282fdaf8a2d0e396fa0cbdced838e2020da3aab6e250ee232120de3
    • SHA1 — d141de57672508e0ec552e303e3726d36b1c016e
    • MD5 — b136740957c44b9ea5a08532d41ceb06
    The returned hash value for the rse_signature_references_old.zip file should match one of these options:
    • SHA256 — b0d34aacf75aa8779807a7363a3384303ef4100f1588605303ca49fd03e8ac36
    • SHA1 — 2dd5a735f40d786313ad67d310b48fa6f3fb6d73
    • MD5 — a4022e4040fc7a9ea68fd0440069ba5a
  3. Extract the zip file or files.
  4. On a Windows device, do one of these actions to open the Local Security Policy:
    • Click Start > Programs > Administrative Tools, and then click Local Security Policy.
    • Press Windows Key + R, enter secpol.msc, and then press Enter.
  5. In the navigation pane, expand Application Control Policies, and then expand AppLocker.
  6. Click Script Rules.
  7. Right-click the display pane, and then click Create New Rule.
    The Create Script Rules dialog opens.
  8. Create the script rule:
    1. On the Before You Begin page, click Next.
    2. On the Permissions page, configure these settings, and then click Next:
      • Action — Select Allow.
      • User or group — Select Everyone.
    3. On the Conditions page, select Publisher, and then click Next.
    4. On the Publisher page, do these steps:
      1. Click Browse, find the SignatureReference.ps1 file, and then click Open.
      2. Move the slider to the level of enforcement you require. For example, Publisher.
      3. Click Create.
  9. In the navigation pane, click DLL Rules.
  10. Right-click the display pane, and then click Create New Rule.
    The Create DLL Rules dialog opens.
  11. Create the DLL rule:
    1. On the Before You Begin page, click Next.
    2. On the Permissions page, configure these settings, and then click Next:
      • Action — Select Allow.
      • User or group — Select Everyone.
    3. On the Conditions page, select Publisher, and then click Next.
    4. On the Publisher page, do these steps:
      1. Click Browse, find the SignatureReference.dll file, and then click Open.
      2. Move the slider to the level of enforcement you require. For example, Publisher.
      3. Click Create.
  12. If you downloaded two zip files for this procedure, repeat the script and DLL rule steps for the second zip file.
  13. Contact your Concierge Security® Team (CST) at security@arcticwolf.com and ask them to enable this feature.
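The following PowerShell script is an added example, not part of Arctic Wolf's documentation or tooling. It covers the hash check from step 2 of both procedures above and the Script and DLL publisher rules from the AppLocker procedure, using the built-in AppLocker cmdlets instead of the Local Security Policy console. The download folder, the extracted folder layout, the SignatureReference file names and the rule-name prefix are assumptions; adjust them to your environment and run the script in an elevated PowerShell session.

```powershell
# Added example: verify the signature-reference archives, then create AppLocker
# Publisher rules for the extracted SignatureReference script and DLL.
$ErrorActionPreference = 'Stop'
$DownloadDir = 'C:\Users\User_Name\Downloads'                      # assumed path
$ExtractDir  = Join-Path $DownloadDir 'rse_signature_references'   # assumed path

# Expected SHA256 values, copied from the documentation above.
$Expected = @{
    'rse_signature_references.zip'     = '977941168282fdaf8a2d0e396fa0cbdced838e2020da3aab6e250ee232120de3'
    'rse_signature_references_old.zip' = 'b0d34aacf75aa8779807a7363a3384303ef4100f1588605303ca49fd03e8ac36'
}

foreach ($name in $Expected.Keys) {
    $zip = Join-Path $DownloadDir $name
    if (-not (Test-Path $zip)) { Write-Host "Skipping $name (not downloaded)"; continue }
    # Get-FileHash returns uppercase hex; PowerShell's -ne compares strings case-insensitively.
    $actual = (Get-FileHash -Path $zip -Algorithm SHA256).Hash
    if ($actual -ne $Expected[$name]) {
        throw "SHA256 mismatch for $name (got $actual). Do not extract or trust this archive."
    }
    Write-Host "Verified $name"
    Expand-Archive -Path $zip -DestinationPath $ExtractDir -Force
}

# Collect signer (publisher) information from the extracted reference files.
# The file-name pattern is an assumption about the archive's contents.
$refs = Get-ChildItem -Path $ExtractDir -Recurse -Include 'SignatureReference*.ps1', 'SignatureReference*.dll'
$info = Get-AppLockerFileInformation -Path $refs.FullName

# Build Allow rules for Everyone keyed on the publisher certificate rather than a
# file hash, so re-signed Agent scan scripts from the same publisher keep working.
$policyXml = Join-Path $ExtractDir 'agent-scanner-allow.xml'
New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User Everyone `
    -RuleNamePrefix 'ArcticWolfAgent' -Optimize -Xml | Set-Content -Path $policyXml

# Review the generated XML (widen or narrow the product, binary name and version
# fields to match the enforcement level you chose with the slider) before merging.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge

# Confirm that the effective policy now allows each reference file for Everyone.
Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $refs.FullName -User Everyone
```

The final Test-AppLockerPolicy call reports a PolicyDecision per file; anything other than Allowed means the merged rule does not cover that file and the XML should be revisited before the CST enables the feature.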