Signer Identity (Certificate)

Important: Be careful! If you create incorrect exclusions, you can open your environment to malware.

You can exclude files and software that are signed by a trusted source, with a certificate that is verified by the endpoint OS. Agents monitor events associated with the certificate signer but do not mitigate the signed items.

This exclusion type is supported for Windows and macOS Agents.

IMPORTANT: Do not create Signer Identity exclusions for all Microsoft or Adobe applications. This will significantly decrease your organization's security. If you are getting false alerts for a specific application, contact support to find a narrower exclusion to resolve the issue.

Also see Best Practices for Exclusions and Not Recommended Exclusions.

To exclude items signed by a trusted source:

  1. In Analyze, select the threat
  2. In the Summary > Signer Identity property, copy the string after Cert id:
  3. Edit the EDR Policy where the Signer Identity is to be excluded
  4. Navigate to the Exclusions tab
  5. Click New Exclusion to open the New Exclusion dialog
  6. Select an operating system from the OS drop-down menu
  7. In Certificate ID, enter the Cert ID that you copied from the Forensics details page (wildcards are not supported)
  8. In Description, explain the reason for the exclusion
  9. Click Save
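
Before entering a Cert ID, you can confirm on a Windows endpoint that the flagged file's signature is verified by the OS and that the signer is not one of the broad publishers warned about above. The following PowerShell is an added example, not part of the product documentation: the function name Test-SignerForExclusion and the sample path are hypothetical, and the script does not compute the product's Cert ID.

```powershell
# Added example: pre-check a file's Authenticode signer before creating
# a Signer Identity exclusion. Function name and sample path are hypothetical.
function Test-SignerForExclusion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        # Publishers the page says must not be excluded wholesale.
        [string[]]$BroadPublishers = @('Microsoft', 'Adobe')
    )

    # Ask the OS to validate the signature (file hash and certificate chain).
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction Stop
    $cert = $sig.SignerCertificate      # $null when the file is unsigned

    $subject = if ($cert) { $cert.Subject } else { $null }

    # Flag signers whose subject names a broad publisher (case-insensitive).
    $broad = $false
    foreach ($publisher in $BroadPublishers) {
        if ($subject -and $subject -match [regex]::Escape($publisher)) {
            $broad = $true
        }
    }

    [pscustomobject]@{
        Path           = $Path
        Status         = $sig.Status    # 'Valid' means the OS verified it
        Subject        = $subject
        Issuer         = if ($cert) { $cert.Issuer } else { $null }
        Thumbprint     = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter       = if ($cert) { $cert.NotAfter } else { $null }
        BroadPublisher = $broad
        # Candidate only if the OS trusts the signature and the signer is narrow.
        Candidate      = ($sig.Status -eq 'Valid') -and (-not $broad)
    }
}

# Sample call with a placeholder path:
# Test-SignerForExclusion -Path 'C:\Path\To\flagged-app.exe' | Format-List
```

A result with Status other than Valid (for example NotSigned, HashMismatch or NotTrusted) or with BroadPublisher set to True is a reason to look for a narrower exclusion instead.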