WebEx-Team, for a few days AppLocker blocked Webex.exe although an exception has been set up.
Windows does not recognize a publisher of the Webex.exe file. The digital signature SHA256 has been updated.
AppLocker cannot cope with this yet.
Please change this to old SHA so that we can continue to use webex in the organization.
GPO Rule: O=CISCO WEBEX LLC, L=SAN JOSE, S=CALIFORNIA, C=US
Now: Publisher is missing:
TimeCreated : 22.05.2019 13:00:57
UserName : Org.\User
PolicyName : EXE
FilePath : %OSDRIVE%\USERS\User\DOWNLOADS\WEBEX.EXE
Publisher : -
FileHash : 3964C9A1424D9DB7F4E2EDAB623716E05F7AC4F176CEA1A77C26395EF8C0DA81
I have the same issue you do but I don't think it's SHA1 vs SHA256. I have plenty of exes that I added publisher certs that were SHA256 and still worked. WebEx is the only one I've seen, to date, that I can't seem to get anything cert related added that works. I've been using AppLocker for years too.
If I find a resolution, I'll post it.
I'm finding the same issue you are, but *only* with WebEx. The Get-AppLockerFileInformation is reporting no publisher info on the machines having trouble. On machines without AppLocker activated I'm able to get the info and test-applocker... works fine including Test-Applocker. On my test machine I stopped the Application Identity service, waited 30 or so seconds, started it again (I may have done this 2x). Then it started seeing the publisher again. I rebooted the machine after, and it continued to work.
Users reporting the issue have rebooted their computers, so I'm not sure a simple restart of the computer is sufficient nor am I completely certain why the service restarts seem to have fixed this test machine, at least temporarily.
The intermediate cert authority cert wasn't on my machines, root was though. I'm not sure how but it ended up on my test machine at one point (maybe I tested running webex as admin and that auto-installed it). What made me check it was this thread:
Strangely, after adding the intermediate cert to Intermediate Certificate Authorities the Get-AppLockerFileInformation showed the publisher and a Test-AppLockerPolicy now showed it should be allowed, but the previously downloaded temp webex app was still blocked. Subsequent fresh downloads were good though.
Note: I saw an install that's been on one of my machines for a long while and it had a Symantec cert chain instead of a DigiCert (fresh temp apps downloaded). I'm guessing the problem occurred when they switched.
We had the same behavior in AppLocker (publisher not visible).
The intermediate certificate was in the certificate store but not the root one.
We performed an update via certutil and everything is back to normal.
Download http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab and extract authroot.stl
Download http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab and extract disallowedcert.stl
Check the files, they shall be signed by Microsoft
As admin, execute the following 2 commands
certutil -addstore -f root authroot.stl
certutil -addstore -f disallowed disallowedcert.stl
As mentioned above, this is surely linked to the switch from Symantec to DigiCert.
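
Added example, not part of the original posts: a PowerShell check that ties together what the replies above looked at, namely the publisher AppLocker reports, the Authenticode status, whether each issuing certificate in the signer's chain is in a local store, and the Application Identity service. The file path is an assumption; run it on an affected machine.

```powershell
# Added example: diagnose a missing AppLocker publisher on a signed file.
# Assumed path; the blocked file in the thread was WEBEX.EXE in Downloads.
$Path = "$env:USERPROFILE\Downloads\webex.exe"

# 1. What AppLocker sees. An empty Publisher corresponds to "Publisher : -".
$info = Get-AppLockerFileInformation -Path $Path
"AppLocker publisher : $($info.Publisher)"

# 2. What Authenticode validation says about the same file.
$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status    : $($sig.Status) - $($sig.StatusMessage)"

if ($sig.SignerCertificate) {
    # 3. Build the chain. Windows may fetch a missing intermediate over the
    #    network, so a successful build does not prove it is installed locally.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($sig.SignerCertificate)
    "Chain builds        : $built"
    $chain.ChainStatus | ForEach-Object { "  chain status: $($_.Status)" }

    $stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
              'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'

    # Skip element 0 (the signer's leaf certificate). An empty table together
    # with PartialChain means no issuer certificate could be located at all.
    $chain.ChainElements | Select-Object -Skip 1 | ForEach-Object {
        $cert  = $_.Certificate
        $found = $stores | Where-Object {
            Get-ChildItem -Path $_ | Where-Object Thumbprint -eq $cert.Thumbprint
        }
        [pscustomobject]@{
            Subject    = $cert.GetNameInfo('SimpleName', $false)
            SelfSigned = ($cert.Subject -eq $cert.Issuer)   # True for the root
            FoundIn    = if ($found) { $found -join ', ' } else { 'NOT IN LOCAL STORES' }
        }
    } | Format-Table -AutoSize -Wrap
}

# 4. Application Identity service state, then the effective policy decision.
Get-Service -Name AppIDSvc | Format-Table Name, Status -AutoSize
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $Path -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule
```

A row marked NOT IN LOCAL STORES for the intermediate or the root matches the two situations described in the replies above.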