Code Integrity Policy Errors

Timothy Canning 1 Reputation point
2021-09-17T09:14:02.18+00:00

I am trying to implement CodeIntegrity for whitelisting on a fully stand-alone machine being used in an Industrial Control System application.

It is a Windows 10 Enterprise LTSC Version 1809 Build 17763.2145 with the July SSU and Cumulative Updates installed plus the latest Defender platform and security intelligence updates, plus .NET patches just installed before building the Code Integrity Policies.

I have four identical machines, and I'm following a procedure on all four. Two machines are showing no errors and I've moved them into enforcement mode with (so far) no issues. The other two are flagging a number of errors as per the attached log files and examples below. The machines I have an issue with are named IPC3 and IPC4 as machine names.

I'm not clear how I go about using log entries to create a further policy XML to merge to the base policy, but these errors are appearing for a number of what I think are Windows native DLLs, so I'm not sure why these would be failing to meet signing requirements.

Any help very much appreciated!

133005-examplecierror.jpg, 133078-examplecilogerror.txt

133095-icp3-cilog-operational.xml, 133083-ipc3-cilog-operational.txt, 133103-ipc4-cilog-operational.txt


1 answer

  1. Limitless Technology 39,916 Reputation points
    2021-09-17T13:17:37.677+00:00

    Hello TimothyCanning,

    I think there are 2 different situations. The one with PowerShell is more concerning, since it is a Windows application; please check: https://support.microsoft.com/en-us/topic/mitigation-of-a-large-number-of-block-events-that-collect-in-the-mdatp-portal-0ca3b64c-2532-5239-94c6-8f01e3ac36d1

    For IPC3, it is related to the hash of the app \ARPPRODUCTICON.exe, which is not part of the Microsoft OS but is related to InstallShield, developed by Acresso Software Inc. This may indicate an issue with the packaging installation of some programs not verified.

    Hope this helps in your case,
    Best regards,
