Finding a Signer Certificate Thumbprint for Process Check posture profiles in Windows and MacOS

ZAPP 2.1.2.x introduces a cool, new posture profile called “Process Check.” It takes an executable’s path\filename and a special cryptographic hash and checks if the executable is running or not. This is very helpful for creating posture policies in ZPA around Anti-Virus suites.

Finding the path and filename of the executable is easy enough, but finding the Signer Certificate Thumbprint can be a challenge for first time users.

Below I will provide step-by-step directions for Windows and MacOS.

Finding the Signer Certificate Thumbprint in Windows

Finding a Windows executable’s Signer Certificate Thumbprint is straightforward though “click-intensive.”

You can find it via the GUI by following these directions:

  1. Find the executable in Windows Explorer.
  2. Right click the file and click “Properties.”
  3. From the “Digital Signatures” tab, click on the listed signature, then click “Details.” A new window will appear.
  4. Click on “View Certificate;” another new window will appear.
  5. Click the “Details” tab, scroll down, and click on “Thumbprint.”

Finally, you will be presented with the thumbprint.

A shortcut for this procedure involves opening a PowerShell window and using the “Get-AuthenticodeSignature” applet.

  1. Click on the Windows button and type PowerShell. Hit enter.
  2. Type "Get-AuthenticodeSignature -FilePath ''" and hit enter.

In this example:
Get-AuthenticodeSignature -FilePath 'C:\Program Files (x86)\Zscaler\ZSATunnel\ZSATunnel.exe'


Finding the Signer Certificate Thumbprint in MacOS

As far as I have been able to find, there is no way to get the equivalent Thumbprint in the MacOS GUI. Please feel free to respond below and I will update the guide.

You can find the Thumbprint using the CLI command ‘codesign’.

  1. Open Terminal either using Spotlight (Cmd+Space, then type Terminal) or by going to the Finder menu bar, selecting Go, then Utilities, and double clicking the Terminal app icon.
  2. Type "codesign -dvvv " and hit enter.

In this example:
codesign -dvvv /Applications/Zscaler/Zscaler.app/

I’ve highlighted both the SHA1 and SHA256 Thumbprints for this file, though SHA1 will work most of the time.


NOTE: MacOS applications are folders with a subfolder structure that contains the actual executable file. Sometimes you may need to investigate which executable file is the running process you want to target.

In this example I’m focusing on the ZscalerTunnel executable:
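The following script is an added example and is not part of the original post or of Zscaler's tooling. It produces a signer-certificate thumbprint from the command line in the same form the posture profile is fed: the thumbprint in the Windows sense is the SHA-1 (or SHA-256) hash over the signing certificate's DER encoding, so the script extracts the certificate chain that codesign embeds in a signature (`codesign -d --extract-certificates`, which writes the leaf as `<prefix>0` and the rest of the chain as `<prefix>1`, `<prefix>2`, ...), fingerprints the leaf with openssl, strips the colons and lowercases the result. That certificate hash is a different object from the `CandidateCDHash`/`CDHash` lines that `codesign -dvvv` prints, which hash the code directory rather than the certificate. The `make_test_cert` helper is an assumption for machines without codesign: it generates a throwaway self-signed certificate and stores it where `signer_thumbprint` would have put the leaf, so the fingerprinting and normalisation steps can be exercised anywhere openssl is installed.

```shell
#!/bin/sh
# Added example (not from the original post): derive a signer-certificate
# thumbprint on macOS and normalise it to lowercase hex without separators.
set -eu

# normalise_thumbprint VALUE: accept "AB:CD:..." (openssl) or "ABCD..."
# (Windows GUI / PowerShell) and print lowercase hex with no separators,
# the exact-match form the posture profile compares against.
normalise_thumbprint() {
    printf '%s\n' "$1" | tr -d ':' | tr '[:upper:]' '[:lower:]'
}

# der_thumbprint FILE [ALGO]: fingerprint a DER-encoded certificate file.
# ALGO is sha1 (default) or sha256.
der_thumbprint() {
    file=$1; algo=${2:-sha1}
    fp=$(openssl x509 -inform DER -in "$file" -noout -fingerprint -"$algo" | cut -d= -f2)
    normalise_thumbprint "$fp"
}

# der_digest FILE [ALGO]: plain digest of the DER bytes. A certificate
# thumbprint is exactly this value, which is a useful sanity check.
der_digest() {
    file=$1; algo=${2:-sha1}
    openssl dgst -"$algo" "$file" | awk '{print $NF}'
}

# signer_thumbprint BUNDLE [ALGO]: macOS only. Extract the certificate chain
# from the bundle's signature into a temporary directory and fingerprint the
# leaf (written as <prefix>0). BUNDLE is what you would pass to codesign -dvvv.
signer_thumbprint() {
    bundle=$1; algo=${2:-sha1}
    tmp=$(mktemp -d)
    codesign -d --extract-certificates="$tmp/codesign" "$bundle" 2>/dev/null
    der_thumbprint "$tmp/codesign0" "$algo"
    rm -rf "$tmp"
}

# make_test_cert DIR: constructed input for hosts without codesign. Generates a
# throwaway self-signed certificate and stores its DER form as DIR/codesign0,
# mimicking the leaf file that --extract-certificates writes.
make_test_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" -subj "/CN=Example Signer" -days 1 >/dev/null 2>&1
    openssl x509 -in "$dir/cert.pem" -outform DER -out "$dir/codesign0"
}

# Usage: ./signer_thumbprint.sh /Applications/Zscaler/Zscaler.app [sha1|sha256]
if [ $# -gt 0 ]; then
    signer_thumbprint "$1" "${2:-sha1}"
fi
```

Run it against the bundle path from the example above to get the leaf certificate's thumbprint; pass `sha256` as the second argument for the SHA-256 variant. The normalisation step is deliberate: openssl prints colon-separated uppercase, the Windows dialog and Get-AuthenticodeSignature print uppercase, and the value in the profile has to match byte for byte.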


One thing to add. The match for the process thumbprint has to be exact! If the PowerShell approach is used:

> Get-AuthenticodeSignature -FilePath 'C:\Program Files (x86)\Zscaler\ZSATunnel\ZSATunnel.exe'

The thumbprint is all uppercase and will not match. Convert it to lowercase and it will work. This is valid for Zscaler Client Connector (formerly Z App) Version 2.1.2.81

Great info on how to get the hash, but using it in the posture check needs more detail. With many hash values, and usually hash and hashfull, what does posture match against? Also, is the posture parameter, just the value (sha256=value) or does it also include “sha256=value”? Example below of MS ATP.
CandidateCDHash sha256=c05a5cdbcc40e77093f8c06525258591af94ca86
CandidateCDHashFull sha256=c05a5cdbcc40e77093f8c06525258591af94ca86079167d85d053e2ca60cb045

@dcreedy can you please help with this?

What is the best way to debug this? I have two process checks defined. One is working and the other is not. The logs in ZSTray files are cryptic and don’t give out much. I am very sure the path and hash are good. The log section for the two are as shown below. Any help is much appreciated!


2020-09-14 11:36:41.951275(-0400)[9996:9176] INF Process posture check: Found running instances of the process
2020-09-14 11:36:43.251414(-0400)[9996:9176] INF Process posture check: Failed to get process executable path. Treating processName as full path
2020-09-14 11:36:43.579976(-0400)[9996:9176] INF Process posture check: Thumbprint matched: 46639be512f2c05396bcc09deea6acfc40b82c1d

2020-09-14 11:36:43.590278(-0400)[9996:9176] INF Process posture check: Found running instances of the process
2020-09-14 11:36:44.077008(-0400)[9996:9176] INF Process posture check: Succesfully read the full executable path of the process
2020-09-14 11:36:44.077008(-0400)[9996:9176] INF Process posture check: process path doesn’t exist
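As an added example (not from the thread or from Zscaler), the script below reduces the ZSTray log lines quoted above to one label per step, so the point at which a process check stops is visible at a glance: a check that reaches `THUMBPRINT_OK` passed, one that ends at `PATH_MISSING` never got as far as hashing because the configured path does not exist on the host. The line layout (`<timestamp>[pid:tid] INF Process posture check: <message>`) is assumed from the quoted lines only; `write_sample_log` embeds those same lines as a constructed sample so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): summarise "Process posture check"
# lines from a Zscaler Client Connector (ZSTray) log. Line format assumed from
# the lines quoted in this thread:
#   <timestamp>[pid:tid] INF Process posture check: <message>
set -eu

# posture_summary LOGFILE: print "<timestamp> <STEP>" for each posture-check
# line. STEP is a short label derived from the message text; messages this
# script does not know are labelled OTHER rather than dropped.
posture_summary() {
    awk -F'Process posture check: ' '/Process posture check: / {
        ts  = substr($1, 1, 26)      # "YYYY-MM-DD HH:MM:SS.micros"
        msg = $2
        if      (msg ~ /Thumbprint matched/)                    step = "THUMBPRINT_OK"
        else if (msg ~ /process path doesn/)                    step = "PATH_MISSING"
        else if (msg ~ /Found running instances/)               step = "PROCESS_RUNNING"
        else if (msg ~ /read the full executable path/)         step = "PATH_RESOLVED"
        else if (msg ~ /Failed to get process executable path/) step = "PATH_FALLBACK"
        else                                                    step = "OTHER"
        print ts, step
    }' "$1"
}

# posture_failures LOGFILE: number of checks that ended because the configured
# path does not exist on disk (the symptom discussed in this thread, e.g. a
# binary living under "Program Files (x86)" rather than "Program Files").
posture_failures() {
    grep -c "process path doesn" "$1" || true
}

# write_sample_log FILE: constructed sample made of the lines quoted in the
# thread, two checks back to back; one passes, one fails on the path.
write_sample_log() {
    cat > "$1" <<'EOF'
2020-09-14 11:36:41.951275(-0400)[9996:9176] INF Process posture check: Found running instances of the process
2020-09-14 11:36:43.251414(-0400)[9996:9176] INF Process posture check: Failed to get process executable path. Treating processName as full path
2020-09-14 11:36:43.579976(-0400)[9996:9176] INF Process posture check: Thumbprint matched: 46639be512f2c05396bcc09deea6acfc40b82c1d

2020-09-14 11:36:43.590278(-0400)[9996:9176] INF Process posture check: Found running instances of the process
2020-09-14 11:36:44.077008(-0400)[9996:9176] INF Process posture check: Succesfully read the full executable path of the process
2020-09-14 11:36:44.077008(-0400)[9996:9176] INF Process posture check: process path doesn't exist
EOF
}

# Usage: ./posture_summary.sh /path/to/ZSTray.log
if [ $# -gt 0 ]; then
    posture_summary "$1"
    echo "checks failing on a missing path: $(posture_failures "$1")"
fi
```

Point it at the real ZSTray log to get the same two-column view for every check the client ran; a check whose last label is `PATH_FALLBACK` or `PATH_RESOLVED` followed by `PATH_MISSING` is worth comparing against the path the process actually runs from.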

What is the file path that you are trying to use in the posture check?

The one that works: C:\Program Files\Common Files\McAfee\AVSolution\mcshield.exe

The one that does not work: C:\Program Files\McAfee\Agent\masvc.exe

I did a posture check for a customer specifically using McAfee and we keyed on the mcshield.exe. We didn’t use the masvc.exe. I would double check that the file is in the Program Files folder as you specified and not the Program Files (x86) folder.

It appears this was a bug. Upgrading to Client Connector 2.2.1.38 fixed the issue. Thank you for your updates.