It is possible to search for unsigned files in the VMware Carbon Black Cloud console by using the search query:
NOT process_publisher_state:FILE_SIGNATURE_STATE_SIGNED
This query returns every process whose publisher state is anything other than FILE_SIGNATURE_STATE_SIGNED: the executable is unsigned, carries an invalid signature, or has a signature that could not be verified. The process_publisher_state field is a string that indicates the signature status of the process executable file. The possible values for this field are:
FILE_SIGNATURE_STATE_SIGNED: The file has a valid signature.
FILE_SIGNATURE_STATE_UNSIGNED: The file does not have a signature.
FILE_SIGNATURE_STATE_INVALID: The file has a signature, but it is invalid or corrupted.
FILE_SIGNATURE_STATE_MISSING: The file signature could not be retrieved or verified.
The NOT operator is a Boolean NOT operator that negates the following term or phrase. For example, NOT svchost.exe will return all the processes that are not named svchost.exe.
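To make the semantics concrete, here is an added example (not code from the original page or from VMware) that evaluates a single Carbon Black Cloud-style search term against constructed process records. It shows that the negated term matches all three non-signed states, not only FILE_SIGNATURE_STATE_UNSIGNED, and that a bare term such as NOT svchost.exe is negated the same way. The record layout, the sample process and host names, and the rule that a bare term is compared against every field value are assumptions made for the example.

```python
"""Added example: a minimal evaluator for one Carbon Black Cloud-style search
term (optionally negated with NOT) over constructed process records."""
import re
from collections import Counter

# The four publisher states listed on the page.
SIGNED = "FILE_SIGNATURE_STATE_SIGNED"
UNSIGNED = "FILE_SIGNATURE_STATE_UNSIGNED"
INVALID = "FILE_SIGNATURE_STATE_INVALID"
MISSING = "FILE_SIGNATURE_STATE_MISSING"

# Constructed sample records; process and device names are hypothetical,
# not real telemetry.
SAMPLE_PROCESSES = [
    {"process_name": "svchost.exe", "device_name": "WS-01", "process_publisher_state": SIGNED},
    {"process_name": "updater.exe", "device_name": "WS-01", "process_publisher_state": UNSIGNED},
    {"process_name": "helper.exe", "device_name": "WS-02", "process_publisher_state": INVALID},
    {"process_name": "tool.exe", "device_name": "WS-02", "process_publisher_state": MISSING},
    {"process_name": "explorer.exe", "device_name": "WS-03", "process_publisher_state": SIGNED},
]

# Grammar handled here: [NOT] field:value  or  [NOT] value
TERM_RE = re.compile(r"^(?:(?P<neg>NOT)\s+)?(?:(?P<field>[A-Za-z_]+):)?(?P<value>\S+)$")


def parse_term(query):
    """Return (negated, field_or_None, value) for one search term."""
    m = TERM_RE.match(query.strip())
    if not m:
        raise ValueError(f"unsupported query syntax: {query!r}")
    return m.group("neg") is not None, m.group("field"), m.group("value")


def matches(record, query):
    """True if the record satisfies the term; NOT simply inverts the match."""
    negated, field, value = parse_term(query)
    if field is None:
        # Assumption for this example: a bare term is compared against every
        # field value of the record (a simplification of free-text search).
        hit = value in record.values()
    else:
        hit = record.get(field) == value
    return not hit if negated else hit


def search(records, query):
    """Filter records with one term, preserving input order."""
    return [r for r in records if matches(r, query)]


def count_by_state(records):
    """Tally publisher states, e.g. to see what the unsigned hunt returned."""
    return dict(Counter(r["process_publisher_state"] for r in records))


if __name__ == "__main__":
    hits = search(SAMPLE_PROCESSES, "NOT process_publisher_state:FILE_SIGNATURE_STATE_SIGNED")
    for r in hits:
        print(r["device_name"], r["process_name"], r["process_publisher_state"])
    print(count_by_state(hits))
```

Running the block lists updater.exe, helper.exe and tool.exe, one for each non-signed state; on real data the FILE_SIGNATURE_STATE_INVALID and FILE_SIGNATURE_STATE_MISSING buckets deserve a separate look from plain unsigned binaries, since a present-but-invalid signature is a different finding than no signature at all.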
Therefore, by using the NOT operator with the process_publisher_state field and the value FILE_SIGNATURE_STATE_SIGNED, we can search for unsigned files in the console.
References:
Advanced Search Techniques - VMware Docs, Using Regular Expressions (regex) section, NOT Operator subsection.
Carbon Black Cloud: Search for process_publisher_s… - Carbon Black …, The CB sensor now reinspects operating system files that appear unsigned to reverify their digital signature and avoid the tamper blocks section.