Firecore adds the "Executable verification Rule" internally when the "Block all untrusted executables" feature is enabled. That feature blocks all executables that aren't signed or that have an unknown Global Threat Intelligence (GTI) reputation. The rule is triggered when an executable that performs network communication is started. It validates the certificate of the signer and gets the reputation of the executable.
NOTE: Make sure that the GTI server is reachable. For instructions, see KB53733 - Verify that GTI File Reputation is installed and endpoints can communicate with the GTI server. If the GTI server isn't reachable, the "Block all untrusted executables" feature doesn't block the application.
When this rule is triggered, you see matches similar to the following in the FirewallEventMonitor.log:
Time: xxx
Event: Traffic
IP Address: x.x.x.x
Description: xxx
Path: xxx
Message: xxx
Matched Rule: Executable verification Rule
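
To see which executables are hitting this rule, the entries can be grouped by Path. The following is an added example, not code from the product or this article; it assumes each record starts with a "Time:" line and uses the field names shown above, and every value in the sample is constructed.

```python
from collections import Counter

RULE = "Executable verification Rule"  # rule name as shown in the log excerpt

# Constructed sample in the field layout shown above; all values are made up.
SAMPLE_LOG = """\
Time: 2024-01-01 10:00:00
Event: Traffic
IP Address: 192.0.2.10
Description: constructed entry A
Path: C:\\Tools\\updater.exe
Message: constructed message
Matched Rule: Executable verification Rule
Time: 2024-01-01 10:00:05
Event: Traffic
IP Address: 192.0.2.11
Description: constructed entry B
Path: C:\\Program Files\\App\\app.exe
Message: constructed message
Matched Rule: Allow outbound (constructed rule name)
Time: 2024-01-01 10:01:00
Event: Traffic
IP Address: 198.51.100.7
Description: constructed entry C
Path: C:\\Tools\\updater.exe
Message: constructed message
Matched Rule: Executable verification Rule
"""


def parse_records(text):
    """Split the log into dicts. Assumption: every record starts with 'Time:'."""
    records, current = [], None
    for line in text.splitlines():
        # Split at the first colon only, so timestamps and C:\ paths stay intact.
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank line or a line that is not "Key: value"
        key, value = key.strip(), value.strip()
        if key == "Time":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def verification_hits(text):
    """Count 'Executable verification Rule' matches per executable path."""
    return Counter(r.get("Path", "<no path>") for r in parse_records(text)
                   if r.get("Matched Rule") == RULE)
```

Calling verification_hits() on the contents of FirewallEventMonitor.log returns a per-path count that can be compared against the executables expected to be signed and known to GTI.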