AMD/ATI does not always sign their device drivers

Discussion in 'other software & services' started by new2security, Apr 17, 2013.

Thread Status:
Not open for further replies.
  1. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Yesterday I was fooling around testing some graphic cards, flipping between an old Nvidia GS7300, ATI HD 6450 and at one point I went back to my old ATI graphic card (HD 6450) that I've been using. Downloaded the drivers via Windows Update. All Fine.

    Today I installed another Nvidia card (Geforce 210) and proceeded with removing the old ATI drivers before installing the new hardware. All Fine.

    A few minutes ago, I ran Kaspersky TDSS killer (I always run a set of scans after a new software/driver installation) and behold, it found unsigned drivers from ATI ->

    atikmpag.sys
    atikmdag.sys

    Both reside in my system32\drivers folder.

    Looking at the drivers' properties, they are from ATI but both lack signatures.

    1. I don't think those drivers were loaded into the Kernel since a) patchguard is active b) I automatically block unsigned drivers via Group Policy

    2. I am confused how this could happen though. Why did a) ATI not sign all their drivers? b) Why did Microsoft let these, officially approved by them alas without valid certs, slip through?

    3. I believe Microsoft digitally signs other vendors' drivers but shouldn't this be apparent in the *.sys properties?

    4. I've been using the ATI card since December 2012 and never had any of those warnings from Kaspersky. According to Windows Update history, the driver that I've been using back then was released April 2011. The driver that was downloaded yesterday was also released April 2011... :-O

    Weird or not?

    Edit - Found an older version of atikmdag.sys in System32\DriverStore\Filerepo... the file is from 2009 I think, also unsigned.
     
    Last edited: Apr 17, 2013
  2. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    224
    The digital signer is probably Microsoft Windows Hardware Compatibility.

    What does it show in the driver file details for those files in the device manager?
     
  3. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492

    I suspect that too... that ATI's whole package was signed but not the individual files.
    I don't remember what it said for those two files but yesterday when I briefly checked the signature/signing via the device manager, I saw that some files had unknown origin but those were mostly database files etc, not .sys files.

    Now I have Nvidia drivers so I can't check.

    Edit: I removed those orphan files from the system with Kaspersky TDSS but kept two copies elsewhere for future reference. During the operation Kaspersky demanded a system reboot, as if those modules were unhooked from the kernel, but I doubt that was the case. Unless Microsoft is ok with signing bundles but not individual files, so to speak.
     
    Last edited: Apr 17, 2013
  4. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    224
    I just booted up my pc that has an AMD GPU using the 13.1 drivers. The individual files in the driver folder aren't signed on mine either, but it does show those two files signed in the device manager by MS. I guess as long as they're linked to a signed security catalog then the individual files don't have to have a signature...
     
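    The catalog-signing arrangement described in the post above (individual .sys files carry no embedded signature but are covered by a signed security catalog) can be checked from PowerShell. This is an added example, not code from anyone in the thread; it assumes Windows 8 or later, where Get-AuthenticodeSignature consults the catalog database and reports SignatureType, and it uses the two file names from the thread. On Windows 7 the same cmdlet only sees embedded signatures, so catalog-signed files there show as NotSigned, which is one way a scanner or tool can report "unsigned" on one system and not another.

```powershell
# Added example: report embedded vs. catalog vs. no signature for kernel drivers.
# Assumes Windows 8+ (SignatureType property) and PowerShell 4+ (Get-FileHash).
function Get-DriverSignatureInfo {
    param(
        # File names taken from the thread; any .sys names can be passed instead.
        [string[]] $Names = @('atikmpag.sys', 'atikmdag.sys'),
        [string]   $Directory = (Join-Path $env:SystemRoot 'System32\drivers')
    )

    foreach ($name in $Names) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path -Path $path)) {
            [pscustomobject]@{ File = $name; Present = $false; Status = $null;
                               SignatureType = $null; Signer = $null; Sha256 = $null }
            continue
        }

        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

        [pscustomobject]@{
            File          = $name
            Present       = $true
            Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            SignatureType = $sig.SignatureType   # Embedded, Catalog, or None
            Signer        = $signer              # e.g. CN=Microsoft Windows Hardware Compatibility Publisher
            Sha256        = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        }
    }
}

# Print the per-file result; a Status of Valid with SignatureType Catalog is the
# situation the thread describes: file properties show no signature, yet the
# driver is trusted through a signed .cat in the driver store.
Get-DriverSignatureInfo | Format-Table -AutoSize

# Cross-check against the OS driver inventory, which records whether each
# installed driver package is signed; filter any row mentioning ATI or AMD.
driverquery /si /fo csv | ConvertFrom-Csv |
    Where-Object { ($_.PSObject.Properties.Value -join ' ') -match 'ATI|AMD' } |
    Format-Table -AutoSize
```

    Comparing the Sha256 column between two machines, as the thread's last post does by hand, separates "different file" from "same file, different verification result"; the latter points at the verifying system (OS version, missing or stale catalog, scanner limitation) rather than at the driver.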
  5. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Thanks for checking on your side. Yes, so we can conclude Microsoft signs per bundle, not individual files. Wonder if that could be a security issue... since obviously some unsigned device files will load in the kernel.
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    One thing I've learnt over the years, never install video drivers from Windows Update... stick to the manufacturer website.
     
  7. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492

    Please elaborate why..?
     
  8. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Out of date by months on end and generally cause more issues than they solve (probably because of their age).
     
  9. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Yeah, that's a negative aspect, I guess more important for gamers than regular users. I am thinking though, that downloading device drivers from Microsoft is less risky than downloading them from others.
     
  10. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Now this is weird. The TDSS killer does not flag the two ATI files as unsigned on another WP7 system.

    TDSS killer -> same version +sha as the one run on my system

    ATI drivers -> same versions + sha as those run on my system
     