NIS installer and digital signature

Discussion in 'other anti-virus software' started by xxJackxx, Jun 20, 2014.

Thread Status:
Not open for further replies.
  1. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    It's the strangest thing I have ever seen... Windows 8.1 x64... Any Norton installer I access with this machine is lacking the digital signature. The checksum matches what it should be. I put the installer on a flash drive and plugged into a Windows 7 machine it is fine. Plugged into the Windows 8.1 machine it is missing. It also refuses to run. I have tried this with an older installer I had already on the drive, same results. Every other file I have on the drive that is signed works ok. Scans with KIS and MBAM do not find anything. Has anyone else seen this before?


    ---Nevermind, it's working now for whatever reason. This can be locked or deleted as far as I am concerned.

    --I take it back, still doing it. Very strange.
     
    Last edited: Jun 20, 2014
  2. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    KIS installed and running on the affected win8 machine? If yes, does disabling it help?
     
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    Nope, I even uninstalled KIS and it made no difference. And MBAM was not on when this started. It seems only NIS installation files are affected. The Norton Removal tool shows a valid signature, as does everything else.
     
  4. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    Can you post a screenshot of the digital signature details? Have you checked the date and time on the system (stupid but it happens)? Downloaded all windows updates pertaining to local digital signature revocation list? Any other errors browsing SSL/port 443 sites?
     
  5. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    No point in a screenshot from my machine, there is no Digital Signature tab on the properties of the file. I have discovered the same thing is happening on my desktop machine as well. Both system are up to date with correct time/date settings. No other issues I can find whatsoever beyond this. I can't get a screenshot from the digital signature on the Windows 7 machine before Monday. I have access to a virtual machine with Windows 8.1 at work and it was fine in that VM. There is something common to my desktop and laptop that is causing this to happen only with Norton files that I have found so far. Is their certificate validated by a source uncommon to the other signed stuff I have? If so do you know of any other files signed by the same validation source that I could also check?
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    I just downloaded the NIS trial, Digital Signature tab on properties is present, and the signature is OK. Certificate serial number: ‎66 66 05 52 d4 65 b3 1f 42 9f 75 27 ea 6a 93 bf, Signed by Symantec Corporation, countersigned by Symantec Time Stamping Services Signer - G4.
    File name and hash:
    NIS-TW-21.1.0-EN-US.exe
    SHA-512: 45E99A6680574755CB416F2060D1B5130A31EDC2A0899CD031A13982C09C596F7EA2DCAD7BF73901ADCC424A4AAD6935B962C9D0F5768C9C35864DF6F1CEA949
     
  7. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    I've checked multiple version of the NIS installer, the NIS downloader, even Norton 360 installers and the only Norton file that has a digital signature tab is the Norton Removal Tool. All other files from all other vendors seem fine. If it were anyone else's machine I would assume it was some kind of malware that was trying to prevent me from installed any security suites, but I believe my machines to be clean, and it is only Norton products.
    I downloaded the above mentioned file NIS-TW-21.1.0-EN-US.exe
    Sha-512 45E99A6680574755CB416F2060D1B5130A31EDC2A0899CD031A13982C09C596F7EA2DCAD7BF73901ADCC424A4AAD6935B962C9D0F5768C9C35864DF6F1CEA949
    so it is a match but no digital signature.
    For reference:
    NIS-ESD-21.3.0.12-EN.exe
    SHA-512 DF8E6C64DE3A4B8F0DF2AC883AB11E8DBC242D34DEA44EA5F72FF1B6E10799BC447422DA2E509611BF53CB040D5CE235BD5C472E20EE42C55A0A8F3A1B43BE89
    and
    N360_21.1.0.18_SYMTB_TMD_MRFTT_821_10132.exe
    SHA-512 2750BEA18292434D3E60EC17B5507D4D3EAD9518718FE22AAC99293AFC4F4DADDB601D49DB25837B1ACB7297AAEAD7B725F742F8DEC3E5D14F49F99E65B2E968
    These show no digital signature tab on my machine but they do on my Windows 7 machine at work (same files). I don't have access to it until Monday for any more info.
     
  8. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    Try verifying the information about the dig. sig. on the affected machine by using sighcheck: http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx

    Are there any Event logs created related to the error when executing the affected files?

    Adobe flash player (in my case for IE, without mcafee) doesn't have Symantec as the signer but has the same countersigner:

    install_flashplayer14x32ax_mssd_aaa_aih.exe

    SHA-512:
    2F6C466445273DCC2A57AD07D51AAD84678E9B699B8F7AFE725E3956A084EEBA3373FF670F27BEDAF789B4D01399F44974EA583310AF0EAD89D7DEBB1213FAA7

    Additionally, run chkdsk on the affected system, it's possible the drive is "dirty".
     
  9. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    Ok, using the NIS-ESD-21.3.0.12-EN.exe file, sigcheck says it is unsigned.
    No logs that I have been able to find.
    I downloaded install_flashplayer14x32ax_mssd_aaa_aih.exe. The checksum is that same as you got, and the digital signature shows.
    On the laptop I have already run chkdsk and sfc, no changes.
     
  10. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    The file has stuff appended to the signature (i.e. a post-signing modification). Did you enable the enhanced check associated with MS13-098 on your machine? If so, it's correct that the file isn't verified as signed - and it will be the same on other machines as well once the MS fix gets actually activated.
     
  11. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    I've haven't had time to verify but I think you just figured it out. I'll report back after I have had more time to look into it. Thanks.

    ---Yep, that was exactly it. I had forgotten I had even set that. I guess that leaves me to assume that Norton is doing something with these files they probably shouldn't be doing. Is there a good reason for it?
     
    Last edited: Jun 23, 2014
Loading...
Similar Threads
  1. waters
    Replies:
    4
    Views:
    682
Thread Status:
Not open for further replies.