Security Softwares and Certificates

Discussion in 'other anti-malware software' started by moredhelfinland, Jun 11, 2021.

  1. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    85
    Location:
    Finland
    Hello,
    Some security software (I think) auto-allows when a program is digitally signed by a trusted vendor and it is on their trusted certificate list. Someone might call this some kind of a whitelist.

    However, there is some malware that is signed (with stolen certificates) by a trusted certificate vendor; for example, some malware is signed by Comodo CA.

    So, if I'm using Comodo product(s) and I run a malware .exe which is signed by a Comodo CA certificate, can it run and do its malicious activities?

    Is there a way to check certificate authentication, parent signer, digital fingerprint etc. that it's really legit and not stolen?
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,322
    Location:
    U.S.A.
    The mechanism to do this is that the issuing certificate CA revokes the certificate. Until that is done, the certificate is still considered valid.

    Also, everyone's worst certificate nightmare is when a kernel mode driver certificate is stolen.
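    As an added illustration of the checks asked about above (this is not code from the thread): the script below reads an executable's Authenticode signature, prints the signer's subject, issuer and thumbprint, walks the chain to the root, and forces an online CRL/OCSP revocation check. The `$Path` default is an assumption; replace it with the file you want to inspect.

```powershell
# Added example, not from the thread. Inspects an Authenticode-signed file:
# signer, issuer, thumbprint, full chain, and an online revocation check.
param([string]$Path = "C:\Windows\System32\notepad.exe")  # assumed sample path

$sig = Get-AuthenticodeSignature -FilePath $Path
"Status     : $($sig.Status)  ($($sig.StatusMessage))"
if (-not $sig.SignerCertificate) { return }   # NotSigned / unreadable: nothing to chain

$signer = $sig.SignerCertificate
"Signer     : $($signer.Subject)"
"Issuer     : $($signer.Issuer)"
"Thumbprint : $($signer.Thumbprint)"          # SHA-1 fingerprint of the leaf cert
"Validity   : $($signer.NotBefore) -> $($signer.NotAfter)"

# Build the chain ourselves so we can insist on an online revocation check for
# every certificate in the chain and require the code-signing EKU.
$ns    = "System.Security.Cryptography.X509Certificates"
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$codeSigningEku = New-Object System.Security.Cryptography.Oid "1.3.6.1.5.5.7.3.3"
$chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku) | Out-Null

$chainOk = $chain.Build($signer)
"Chain OK   : $chainOk"
foreach ($el in $chain.ChainElements) {
    "  - $($el.Certificate.Subject)  [$($el.Certificate.Thumbprint)]"
}
foreach ($st in $chain.ChainStatus) {
    # e.g. Revoked, RevocationStatusUnknown, OfflineRevocation, NotTimeValid
    "  ! $($st.Status): $($st.StatusInformation.Trim())"
}

# Caveat (the point made in the reply above): a certificate that was stolen but
# not yet revoked by its CA passes every one of these checks. Comparing
# $signer.Thumbprint against a thumbprint the vendor published out of band is
# the only signature-level check that distinguishes the real signer's key.
```

    If `RevocationStatusUnknown` or `OfflineRevocation` appears, the CRL/OCSP endpoint could not be reached and the "Chain OK" verdict says nothing about revocation.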
     
  3. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,776
    Location:
    Nebraska, USA
    Kinda, sorta, but not really.

    That is, just because a certificate "appears" to be valid, that does not mean your security software is automatically going to let it through (auto-allow). The file/code is still going to be inspected and evaluated for malicious and suspicious code, and the program's "behavior" is still going to be analyzed for malicious or suspicious activity.

    I am just saying there are several hurdles a bit of malicious code has to jump over first before it can wreak havoc - assuming we keep our OS and security software current.
     
  4. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    85
    Location:
    Finland
    So, signed malware can run, because of "sort of" but "not really"?
    Is there any way to prevent this behavior? Certificate whitelisting does not work?
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,269
    Location:
    Slovenia
    It depends on the software. Some have this option, others not. But as said before, malware might be able to start if signed, but it could still be monitored and stopped later if the AV finds suspicious activity.
     
  6. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,776
    Location:
    Nebraska, USA
    Huh? Nobody said it can run. In fact, I said just the opposite.

    I said it likely will be blocked (even with a fake cert) because of other indicators (malicious or suspicious code or behavior) that most likely will be detected by your security solution.

    I'll say it again,
     
  7. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,246
    Location:
    USA
    A valid certificate is not an automatic pass. We sign our software with a valid certificate and it is still about a week after we release a new version that customers stop having problems with AV software deleting the file after downloading.
     
  8. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,776
    Location:
    Nebraska, USA
    Exactly!
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,269
    Location:
    Slovenia
    We had similar problems with our software, so we decided to contact the vendors which frequently caused problems. Now those problems don't happen often any more.
     
  10. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,246
    Location:
    USA
    It seems a lot of the vendors have ended the programs where they do that. We had attempted to reach out to Norton as one of the biggest offenders and they had shut their program down leaving us with no way to submit samples to them.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,004
    Location:
    The Netherlands
    Yes, it depends on the software, because for example SpyShelter will auto-allow signed software to perform certain operations if it's configured in a certain way. So it's always a risk if the software is compromised, like what happened with CCleaner, or if malware manages to hijack legit certificates.
     