There are pending changes forthcoming to significantly tighten security when executing digitally signed files in Protected mode. Anyhow...
Just a clarification, with default settings and in Protected mode, a signed malware (signature not found in the TPL) will be Guarded. And so, it will fail to totally infect the system. Am I correct?
For a file that meets or exceeds the digital signature requirements, at worst you will get a User Session infection; once the system is rebooted the malware cannot run and will remain inert on the system unless the user manually navigates to the file and re-executes it.
The installer might be digitally signed, but if every file in the run sequence - including temp files - is not signed, then the installation will be blocked.
Files that can meet the signature requirements are generally PUPs\PUAs and that sort of rubbish. The real criminal malc0ders don't get involved with certificates because of the paper trail it leaves behind - but they do manage to steal them from time-to-time. It's not unheard of, but at the same time it isn't common enough to be worrisome.
But, still with default settings and in Protected mode, with a signed malware whose signature is found in the TPL, and whose processes in the run sequence are also signed (TPL), the malware will be able to completely infect the system. Am I correct?
If malware is digitally signed with full, extended authenticode (every file in the install run sequence), the publisher is on the Trusted Publisher List, and the certificate passes verification - then yes - it will be able to install on the system, create autoruns and persist on the system. This type of malware represents a minuscule fraction of all malware and is quite rare. The certificates very often are quickly revoked.
You can manage the Trusted Publisher List. Some users just keep Microsoft and Blue Ridge Networks in their TPL. However you decide to manage the TPL, digitally signed malware of the truly dangerous kind is not statistically relevant. You also have the option of running AppGuard in Locked Down mode which disables the Trusted Publisher List and further restricts Microsoft signed files.
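The rule described in the replies above (the installer and every file it drops must carry a valid Authenticode signature from a publisher on the Trusted Publisher List, or the install is blocked) can be approximated with a small audit script. This is an added example, not AppGuard's own code or logic; the install directory path and the publisher thumbprints are placeholders you would replace with your own.

```powershell
# Added example, not AppGuard's code: emulate a Trusted Publisher List (TPL) check
# across every executable in an unpacked installer directory. A single file that is
# unsigned, tampered with, or signed by a publisher not on the TPL fails the whole run
# sequence, which is the behaviour the thread describes for Protected mode.
# Assumptions: $InstallDir and the thumbprints below are placeholders, not real values.
param(
    [string]$InstallDir = 'C:\Temp\installer-unpacked',        # placeholder path
    [string[]]$TrustedPublishers = @(
        'PLACEHOLDER-THUMBPRINT-MICROSOFT',                     # placeholder thumbprint
        'PLACEHOLDER-THUMBPRINT-BLUE-RIDGE-NETWORKS'            # placeholder thumbprint
    )
)

function Test-TrustedPublisherFile {
    param([string]$Path, [string[]]$Thumbprints)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Any status other than Valid (NotSigned, HashMismatch, UnknownError for a
    # chain that does not verify, etc.) fails the signature requirement outright.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Allowed = $false; Reason = "Signature status: $($sig.Status)" }
    }
    # Signed is not enough: the signer must also be on the TPL (matched by thumbprint,
    # which is more precise than matching on the publisher's display name).
    $tp = $sig.SignerCertificate.Thumbprint
    if ($Thumbprints -notcontains $tp) {
        return [pscustomobject]@{ Path = $Path; Allowed = $false; Reason = "Signer $tp is not on the TPL" }
    }
    return [pscustomobject]@{ Path = $Path; Allowed = $true; Reason = "Trusted publisher: $($sig.SignerCertificate.Subject)" }
}

# Check every file that could take part in the run sequence, including dropped temp files.
$results = Get-ChildItem -Path $InstallDir -Recurse -File -Include *.exe, *.dll, *.msi, *.ps1 |
    ForEach-Object { Test-TrustedPublisherFile -Path $_.FullName -Thumbprints $TrustedPublishers }

$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Allowed }) {
    Write-Warning 'At least one file in the run sequence fails the TPL check; the install would be blocked.'
} else {
    Write-Output 'Every file passes the TPL check; this is the rare fully-trusted case that could install and persist.'
}
```

Run it against a directory of unpacked installer contents; the per-file table shows which file (and which reason) would break the run sequence, which is also a quick way to see how short a TPL trimmed to one or two publishers makes the allowed set.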
* * * * *
I hate to be the one to burst your bubble, but if a malware - for example - that is digitally signed, co-signed by Microsoft with an Extended Validation certificate is executed on your system then it is going to sail right past Kaspersky and Hitman.Pro - and any other security soft of the antivirus\internet security type. Security softs don't monitor every single file on your system - in case you didn't know that - and they all whitelist files based upon digital certificates. That's why it's important to use much more restrictive protections such as software restriction policies.
You have a much higher probability of walking out your door and getting struck by lightning twice than getting smacked with a full Microsoft authenticode malware.