Advice Request Glasswire's SHA-256 hash doesn't match the one listed on their website


artek

Level 5
Thread author
Verified
May 23, 2014
236
Can anyone else test this? I went to download glasswire from the official glasswire site and the install file isn't digitally signed and the SHA-256 hash doesn't match the one listed on their website. In addition to this, Edge warns about the file being not commonly downloaded. I seem to remember glasswire always being digitally signed so this is pretty weird. The install file from virustotal:

SHA-256: a693c2c6d577eaf5e4d36b0195e449b2840710aa0c14fce282fa1f459b3d9e6d




a090

Level 2
Mar 26, 2023
67
I guess the question now is if the developers modified the installer and forgot to update the hash or is this a supply chain attack?

Might want to email their devs and give ‘em a wake-up call. Their software should be signed. Strike 1. Their installer hash should match up with the site. Strike 2. And Strike 3 might be malware in that unverified installer. I wouldn’t risk it.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
845
From website downloaded version just this minute: Version 3.3.499, 71.6MB

Name: GlassWireSetup.exe
Size: 75102008 bytes (71 MiB)
SHA256: 97408cde74d2889cfc260ee854cdbd4a523f3367f589a28acfacb93d3a66704d

7ZIP SHA-256 check. Does that work?
 

artek

Level 5
Thread author
Verified
May 23, 2014
236
> Might want to email their devs and give ‘em a wake-up call. Their software should be signed. Strike 1. Their installer hash should match up with the site. Strike 2. And Strike 3 might be malware in that unverified installer. I wouldn’t risk it.

I made a post on their support forums. I didn't see a contact email when I initially looked.

> From website downloaded version just this minute: Version 3.3.499, 71.6MB
>
> Name: GlassWireSetup.exe
> Size: 75102008 bytes (71 MiB)
> SHA256: 97408cde74d2889cfc260ee854cdbd4a523f3367f589a28acfacb93d3a66704d
>
> 7ZIP SHA-256 check. Does that work?

That's different from the one I got and also different from the SHA-256 hash listed on their site. That's very strange.
 

TairikuOkami

Level 36
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,540
File is not signed
That is the red flag right there. While the files inside are properly signed, the installer could include anything. They have most likely uploaded the unsigned exe instead of the correct one?

The external link on Softpedia contains the proper version, digitally signed, the hash matches.
P.S.: So much for trusting the downloads from devs' homepage. :sneaky:

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
Where can I see that the file is not signed right (Other than VT)? VS said the signing is ok and I thought I understood the text in the "digital signature tab" right. Or am I just looking at the wrong tab? bea171aff7e78609171a701f0a54ad1b76128e530f8098333b42b69ec5699a14 download 06.04.2023
VT says unsigned, VS says signing ok. I'm confused now :D


Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
> You need a dedicated hash app, but apps like 7-zip or winrar include CRC check.

Thanks for the answer. So what windows shows you under properties: "digital signature" is pretty much useless and you would have to use a dedicated hash app to recheck if the file is signed right?
edited
 

artek

Level 5
Thread author
Verified
May 23, 2014
236
> Where can I see that the file is not signed right (Other than VT)? VS said the signing is ok and I thought I understood the text in the "digital signature tab" right. Or am I just looking at the wrong tab? bea171aff7e78609171a701f0a54ad1b76128e530f8098333b42b69ec5699a14 download 06.04.2023
> VT says unsigned, VS says signing ok. I'm confused now :D
>
> Thanks for the answer. So what windows shows you under properties: "digital signature" is pretty much useless and you would have to use a dedicated hash app to recheck if the file is signed right?
> edited

Mine doesn't show the digital signature tab.



And edge still alerts me on download.

 

TairikuOkami

Level 36
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,540
> So what windows shows you under properties: "digital signature" is pretty much useless and you would have to use a dedicated hash app to recheck if the file is signed right?

No. What OP is referring to is a hash signature, every file has it. If the hash is the same, it proves that the file was not altered, but not really who made it.
A digital signature verifies whether the file was signed with the proper certificate authority, like TLS on webpages, and as such proves that the file is genuine even without a file hash.
The file from the glasswire does not have a digital signature at all compared to the one on softpedia and it will not run on my system, it is unsigned, like Smart App Control checks.
 


artek

Level 5
Thread author
Verified
May 23, 2014
236
The
> No. What OP is referring to is a hash signature, every file has it. If the hash is the same, it proves that the file was not altered, but not really who made it.
> A digital signature verifies whether the file was signed with the proper certificate authority, like TLS on webpages, and as such proves that the file is genuine even without a file hash.
> The file from the glasswire does not have a digital signature at all compared to the one on softpedia and it will not run on my system, it is unsigned, like Smart App Control checks.

Are other people getting a version without a digital signature as well? After the 3CX supply chain attack, I enabled the registry fix for the "WinVerifyTrust Signature Validation Vulnerability." This might explain why I'm not seeing a digital signature on the executable. But again, I don't understand posting a file hash on the download page when none of our downloads match the hash listed by them.



-edit-

I just tested the file on softpedia and it shows a digital signature for me in windows. It also shows the correct file hash of 916cd2f3ed8b599f7ace7639dc6763b272fdb21805f33da5b72b446899aa1c22. So, the registry tweak does not seem to be the culprit here.

It's just the download hosted on the main glasswire website that is modified.
 

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
I just downloaded the gw setup from their homepage two mins ago. I get the same file I got two days ago.
I get SHA-256: bea171aff7e78609171a701f0a54ad1b76128e530f8098333b42b69ec5699a14 when I check it on VT.
And for that file I thought if they say "The digital signature is ok" (arrow on the right side) that it would mean that the file was signed? // While VT says it's unsigned.
Sorry for not explaining what I meant in a more clear way.

Btw I wrote support about the hash/signature problem. But since it's weekend I wouldn't expect an answer soon.
@TairikuOkami
Thanks for the links. What I meant was the digital signature of the SHA-256: bea171aff7e78609171a701f0a54ad1b76128e530f8098333b42b69ec5699a14. To the best of my knowledge I think it's valid despite what VT says.

artek

Level 5
Thread author
Verified
May 23, 2014
236
> I just downloaded the gw setup from their homepage two mins ago. I get the same file I got two days ago.
> I get SHA-256: bea171aff7e78609171a701f0a54ad1b76128e530f8098333b42b69ec5699a14 when I check it on VT.
> And for that file I thought if they say "The digital signature is ok" (arrow on the right side) that it would mean that the file was signed? // While VT says it's unsigned.
> Sorry for not explaining what I meant in a more clear way.
>
> Btw I wrote support about the hash/signature problem. But since it's weekend I wouldn't expect an answer soon.
> @TairikuOkami
> Thanks for the links. What I meant was the digital signature of the SHA-256: bea171aff7e78609171a701f0a54ad1b76128e530f8098333b42b69ec5699a14. To the best of my knowledge I think it's valid despite what VT says.

I wonder why you're getting a signed file but me and @TairikuOkami are not.
 

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
No clue sorry. One thing it could be I got bea171aff7e78609171a701f0a54ad1b76128e530f8098333b42b69ec5699a14 as a download result while the op got a693c2c6d577eaf5e4d36b0195e449b2840710aa0c14fce282fa1f459b3d9e6d (at least that's the way I understood it). Bonus fun fact: When I did the following changes to the windows signature check the files that were labeled before as signed are now labeled as not signed anymore :D

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

With that being said I will wait for the support answer. It gets too confusing for me now :D
 

artek

Level 5
Thread author
Verified
May 23, 2014
236
> No clue sorry. One thing it could be I got bea171aff7e78609171a701f0a54ad1b76128e530f8098333b42b69ec5699a14 as a download result while the op got a693c2c6d577eaf5e4d36b0195e449b2840710aa0c14fce282fa1f459b3d9e6d (at least that's the way I understood it). Bonus fun fact: When I did the following changes to the windows signature check the files that were labeled before as signed are now labeled as not signed anymore :D
>
> Windows Registry Editor Version 5.00
> [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
> "EnableCertPaddingCheck"="1"
>
> [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
> "EnableCertPaddingCheck"="1"
>
> With that being said I will wait for the support answer. It gets too confusing for me now :D

That's what I thought in the beginning, that it might be that registry tweak, but I was unsure when another user reported it as also being unsigned.
 

artek

Level 5
Thread author
Verified
May 23, 2014
236
Another glasswire user just reported the file that he downloaded was not signed. What are the chances that all three of us have that registry tweak?
 

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
> What are the chances that all three of us have that registry tweak?

I can't answer that part. I can only tell you that I have some files (e.g game installer) that were counted as signed and after I applied the "registry fix" the "digital signatures" tab was gone. So before the "tweak" windows treated them as signed and afterwards they were not signed anymore for windows.

Quotes from it:
However, as we worked with customers to adapt to this change, we determined that the impact to existing software could be high. Therefore, Microsoft no longer plans to enforce the stricter verification behavior as a default requirement. The underlying functionality for stricter verification remains in place, however, and can be enabled at customer discretion.

Is there any possibility of a signature being recognized as non-compliant with the stricter verification process if I sign using non-Microsoft-provided signing tools?
Yes. For customers opting to enable the stricter verification behavior, signing binaries with non-Microsoft-provided signing tools runs the risk of signatures being recognized as non-compliant with the stricter verification behavior. Using Microsoft products, or signature tools Microsoft provides, such as signtool.exe, helps to ensure that signatures are recognized as compliant.

Tldr: My guess is the check is quite strict and some publishers never followed the recommendations to pass those strict checks.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
Depending on whether you download the file from here: Free Firewall Software by GlassWire
Or from here: GlassWire Software Version Changes List

You will either get one that matches the hash or one that does not match.

The only significant difference between both files is tracking information in the installer that shows up as not signed on VT:


Putting the tracking info into installers is common practice. Doing so in the certificate structure does not break the signer information for most systems. The only systems where that is broken are those where you enabled strict signature enforcement in the registry, which some of you have done.

More info about that is here: Caveats for Authenticode Code Signing - IEInternals - Site Home - MSDN Blogs

Now it seems to me that all this is on purpose. GlassWire cannot provide correct hashes AND at the same time store tracking information. So they decided to put different installers on their pages in the hopes that the ones checking the hash will use the download button on the hash page.

For all I know both files are clean, but I would still use the one from this site: GlassWire Software Version Changes List
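
The effect described in the post above can be checked on a file directly. The following Python sketch is an added example, not part of the thread and not GlassWire's or Microsoft's code: it looks for non-zero bytes stored after the PKCS#7 blob in a PE file's certificate table, and shows that such bytes change the file's SHA-256 while leaving the signed content untouched. `build_sample` produces a constructed toy PE with a placeholder certificate blob, and `signed_content_digest` is a simplified stand-in for the real Authenticode hash (it assumes the certificate table sits at the end of the file).

```python
import hashlib
import struct

def pe_layout(data):
    """Return (checksum_off, secdir_off, cert_off, cert_size) of a PE image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe + 24                                         # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    secdir = opt + {0x10B: 96, 0x20B: 112}[magic] + 4 * 8  # directory entry 4
    cert_off, cert_size = struct.unpack_from("<II", data, secdir)
    return opt + 64, secdir, cert_off, cert_size

def der_total_len(buf):
    """Size of the outer DER element: tag, length octets and content."""
    if buf[1] < 0x80:
        return 2 + buf[1]
    n = buf[1] & 0x7F
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def extra_cert_bytes(data):
    """Non-zero bytes stored after the PKCS#7 blob inside WIN_CERTIFICATE."""
    _, _, off, size = pe_layout(data)
    if size == 0:
        return b""                                        # unsigned file
    dw_len = struct.unpack_from("<I", data, off)[0]
    blob = data[off + 8:off + dw_len]                     # skip 8-byte header
    return blob[der_total_len(blob):].rstrip(b"\0")

def signed_content_digest(data):
    """Simplified Authenticode-style hash: skips checksum, dir entry, cert table."""
    chk, secdir, off, size = pe_layout(data)
    end = off if size else len(data)
    covered = data[:chk] + data[chk + 4:secdir] + data[secdir + 8:end]
    return hashlib.sha256(covered).hexdigest()

def build_sample(tracking=b""):
    """Constructed toy PE32 with a placeholder (not real) certificate blob."""
    body = b"\x30\x03\x02\x01\x01" + tracking             # tiny DER SEQUENCE
    body += b"\0" * (-(8 + len(body)) % 8)                # pad to 8 bytes
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x80 + 24, 0x10B)
    struct.pack_into("<II", hdr, 0x80 + 24 + 96 + 32, len(hdr), len(cert))
    return bytes(hdr) + cert
```

Calling `extra_cert_bytes` on the bytes of a downloaded installer returns an empty result when nothing follows the signature blob; a non-empty result is the kind of appended data that the stricter `EnableCertPaddingCheck` verification rejects.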
 
