Question MS system files report as unsigned

simmerskool

Level 35
Thread author
Verified
Top Poster
Well-known
Apr 16, 2017
2,445
I saw that Windows Firewall Control blocked outgoing file \system32\MoUsoCoreWorker.exe hash= 1641BC777962A0522E6C75641DBD2A0E72D84DCC3FC734B609ED51D5D027E1F7
VT reports it clean, published by MS but not signed. MS Update Session Orchestrator. I vaguely understood that older MS files were signed a different way, but this is supposedly a relatively recent MS file, so I would expect analysis to see it as digitally signed with a valid signature. I did an internet search but did not find anything helpful to explain this. Does anyone have an explanation for this, and perhaps a link to a source for more info?
Thanks.
 

Bot

AI-powered Bot
Apr 21, 2016
4,192
It's possible that the file might have been incorrectly flagged as unsigned due to a glitch or a bug in the system. You can try to verify the digital signature manually by right-clicking the file, selecting 'Properties', and then navigating to the 'Digital Signatures' tab. If the issue persists, consider updating your system or reinstalling the file. Here's a link to a Microsoft support thread discussing similar issues: Redirecting
 

simmerskool

> It's possible that the file might have been incorrectly flagged as unsigned due to a glitch or a bug in the system. You can try to verify the digital signature manually by right-clicking the file, selecting 'Properties', and then navigating to the 'Digital Signatures' tab. If the issue persists, consider updating your system or reinstalling the file. Here's a link to a Microsoft support thread discussing similar issues: Redirecting

Thanks, but yes, I did look at "Properties", and it lists the publisher as MS but not with a digital signature. I will look at the "redirecting" link you sent.
 

Bot

> Thanks, but yes, I did look at "Properties", and it lists the publisher as MS but not with a digital signature. I will look at the "redirecting" link you sent.

You're welcome! If the issue persists after checking the link, it might be worth reaching out to Microsoft Support directly. They should be able to provide more specific assistance.
 

simmerskool

> You're welcome! If the issue persists after checking the link, it might be worth reaching out to Microsoft Support directly. They should be able to provide more specific assistance.

The link you redirected me to is an MS link about SFC scans. This system has no integrity violations.
 

Bot

> The link you redirected me to is an MS link about SFC scans. This system has no integrity violations.

My apologies for the confusion. In this case, reaching out to Microsoft Support directly might be the best course of action. They can provide more specific guidance on your issue.
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,611
Well, 11 has 2 versions of this file, not in System32 though. One is bigger, maybe because of the included certificate, the smaller one is not signed, probably for compatibility purposes?

capture_09122024_224836.jpg
 

lokamoka820

Level 18
Mar 1, 2024
901
> Yes, I would just like to understand what is going on with this. Maybe @Trident knows??

I guess you are using WFC in "Learning Mode". This mode will block connections generated by programs that are not digitally signed or whose signature is not valid; that is why it blocked MoUsoCoreWorker.exe. But why it is not signed is a Microsoft-related question, which I don't have an answer to.
 

simmerskool

> I guess you are using WFC in "Learning Mode". This mode will block connections generated by programs that are not digitally signed or whose signature is not valid; that is why it blocked MoUsoCoreWorker.exe. But why it is not signed is a Microsoft-related question, which I don't have an answer to.

WFC was in Medium filtering (recommended). Running win10_VM. WFC blocked it (unsigned?) and then I allowed it, but then after the fact wanted to see what it was... originally I thought it was mouse... not mouso :ROFLMAO:
 

lokamoka820

> WFC was in Medium filtering (recommended). Running win10_VM. WFC blocked it (unsigned?) and then I allowed it, but then after the fact wanted to see what it was... originally I thought it was mouse... not mouso :ROFLMAO:

I think what WFC is missing is rules to allow all Windows system services to connect to the internet, whether they are signed or not. It will be perfect then.
 

simmerskool

> I think what WFC is missing is rules to allow all Windows system services to connect to the internet, whether they are signed or not. It will be perfect then.

I think WFC includes / included all the default rules. I don't mind that WFC blocked mousocoreworker.exe if / since it is an unsigned MS file. WFC blocked it with a popup asking whether to allow > block > or block this time.
 

TairikuOkami

You can always restrict the process by IP ranges via port 443, it should connect to MS domains only.
Code:
4.224.0.0-4.239.255.255,13.64.0.0-13.107.255.255,20.33.0.0-20.128.255.255,40.74.0.0-40.125.127.255,40.126.128.0-40.127.255.255,51.10.0.0-51.13.255.255,51.103.0.0-51.105.255.255,51.124.0.0-51.124.255.255,52.96.0.0-52.115.255.255,52.145.0.0-52.191.255.255
 

Attachment: capture_09132024_080353.jpg
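
Added example (not TairikuOkami's own rule): one way to turn the ranges posted above into an outbound allow rule with the built-in New-NetFirewallRule cmdlet, validating each range first. It assumes outbound traffic without a matching allow rule is blocked, since otherwise an allow rule restricts nothing; the rule name and the two helper functions are made up for this example.

```powershell
# Ranges copied verbatim from the post above.
$posted = '4.224.0.0-4.239.255.255,13.64.0.0-13.107.255.255,20.33.0.0-20.128.255.255,40.74.0.0-40.125.127.255,40.126.128.0-40.127.255.255,51.10.0.0-51.13.255.255,51.103.0.0-51.105.255.255,51.124.0.0-51.124.255.255,52.96.0.0-52.115.255.255,52.145.0.0-52.191.255.255'

# Hypothetical helper: IPv4 string -> UInt32 so two addresses can be compared.
function ConvertTo-IPv4Number ([string]$Ip) {
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not IPv4: $Ip"
    }
    $bytes = $addr.GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

# Hypothetical helper: true when "start-end" is two IPv4 addresses with start <= end.
function Test-IPv4Range ([string]$Range) {
    $parts = $Range.Split('-')
    if ($parts.Count -ne 2) { return $false }
    try   { (ConvertTo-IPv4Number $parts[0]) -le (ConvertTo-IPv4Number $parts[1]) }
    catch { $false }
}

# Refuse to build a rule from a list with a typo in it.
$ranges = @($posted.Split(',') | ForEach-Object { $_.Trim() })
$bad    = @($ranges | Where-Object { -not (Test-IPv4Range $_) })
if ($bad.Count -gt 0) { throw "Malformed range(s): $($bad -join ', ')" }

# Creating the rule needs an elevated prompt; -WhatIf only previews it.
New-NetFirewallRule -DisplayName 'MoUsoCoreWorker HTTPS to posted ranges (example)' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 443 `
    -Program "$env:SystemRoot\System32\MoUsoCoreWorker.exe" `
    -RemoteAddress $ranges -WhatIf
```

The range list is a snapshot from the post; a rule built from it needs revisiting whenever update traffic starts being blocked.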

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,911
> I saw that Windows Firewall Control blocked outgoing file \system32\MoUsoCoreWorker.exe hash= 1641BC777962A0522E6C75641DBD2A0E72D84DCC3FC734B609ED51D5D027E1F7
> VT reports it clean, published by MS but not signed. MS Update Session Orchestrator. I vaguely understood that older MS files were signed a different way, but this is supposedly a relatively recent MS file, so I would expect analysis to see it as digitally signed with a valid signature. I did an internet search but did not find anything helpful to explain this. Does anyone have an explanation for this, and perhaps a link to a source for more info?
> Thanks.

@simmerskool, did you check for the digital signature of "MoUsoCoreWorker.exe" via Windows Explorer? Take a look at the screenshots below:

The file "MoUsoCoreWorker.exe" here seems digitally signed by MS => VirusTotal

#1.png #2.png
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,373
@simmerskool,

On older Windows builds that file is signed by Microsoft in the catalog (many system files are signed in this way). You can use the Microsoft signtool to verify the signature.

Here is the screenshot from Windows 10 22H2.

1726221191689.png


When the file is signed in the catalog, the certificate is not embedded in the executable, so it is not recognized as signed by Explorer or VirusTotal.
On Windows 11 23H2 the file is in another location (c:\Windows\UUS\amd64\) and has an embedded certificate. It can be checked in Explorer (file Properties).

1726221821253.png
 
Last edited:
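
Added example (not part of Andy Ful's post): PowerShell's built-in Get-AuthenticodeSignature reports whether a file's signature is embedded or comes from a catalog, so the distinction described above can be checked without installing signtool. The two paths are the locations named in this thread, with the file name under UUS\amd64 assumed to be the same; Get-SignatureKind is a hypothetical helper name.

```powershell
# Added example: classify a file's signature as embedded, catalog, or none.
# Get-SignatureKind is a hypothetical helper name, not a built-in cmdlet.
function Get-SignatureKind {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                Write-Warning "Not found: $p"
                continue
            }
            $sig = Get-AuthenticodeSignature -LiteralPath $p
            # SignatureType: Authenticode = signature embedded in the file,
            # Catalog = file hash listed in a signed .cat file, None = unsigned.
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Path          = $p
                Status        = $sig.Status
                SignatureType = $sig.SignatureType
                IsOSBinary    = $sig.IsOSBinary
                Signer        = $signer
                SHA256        = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            }
        }
    }
}

# Paths taken from the thread; a path missing on this build only produces a warning.
@(
    "$env:SystemRoot\System32\MoUsoCoreWorker.exe",
    "$env:SystemRoot\UUS\amd64\MoUsoCoreWorker.exe"
) | Get-SignatureKind | Format-List
```

A catalog-signed file is expected to show SignatureType Catalog with Status Valid even though Explorer shows no Digital Signatures tab, and the SHA256 value can be compared with the hash a firewall prompt or VirusTotal reported.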

simmerskool

> @simmerskool, did you check for the digital signature of "MoUsoCoreWorker.exe" via Windows Explorer? Take a look at the screenshots below:
>
> The file "MoUsoCoreWorker.exe" here seems digitally signed by MS => VirusTotal

@silversurfer thanks for sending this... BUT when I open Explorer | Properties for mousocoreworker there is no tab "digital signature" for this file!
VT says it is NOT signed; however, sigcheck (sysinternals) does not list it as unsigned, ergo signed. Also, sfc /scannow of this VM does not find any integrity violations. I feel like Robby the Robot "shoot the commander" (or to be or not to be)... I again uploaded the file to VT, which reports that it is NOT signed. So if anything, NOW should I be MORE concerned... :unsure:
 

Attachments: vt_snip1.PNG, vt_snip2.PNG

simmerskool

> @simmerskool,
>
> On older Windows builds that file is signed by Microsoft in the catalog (many system files are signed in this way). You can use the Microsoft signtool to verify the signature.
>
> Here is the screenshot from Windows 10 22H2.
>
> When the file is signed in the catalog, the certificate is not embedded in the executable, so it is not recognized as signed by Explorer or VirusTotal.
> On Windows 11 23H2 the file is in another location (c:\Windows\UUS\amd64\) and has an embedded certificate. It can be checked in Explorer (file Properties).

Thanks, so far I have run sigverif and sigcheck (sysinternals) on win10_vm. Properties for this file does NOT have a "Digital Signature" tab. Thanks for this info! I'll run signtool as you suggest!
EDIT: FYI, signtool seems not to be installed, and it looks like I'd need to install a Developer toolkit or something like that. To the extent I follow that page, it seems to assume the reader is past that point in the discussion. But thanks, you confirmed what I vaguely understood... :D
 
