MS system files report as unsigned
<blockquote data-quote="alexandrud" data-source="post: 1109058" data-attributes="member: 118371"><p>This is an interesting topic. In order to avoid signing tens of thousands of files, Microsoft decided to use a hack. Let's take as an example the RDP client below:</p><p></p><p>[ATTACH=full]286395[/ATTACH]</p><p></p><p>The file itself does not have any embedded digital signature. WFC is using <strong>wintrust.dll</strong> (this one is signed for some reason) from Windows itself to verify if a file is digitally signed with a valid signature. You need to provide it a file path. The file is not signed, obviously, since the Digital Signatures tab is missing from the file properties dialog. WFC will report correctly that the file is not digitally signed.</p><p></p><p>Now the hack from Microsoft. Even if you use <strong>signtool verify</strong>, the file appears as unsigned, which is again correct. But if you use the <strong>/a</strong> parameter, suddenly the file is verified. Attention, the word is <strong>verified</strong>, not <strong>digitally signed</strong>.</p><p></p><p><strong><span style="font-size: 15px">This only means that there is a catalog file where the hash of this file is contained and since the hash matches the provided file's hash, it must be the file which was indexed in the catalog file. It is verified, but not digitally signed.</span></strong></p><p></p><p></p><p>[ATTACH=full]286396[/ATTACH]</p><p>Going back to WFC, it cannot distribute and use signtool.exe to verify if a file was added in a catalog file so that Microsoft recognizes it as a valid file based on its hash. If WFC detects the file as unsigned, it means the file does not have an embedded digital signature, detected as such by Microsoft (wintrust.dll), not by WFC.</p></blockquote><p></p>
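The distinction the post draws between an embedded signature and a catalog match can be checked without signtool.exe, shown here as an added example that is not part of the original post and not WFC's code. It uses PowerShell's `Get-AuthenticodeSignature`, whose `SignatureType` property is `Authenticode` for an embedded signature and `Catalog` for a catalog hash match; the function name `Get-SignatureKind` and the choice of `mstsc.exe` as the RDP client are assumptions.

```powershell
# Added example: report HOW Windows trusts a file, not just whether it does.
# Requires Windows PowerShell 5.1 or later (SignatureType / IsOSBinary properties).
function Get-SignatureKind {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path

        # SignatureType is None, Authenticode (embedded in the file) or Catalog
        # (the file's hash is listed in a signed .cat file).
        $kind = switch ([string]$sig.SignatureType) {
            'Authenticode' { 'Embedded signature' }
            'Catalog'      { 'Catalog hash match (no embedded signature)' }
            default        { 'No signature found' }
        }

        [pscustomobject]@{
            Path       = $Path
            Kind       = $kind
            # Only Status = Valid means the signature or catalog chain verified;
            # HashMismatch or NotTrusted must not be treated as trusted.
            Trusted    = ($sig.Status -eq 'Valid')
            Status     = $sig.Status
            IsOSBinary = $sig.IsOSBinary
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Assumed sample inputs: the RDP client and the DLL the post mentions.
"$env:SystemRoot\System32\mstsc.exe",
"$env:SystemRoot\System32\wintrust.dll" |
    Get-SignatureKind |
    Format-List
```

A tool that only inspects the file for an embedded signature will report the `Catalog` rows as unsigned, which is the behaviour the post describes.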