Signed Malware & Antivirus Detection

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
Many AVs seem to give signed malware a pass. What solutions have you adopted for this attack vector? Is there a second opinion AV which ignores the ‘signed’?
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,814
As Cruelsister said:
Note that the bulk of signed malware will be from some inconsequential publisher that will be from some fly-by-night Mook and would NEVER (never ever) make it to any TVL list.
Just because a malware sample is signed doesn't mean it's signed with a certificate from a trusted vendor, so if you're using a Comodo product that uses the Trusted Vendors List, signed malware isn't something you should be concerned about. High-quality certificates from vendors on the TVL are far too costly and difficult for most blackhats to get their hands on and too useful to waste on the general populace.
 

RoboMan

Level 34
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
Signatures nowadays are BS. Everybody can get one. That's why anti-executables and antivirus with AC modules generate a trusted vendor list, which will work as a guarantee of which signed software can be run. Of course this doesn't cover when a trusted vendor gets hacked (such as Avast with CCleaner), and this could be avoided by not trusting any signature, whether it's a trusted vendor or not. Nevertheless, the CCleaner's kind of attack is unpredictable and will probably catch you. There's no way any software can prevent that.
 

ForgottenSeer 69673

If the digital signature is in the trusted vendor list, Comodo will let it run even if you disable the cloud lookup.
This didn't stop CS from bypassing Appguard but she was running in protected mode and had access to one of the trusted vendors cert and didn't set up any other options. I always run in locked down mode with other settings.
 

imuade

Level 12
Verified
Top Poster
Well-known
Jul 29, 2018
566
As Cruelsister said:

Just because a malware sample is signed doesn't mean it's signed with a certificate from a trusted vendor, so If you're using a Comodo product that uses the Trusted Vendors List, signed malware isn't something you should be concerned about. High-quality certificates from vendors on the TVL are far too costly and difficult for most blackhats to get their hands on and too useful to waste on the general populace.
Take this example
https://malwaretips.com/threads/signed-malware-25-12-2018.88860/
The digital signature belongs to Skype Technologies. Do you think Skype Technologies isn't included in Comodo's TVL?
Then, if that signed malware downloads another unsigned exe, the security product can block it, but the original signed exe will run freely
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,814
Take this example
https://malwaretips.com/threads/signed-malware-25-12-2018.88860/
The digital signature belongs to Skype Technologies. Do you think Skype Technologies isn't included in Comodo's TVL?
Then, if that signed malware downloads another unsigned exe, the security product can block it, but the original signed exe will run freely
True, but there are still three things that can stop this kind of malware:
  1. If the certificate is revoked then Comodo will block/sandbox it regardless of if the certificate is from a vendor on the TVL
  2. Comodo's cloud database, which assigns each file a trust rating. If it's rated as malicious it'll be quarantined regardless of the certificate
  3. Viruscope, which will conduct behavioural analysis and quarantine anything that it determines as malicious
Add to the fact that a lot of people run Comodo Firewall alongside an AV - which has the opportunity to detect it as well - and it's still not something I'd worry about. But hey, if anyone's still concerned they can easily mass-delete vendors from the TVL (and turn off cloud rating lookup if they're worried about whitelisted malware).
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
Signatures nowadays are BS. Everybody can get one. That's why anti-executables and antivirus with AC modules generate a trusted vendor list, which will work as a guarantee of which signed software can be run. Of course this doesn't cover when a trusted vendor gets hacked (such as Avast with CCleaner), and this could be avoided by not trusting any signature, whether it's a trusted vendor or not. Nevertheless, the CCleaner's kind of attack is unpredictable and will probably catch you. There's no way any software can prevent that.

This is exactly the type of attack I’m looking to eliminate though - so in a sense I’m looking for software which won’t follow a whitelist approach for something like this
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,814
This is exactly the type of attack I’m looking to eliminate though - so in a sense I’m looking for software which won’t follow a whitelist approach for something like this
You could run VoodooShield with these two options disabled:
This way you'll have to approve the execution of absolutely every application on your system besides Windows components used to run the OS.
I used to run VS like this but it caused way too much irritation for whatever added protection it gave. If you're fine with dealing with a lot of prompts then feel free to give it a go.
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
You could run VoodooShield with these two options disabled:
This way you'll have to approve execution of absolutely every application on your system besides Windows components used to run the OS.
I used to run VS like this but it caused way too much irritation for whatever added protection it gave. If you're fine with dealing with a lot of prompts then feel free to give it a go.

Thanks - the too many prompts bit is a no go unfortunately, for the same reasons as you I’ll need to pass on this setup
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
Signatures nowadays are BS. Everybody can get one.
True, it is basically the matter of money, which hackers have. Interestingly, most of those valid signatures are issued by Comodo. Still, there is only a handful of signed malware, most with invalid or outdated certificates, so blocking an unsigned malware works pretty effectively, for now.
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,814
Thanks - the too many prompts bit is a no go unfortunately, for the same reasons as you I’ll need to pass on this setup
Disabling just the digital signature option isn't too bad; you get far less prompts than disabling both. It'd mean that anything inside your Program Files folders would be allowed to run freely but anything outside - including executables related to those applications inside the Program Files folders - would trigger a prompt. (Some applications like Discord or Spotify run from AppData so it'd be those that mainly trigger prompts.)
 

imuade

Level 12
Verified
Top Poster
Well-known
Jul 29, 2018
566
True, but there are still three things that can stop this kind of malware:
  1. If the certificate is revoked then Comodo will block/sandbox it regardless of if the certificate is from a vendor on the TVL
  2. Comodo's cloud database, which assigns each file a trust rating. If it's rated as malicious it'll be quarantined regardless of the certificate
  3. Viruscope, which will conduct behavioural analysis and quarantine anything that it determines as malicious
Add to the fact that a lot of people run Comodo Firewall alongside an AV - which has the opportunity to detect it as well - and it's still not something I'd worry about. But hey, if anyone's still concerned they can easily mass-delete vendors from the TVL (and turn off cloud rating lookup if they're worried about whitelisted malware).
1. I don't think so, everything in the TVL or trusted by the user can run freely
2. If the file is on TVL or trusted by the user, it won't be checked on cloud
3. Only if you set Viruscope to check files outside the sandbox too

Edit: Trusted Vendors, PC Firewall, Internet Protection | Internet Security Help

If the vendor is on the 'Trusted Software Vendor List' AND the user has enabled 'Trust Applications signed by Trusted Vendors' in the 'File Rating Settings' panel, THEN the application will be trusted and allowed to run.
 
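The decision the thread keeps circling back to (valid signature + publisher on the trusted list + "Trust Applications signed by Trusted Vendors" enabled = run without cloud or behaviour checks, revoked certificate = block) can be audited on your own machine. The script below is an added example written for this post, not Comodo's or any vendor's code; the publisher allow-list it uses is a constructed stand-in for a TVL and the scan path is an assumption to adjust.

```powershell
# Added example: audit signed executables against a local publisher allow-list,
# mirroring a Trusted Vendor List decision. Not vendor code; allow-list and
# scan path are constructed for illustration.
Set-StrictMode -Version Latest

# Constructed allow-list of signer certificate subjects (stand-in for a TVL).
$TrustedPublishers = @(
    'CN=Example Trusted Publisher, O=Example Corp, C=US'
)

function Test-CertRevoked {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain with online revocation checking; a revoked leaf or
    # intermediate appears in ChainStatus with the Revoked flag.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($Cert)
    $revoked = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    foreach ($s in $chain.ChainStatus) {
        if ($s.Status -band $revoked) { return $true }
    }
    return $false
}

function Get-SignedBinaryVerdict {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'NotSigned') { return 'unsigned: goes through normal scanning' }
    if ($sig.Status -ne 'Valid')     { return "invalid signature ($($sig.Status)): untrusted" }
    $subject = $sig.SignerCertificate.Subject
    if (Test-CertRevoked -Cert $sig.SignerCertificate) {
        return "signed by '$subject' but certificate REVOKED: block"
    }
    if ($TrustedPublishers -contains $subject) {
        # The branch discussed in the thread: an allow-listed publisher is
        # trusted here with no cloud rating or behaviour check applied.
        return "signed by allow-listed publisher '$subject': would run unchecked"
    }
    return "signed by '$subject', NOT allow-listed: reputation/behaviour checks apply"
}

# Walk a directory (assumed path) and print one verdict per executable.
Get-ChildItem -Path 'C:\Program Files' -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    ForEach-Object { '{0}: {1}' -f $_.FullName, (Get-SignedBinaryVerdict -Path $_.FullName) }
```

Files reported as "would run unchecked" are exactly the set a TVL-based product waves through, so that list is what to review against the cloud rating or a second-opinion scanner.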
