Solved

Have questions about digital file signing and verification

Posted on 2011-03-06
992 Views
Last Modified: 2012-05-11
I have been trying to find some answers to some very simple questions, but I am having no luck. I am writing a program to help us identify potential viruses easily. I think I know the answer, but really need to verify that I am correct.
Here are the questions.

#1. I would assume that a virus writer could digitally sign their own file, but could they digitally sign it as Microsoft or some other legitimate company?

#2. Does a digitally signed file just guarantee that the file has not been altered, or does it also guarantee that it is from the company it says it's from?

#3. To summarize my questions, if a file passes verification using a tool like signtool.exe, does that guarantee it is not a virus, or does that just mean that the file is unchanged and is from the company it says it's from?

Any other useful info or explanations would be greatly appreciated.
Question by:advcom
6 Comments
 
LVL 80

Accepted Solution

by: David Johnson, CD, MVP earned 125 total points
ID: 35048018
The digital key, like an https: certificate, must be signed by a trusted certificate provider, i.e. VeriSign. A virus writer would have to be very ingenious to attempt to use someone else's key to sign their executable. Getting the hash to match would be difficult, to say the very least.

#2 it does both.

#3 it does not guarantee that the file/program does what you expect just that the author has signed the program and the trusted certificate provider believes that the author is who they say they are and that the file has not been modified.
 
LVL 10

Assisted Solution

by:abbright
abbright earned 125 total points
ID: 35053790
One short addition to #3: All is about trust. The signature verifies the origin of the file. If you trust that the originator does not write virus code then you can be sure that the file signed by it is not a virus.
 
LVL 2

Assisted Solution

by:Saikapian_4739
Saikapian_4739 earned 125 total points
ID: 35056744
Everything you have said is totally correct. A digital certificate is a way to check the authenticity of any computer application, whether it is web-based or Windows-based.

As you must know, the SSL certificates associated with HTTPS sites serve two major purposes: first, that the communication should be secure and encrypted, and second, to test the authenticity of the web server, so that the client can make sure that the server providing the information is in fact what it should be. That's the case with digital certificates in web applications.

In Windows-based applications, a secure channel to encrypt the communication isn't the issue, as there is no communication. The concern here is that the client can make sure whether the software is from a genuine company and not fake. For example, when your Windows OS sees MS software that is digitally signed by MS it tells you about that, and when it finds some piece of software that it senses might be fake it pops up and warns you, saying that the software is not digitally signed.

The most common example of this is when you try to install a driver which is not digitally signed by some company: the system warns you about it, but if you ignore the warning and keep going with the installation it can work fine for you, although the OS does not consider it secure.

Thanks
Author Comment

by:advcom
ID: 35060679
One last question to sum this up. If I were to run a script that enumerates all files in system32 and drivers and then passes the file names to signtool.exe for verification, and all the files show as verified, does this mean that all these DLLs and drivers are for sure not infected with a virus? I included a sample output of signtool, just for clarification of what I am doing. The reason I am doing this is that I have often found that with many newer viruses, they infect atapi.sys, cdrom.sys or some other system driver and it can be hard to detect. I was hoping this would be a solution to detecting those kinds of infections.
Verifying: c:\windows\system32\drivers\mup.sys

File is signed in catalog: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\NT5.CAT

Hash of file (sha1): 174534160B5C14CB730F91CDC8FCDF443CF22A2C

Signing Certificate Chain:
    Issued to: Microsoft Root Authority
    Issued by: Microsoft Root Authority
    Expires:   Wed Dec 30 23:00:00 2020
    SHA1 hash: A43489159A520F0D93D032CCAF37E7FE20A8B419

        Issued to: Microsoft Windows Verification Intermediate PCA
        Issued by: Microsoft Root Authority
        Expires:   Sun Apr 25 23:00:00 2010
        SHA1 hash: 1C3245CA9517DDD6C95880F292DD85E2671CAE9E

            Issued to: Microsoft Windows Component Publisher
            Issued by: Microsoft Windows Verification Intermediate PCA
            Expires:   Wed Jun 10 14:07:51 2009
            SHA1 hash: 012CFCA4EEC7912F7F375A249EE9DE2D8E1AA363

The signature is timestamped: Sun Apr 13 18:07:47 2008
Timestamp Verified by:
    Issued to: Microsoft Root Authority
    Issued by: Microsoft Root Authority
    Expires:   Wed Dec 30 23:00:00 2020
    SHA1 hash: A43489159A520F0D93D032CCAF37E7FE20A8B419

        Issued to: Microsoft Timestamping PCA
        Issued by: Microsoft Root Authority
        Expires:   Sat Sep 14 23:00:00 2019
        SHA1 hash: 3EA99A60058275E0ED83B892A909449F8C33B245

            Issued to: Microsoft Timestamping Service
            Issued by: Microsoft Timestamping PCA
            Expires:   Tue Jun 12 16:04:51 2012
            SHA1 hash: F9B6EB0ACFFB8DC1B836EE16711BFF423CA1D573

Successfully verified: c:\windows\system32\drivers\mup.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

 
LVL 10

Assisted Solution

by:lucius_the
lucius_the earned 125 total points
ID: 35062455
You have to note that, even if you do an automatic check on system files with this (btw, the Windows OS does exactly this by itself already), you do not gain much.

Why? A malicious coder could mess with the trusted root certificates on the computer itself, for example. So he could make another system file, sign it with his own (self-issued) certificate and put that certificate in the WCS trusted root list. Your system will report that the signature is OK in such a case, because it is, although the root cert is fraudulent.

So, you need to approach this on many fronts and plug all holes to have the system secured. Today, many companies are realising this and starting to offer UTM (Unified Threat Management) solutions. All I can tell you is that it's much more complex than it seems at first. You can easily get yourself into a false feeling of protection with this approach...
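An added example (not code from any of the posters) that turns the enumeration idea in the question and the objection just above into a concrete check: it parses signtool /v output of the kind quoted earlier and accepts a file only if its signing chain ends at a self-issued root whose thumbprint is on an explicit allow-list, so a root planted in the local store no longer yields a pass. The Microsoft Root Authority thumbprint is the one from the quoted output; the "planted root" report and its all-zero thumbprint are constructed for illustration.

```python
import re

# Roots we deliberately trust, by SHA1 thumbprint. The Microsoft Root Authority
# value is from the signtool output in the question; maintain this list yourself.
TRUSTED_ROOT_SHA1 = {"A43489159A520F0D93D032CCAF37E7FE20A8B419"}
CERT_FIELD = re.compile(r"^\s+(Issued to|Issued by|Expires|SHA1 hash):\s*(.*)$")


def parse_signing_chain(output):
    """Entries of the 'Signing Certificate Chain' section, root first
    (signtool /v prints root, then intermediates, then the leaf)."""
    chain, cert, in_chain = [], {}, False
    for line in output.splitlines():
        if line.startswith("Signing Certificate Chain:"):
            in_chain = True
            continue
        if in_chain and line.strip() and not line[0].isspace():
            break  # first unindented line ends the chain section
        m = CERT_FIELD.match(line) if in_chain else None
        if m:
            cert[m.group(1)] = m.group(2).strip()
            if m.group(1) == "SHA1 hash":  # last field of one entry
                chain.append(cert)
                cert = {}
    return chain


def assess(output, trusted_roots=TRUSTED_ROOT_SHA1):
    """'Successfully verified' is necessary, not sufficient: the chain must
    also end at a self-issued root whose thumbprint we recognise."""
    if "Successfully verified:" not in output:
        return "unsigned-or-invalid"
    chain = parse_signing_chain(output)
    if not chain or chain[0]["Issued to"] != chain[0]["Issued by"]:
        return "verified-but-no-root"
    if chain[0]["SHA1 hash"].upper() not in trusted_roots:
        return "verified-by-untrusted-root"
    return "trusted"


# Report from the question, trimmed to the root entry of the chain.
GOOD = """Signing Certificate Chain:
    Issued to: Microsoft Root Authority
    Issued by: Microsoft Root Authority
    Expires:   Wed Dec 30 23:00:00 2020
    SHA1 hash: A43489159A520F0D93D032CCAF37E7FE20A8B419
The signature is timestamped: Sun Apr 13 18:07:47 2008
Successfully verified: c:\\windows\\system32\\drivers\\mup.sys
"""
# Constructed: a self-issued root planted in the local store signs the file, so
# signtool still reports success, but the root thumbprint is unknown to us.
PLANTED = GOOD.replace("Microsoft Root Authority", "Example Planted Root CA").replace(
    "A43489159A520F0D93D032CCAF37E7FE20A8B419", "0" * 40)
```

Run over the output of signtool /v for every file the script enumerates; anything other than "trusted" is worth a closer look, and a file whose chain ends at an unfamiliar root is exactly the case the previous answer warns about.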
 

Author Closing Comment

by:advcom
ID: 35078916
Thank you everyone for your input, very helpful.
