asked on

Have questions about digital file signing and verification

I have been trying to find some answers to some very simple questions, but I am having no luck. I am writing a program to help us identify potential viruses easily. I think I know the answer, but really need to verify that I am correct.
Here are the questions.

#1. I would assume that a virus writer could digitally sign their own file, but could they digitally sign it as Microsoft or some other legitimate company?

#2. Does a digitally signed file just guarantee that the file has not been altered or does it also guarantee that is is from the company it says its from?

#3. To summarize my questions, If a file passes verification using a tool like signtool.exe, does that guarantee it is not a virus or does that just mean that the file is unchanged and is from the company it says it's from?

Any other useful info or explanations would be greatly appreciated.

ASKER CERTIFIED SOLUTION

David Johnson, CD

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

SOLUTION

abbright

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

SOLUTION

Saikapian_4739

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

advcom

ASKER

One last question to sum this up. If I were to run a script that enumerates all files in system32 and drivers and then passes the file names to signtool.exe for verification and all the files show as verified, does this mean that all these DLL's and drivers are for sure not infected with a virus? I included a sample output of signtool, just for clarification of what I am doing. The reason I am doing this is that I have often found that with many newer viruses, they infect atapi.sys, cdrom.sys or some other system driver and it can be hard to detect. I was hoping this would be a solution to detecting those kinds of infections.

Verifying: c:\windows\system32\drivers\mup.sys

File is signed in catalog: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\NT5.CAT

Hash of file (sha1): 174534160B5C14CB730F91CDC8FCDF443CF22A2C

Signing Certificate Chain:
    Issued to: Microsoft Root Authority
    Issued by: Microsoft Root Authority
    Expires:   Wed Dec 30 23:00:00 2020
    SHA1 hash: A43489159A520F0D93D032CCAF37E7FE20A8B419

        Issued to: Microsoft Windows Verification Intermediate PCA
        Issued by: Microsoft Root Authority
        Expires:   Sun Apr 25 23:00:00 2010
        SHA1 hash: 1C3245CA9517DDD6C95880F292DD85E2671CAE9E

            Issued to: Microsoft Windows Component Publisher
            Issued by: Microsoft Windows Verification Intermediate PCA
            Expires:   Wed Jun 10 14:07:51 2009
            SHA1 hash: 012CFCA4EEC7912F7F375A249EE9DE2D8E1AA363

The signature is timestamped: Sun Apr 13 18:07:47 2008
Timestamp Verified by:
    Issued to: Microsoft Root Authority
    Issued by: Microsoft Root Authority
    Expires:   Wed Dec 30 23:00:00 2020
    SHA1 hash: A43489159A520F0D93D032CCAF37E7FE20A8B419

        Issued to: Microsoft Timestamping PCA
        Issued by: Microsoft Root Authority
        Expires:   Sat Sep 14 23:00:00 2019
        SHA1 hash: 3EA99A60058275E0ED83B892A909449F8C33B245

            Issued to: Microsoft Timestamping Service
            Issued by: Microsoft Timestamping PCA
            Expires:   Tue Jun 12 16:04:51 2012
            SHA1 hash: F9B6EB0ACFFB8DC1B836EE16711BFF423CA1D573

Successfully verified: c:\windows\system32\drivers\mup.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

Open in new window

SOLUTION

lucius_the

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

advcom

ASKER

Thank you everyone for your input, very helpful.