unsigned drivers windows

This is a general question because I am having issues installing some software and Windows is complaining that the drivers are not signed.

When installing a program, does Windows check that all files are digitally signed, or just certain file extensions associated with drivers (EXE, SYS, DLL, INF, OCX, VXD)?

Does Windows only allow digital signatures from Microsoft, or is a valid signature from any company accepted? I ran sigverif and all my drivers are signed by Microsoft, which means there has been some testing from Microsoft.

What is the easiest method to verify if a file is digitally signed and if Windows should be allowing the files to be used in the installation? Since the files are not allowed to be installed, I don't see how sigverif could be used.

What is the default action in Windows for unsigned files?

Thanks
Dragon0x40 asked:

Vadim Rapp commented:
Here's how it works. The following is only my own view based on my experience, and probably many people will disagree, especially those affiliated with Microsoft.

Let's say you have obtained an executable that you are going to run in Windows. Now you have the dilemma: can you trust the author of this executable that it won't hurt your system?

1. If you know the vendor, such as when you have been in personal contact with them and they sent you the installation, then you probably trust him based on your own personal experience, and nothing else is required. You run the executable he sent, believing that he is a good guy. He might have signed his software, but it does not matter to you.

A certificate also confirms that the executable itself has not been tampered with. However, it's hard to imagine how and by whom it might be tampered with on its way from the vendor to you.

2. If you don't know the vendor, then you usually rely on the digital certificate attached to the executable. What does the certificate say? It says that the vendor has paid a couple of hundred dollars to a certain third party, the Certifying Authority. Depending on that authority, it's possible that in order to purchase the certificate the vendor had to present some credentials, such as perhaps his business registration with Dun & Bradstreet - which, however, in turn means nothing else but that he also paid yet another $$$ to Dun & Bradstreet. That certificate does not mean that anybody has inspected this software and assured that it complies with industry standards etc. etc.

Windows comes with a predefined set of certificates from top-level certifying authorities, which means that you are supposed to trust them that whatever they have signed is harmless. You don't know those authorities, you don't know their criteria of trust, and you don't know why and how Microsoft has decided to trust them.

So, I wouldn't be concerned about whether the files you are going to run are signed or not. That's not what matters, and there is more than enough really harmful malware that is properly signed - buy any new computer, and right out of the box your system tray is full of already-installed "value-added" software, all of which is digitally signed, but for all practical purposes is viruses.

> all my drivers are signed by Microsoft which means there has been some testing from Microsoft

I remember a couple of years ago a new version of the NVidia display driver became incompatible with Windows Remote Desktop. You installed it, and Remote Desktop wouldn't work. Not only was it signed by Microsoft, but Microsoft continued to sign new versions of the drivers while this problem was already known but still not fixed in those new versions.
0
McKnife commented:
To add more facts: drivers need to be signed on 64-bit Windows. In Win7, we could set Windows to a mode where this requirement is ignored. Since Windows 8, we cannot access that mode anymore, which means no unsigned drivers will ever install.

Since some software vendors use virtual devices (that come with virtual drivers) for some functions, they need to sign their drivers or their software will not run.
0
Dragon0x40 (Author) commented:
Hi Vadim,

I asked a few very specific questions about how digital signatures work in Microsoft Windows and I don't believe you addressed any of the questions.

The system has flaws as you have pointed out but I need to know how the system works or is supposed to work from both a software company and an end user perspective.

If you don't enforce digital signatures because you don't believe they are valid then what specific configuration do you make to your computers or do you leave them at the Windows default?

Thanks
0
Dragon0x40 (Author) commented:
Hi McKnife,

The mode for installing unsigned drivers in Windows 7 is set using bcdedit?

How do I test to see if the files are digitally signed or if Microsoft Windows is incorrectly flagging them as unsigned?

The default for Windows 7 and Windows 8 is to require a digital signature for drivers?

Thanks
0
McKnife commented:
Looking at the method again, I noticed it is still possible with Win 8.x. What I confused was: with Win 8.x we cannot set this permanently using bcdedit, but just for one boot, as shown here: http://www.howtogeek.com/167723/how-to-disable-driver-signature-verification-on-64-bit-windows-8.1-so-that-you-can-install-unsigned-drivers/

"How do I test to see if the files are digitally signed or if Microsoft Windows is incorrectly flagging them as unsigned?" - In the file properties, there's a details tab and there you can see digital signatures (if any are applied). Microsoft does not flag anything incorrectly - what do you mean?

"The default for Windows 7 and Windows 8 is to require a digital signature for drivers?" - No, the default for x64 versions of Win7/8.x is.
0
Vadim Rapp commented:
> When installing a program does windows check that all files are digitally signed or just certain file extensions associated with drivers? EXE, SYS, DLL, INF, OCX, VXD

Only executable files, including also .jar (Java), plus .cab.

> Does windows only allow digital signatures from Microsoft or is a valid signature from any company accepted? I ran sigverif and all my drivers are signed by Microsoft which means there has been some testing from Microsoft.

It accepts a certificate it trusts, which means that it's issued by a certification authority that is either among the root certification authorities trusted by Microsoft, or is trusted by an already-trusted authority, building a chain of trust.

> What is the easiest method to verify if a file is digitally signed and if windows should be allowing the files to be used in the installation? Since the files are not allowed to be installed I don't see how sigverif could be used.

The recommended tool is signtool: https://msdn.microsoft.com/en-us/library/aa387764.aspx

However, it's not enough to just sign. Anybody can produce their own certificate and sign with it ("self-signed"). Windows will install only what is signed by certificates issued by authorities it trusts, defined as above. Note that you can install any other party's certificate and trust it - as in my first post, your trusted developer can produce a self-signed certificate, give it to you, you install it as trusted for your one computer or the whole organization, and it will work.

> What is the default action in Windows for unsigned files?

McKnife already answered.
0
Dragon0x40 (Author) commented:
I assume the server versions of windows follow the same rules.

Is it only certain file extensions that have to be signed?

Does Microsoft have to be the signer or is there a list of authorized signers/verifiers?

What does signed mean? Integrity and authentication, or does it include any type of testing?
0
Vadim Rapp commented:
> Is it only certain file extensions that have to be signed?
Yes, only executable files.


> Does Microsoft have to be the signer or is there a list of authorized signers/verifiers?
The signer can be any certificate-issuing authority whose certificate is trusted by the given system. You can see and manage the list of them following these steps:
https://msdn.microsoft.com/en-us/library/ms788967%28v=vs.110%29.aspx

A Windows installation includes the initial list of root certificates issued by authorities Microsoft has chosen to trust, including Microsoft itself. That list is periodically updated using Microsoft Update. Root authorities in turn can trust other authorities. An executable is trusted when the chain of authorities who signed the certificate(s) ends with an authority trusted by the system. For example, the executable will be trusted if it's signed by a certificate sold by Verisign, because Verisign is one of the trusted root certificates, or by a certificate issued by Uncle Joe's Garage, if the Garage itself is trusted by Verisign to issue certificates (each certificate has "purposes", identifying what it's good for).

> What does signed mean? integrity and authentication or does it include any type of testing?
Integrity (the file is the same as when it was signed) and authentication (the certificate tells who purchased the certificate applied to the executable). No testing.
0
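The signtool check recommended earlier and the chain-of-trust rule described above can also be run from PowerShell against every file an installer drops. This is an added example, not code from the thread; it assumes Windows PowerShell 5.1 or later and uses a placeholder path for $InstallDir.

```powershell
# Added example: report Authenticode status and whether each signer chains to a
# root in this machine's Trusted Root store. $InstallDir is a placeholder.
param([string]$InstallDir = 'C:\placeholder\extracted-installer')

# File types discussed in the thread; .cat added because .sys/.inf drivers are
# normally signed through a catalog file rather than an embedded signature.
$extensions = '*.exe','*.dll','*.ocx','*.msi','*.cab','*.sys','*.inf','*.cat'

function Test-SignerChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain the way Windows does: it must end in a trusted root.
    # A self-signed signer, or one issued by an unknown CA, fails here with
    # UntrustedRoot / PartialChain, even though the signature itself is intact.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
    # Require the "purpose" the thread mentions: the code-signing EKU.
    $chain.ChainPolicy.ApplicationPolicy.Add(
        [System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3')) | Out-Null
    $ok = $chain.Build($Cert)
    $root = if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    } else { '' }
    [pscustomobject]@{
        ChainOk = $ok
        Root    = $root
        Errors  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

Get-ChildItem -Path $InstallDir -Recurse -File -Include $extensions | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $row = [ordered]@{
        File   = $_.Name
        # NotSigned, Valid, HashMismatch (tampered), or UnknownError/NotTrusted
        # when the signature is intact but the chain does not reach a trusted root
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Chain  = ''
        Root   = ''
    }
    if ($sig.SignerCertificate) {
        $c = Test-SignerChain -Cert $sig.SignerCertificate
        $row.Chain = if ($c.ChainOk) { 'trusted' } else { "untrusted ($($c.Errors))" }
        $row.Root  = $c.Root
    }
    [pscustomobject]$row
} | Format-Table -AutoSize
```

For a single file, `signtool verify /pa /v <file>` from the SDK tool linked above reports the same chain, using the default Authenticode policy.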
Vadim Rapp commented:
> No testing.

...that probably needs more clarification. Which authority imposes which demands when selling a code-signing certificate depends on the authority, and you'd have to do your own research to find out who demands what. Microsoft itself does perform some testing of its executables, but what exactly it entails and what it ensures, we don't know. Microsoft does not guarantee anything; this is in the product license. Other trusted authorities may have their own list of demands.

Let's pretend that your organization has decided to change this, and only install executables that have been verified by some very trusted party who does real testing you rely on. To enforce that, you would open the MMC console as described in the link in my previous post, remove all existing trusted authorities, and instead put in the certificate of your trusted party. Then Windows would ensure that you run only what was really tested (including Windows itself). A domain administrator can manage trust for the whole organization by enrolling certificates of the parties the organization trusts, and un-enrolling those it does not.
0
Dragon0x40 (Author) commented:
Looking at my system, most .cab and .sys files have a digital signature tab and the certificate is from VeriSign Class 3.

Is there a way to see/modify which file types are verified during installation of a program? Or is it pretty much that you require all files to be signed or you don't?

The exe and msi for the installer both have the digital signature tab, signed by VeriSign.

The cabs are not signed.

Makes me wonder how many companies actually enforce signed drivers, or at least how many disable the feature during installations?
0
McKnife commented:
Let me ask: what is this question about? Why do you connect installations and signing? Are you worried that installations fail because of signing? Signing is a good thing, security-wise. As written before, if virtual device drivers are installed as part of some software installation on an x64 system, those drivers need to be signed - that's all. If they are not, the installation will fail, or at least we will have to turn off the requirement for driver signing, as said before.
0
Vadim Rapp commented:
Enforcement comes not from the file, but from the Windows system component that is using the file. That component makes all the decisions - what it will check for a signature and what it will not. So, if the component is the driver installation framework, it checks the .cab for a signature. But if the component is Windows Installer, it does not check the cab extracted from the msi if the msi itself is already signed.

Software vendors can't disable the signature requirement; the whole point is that Windows verifies whether the installation can be trusted. If the installation were able to tell Windows "don't check me, just go and install", that would defeat the whole idea.
0
Vadim Rapp commented:
Do you have any other questions? Do you pretty much have the picture of how it all plays together?
0
Dragon0x40 (Author) commented:
I wanted to know how to determine whether the software or Microsoft was not following industry practices when the software failed to install. Does MS make it too difficult for all software to sign drivers? Or are software developers not following industry best practices? How to know where to point the finger?
0
Vadim Rapp commented:
> when the software failed to install.

How did it fail? What happened? Any error messages? How do you know it's related to signing of the drivers?
0
Vadim Rapp commented:
Any update?
0
McKnife commented:
Wow. Deleting this is a shame. Dragon0x40, please finish this.
0
Vadim Rapp commented:
All initial questions received specific detailed answers, split between https:#a40724909 and https:#a40724526
0