Certificate Analysis in CIS

Recently I have been doing tests on Comodo and discovered a few pieces of malware trusted by CIS. But upon further review of the certificate of the malware, I noticed that it had an invalid digital certificate. What I’m asking is that Comodo add an alert into Defense+ to detect files that are trusted by CIS but have an invalid digital certificate; this would prevent hackers who have stolen old certificates from being trusted by Comodo.

Please report this as a bug as it needs serious discussion.


This isn’t really a bug but mostly a flaw in the overall trusted DB of Comodo.

Here is an example of trusted Malware:

I don’t have the file anymore unfortunately. But this file is signed by a certificate that is trusted by Comodo but is invalid. I really think that Comodo should invest in certificate analysis.

Here is another example of trusted malware, this was when Opera’s code signing certificate was stolen by hackers.

There is a possibility that even though this file is detected by Comodo, because it is on the TVL it can get exempt from detection. I hope that a Comodo dev can look into this and potentially add certificate verification to CIS, this way invalid certificates can be blacklisted and reduce the chances of trusted malware being a big concern.


Some degree of certificate verification is done, as I understand it. If you report this as a bug there will hopefully be a discussion about this which will help define what and under what circumstances.

Up to you of course :slight_smile:


Yes, this would be a good addition; make a poll for this. Trusted malware by Comodo isn’t the best thing; after reading this I start to not trust Comodo certification. Comodo should add this since it is a good thing :-La

Good idea. But I don’t know how feasible this is.

I am quite surprised the trusted malware issue has not been rectified yet.
It has been going on for quite a long time now. It was bad enough that malware authors could obtain digital certificates, which, as was explained earlier, is a flaw in the signing process.

Awful to think the product which we believe is protecting us is in fact allowing malware to be installed.
Hope this gets fixed soon.

That signature seems to be valid, since it has a valid counter-signature, which is why VT says “Signed file, verified signature”.

But it is using an expired digital certificate, and if you check your TVL, “Trend Media Corporation Limited” is listed there. What I’m saying is that Comodo should display an alert for Trusted Vendors that have invalid certificates so that the user has some input as to whether to truly trust the file.

Yes, the certificate expired in 2011. What does that mean? It means that after 2011-06-30 that certificate can no longer be used to sign code. But the code in question was signed 2010-08-09, when the certificate was valid, and it was counter-signed by a trusted CA, whose certificate is still valid. That’s what matters, not if Trend Media Corporation Limited’s certificate can still be used to sign code or not.

So, if Windows says that the signature is OK, and VT says “Signed file, verified signature”, there is no reason for CIS to object. Doing so would only cause lots of trouble, with perfectly legitimate (but old) applications, without improving security.

Your other sample (https://www.virustotal.com/en/file/8ecbca0de44c82d1c7ffced288aa68c1247bb1255693cd1c5747fb6cef394b43/analysis/) is different, though. It has not been counter-signed and VT says “Signature verification Certificate out of its validity period”.

CIS does not trust a vendor unless its code-signing certificate has been counter-signed by a trusted CA (source).

I am also convinced that Windows will say that that signature is not OK.
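The expiry-versus-counter-signature rule described above, modelled as an added Python example (this is not code from the thread, CIS or Windows). The revocation-date check generalises it to the stolen-certificate case raised later in the thread; the certificate not-before dates, the "current date" and the stolen-certificate sample are constructed values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class CodeSignature:
    signer: str
    cert_not_before: date
    cert_not_after: date
    signing_time: date          # signing time claimed in the signature
    countersigned: bool         # trusted timestamp (counter-signature) present
    cert_revoked_from: Optional[date] = None  # CA revocation date, if any


def verify(sig: CodeSignature, today: date) -> str:
    """Return 'valid' or the reason the signature should not be trusted."""
    # A trusted counter-signature proves WHEN the file was signed, so the
    # certificate is judged at that moment and may have expired since.
    # Without one the signing time is only a claim, so the certificate is
    # judged as of today and an expired (or revoked) one fails.
    check_time = sig.signing_time if sig.countersigned else today
    if not (sig.cert_not_before <= check_time <= sig.cert_not_after):
        return "certificate out of its validity period"
    if sig.cert_revoked_from is not None and check_time >= sig.cert_revoked_from:
        return "certificate revoked"
    return "valid"


TODAY = date(2013, 8, 1)  # constructed "current date" for the checks below
# Trend Media sample from the thread: signed 2010-08-09, counter-signed,
# certificate expired 2011-06-30 (the not-before date is constructed).
TREND_MEDIA = CodeSignature("Trend Media Corporation Limited", date(2008, 7, 1),
                            date(2011, 6, 30), date(2010, 8, 9), countersigned=True)

# The thread's second sample: expired certificate, no counter-signature
# (dates constructed).
NO_TIMESTAMP = CodeSignature("Example Vendor", date(2008, 7, 1),
                             date(2011, 6, 30), date(2010, 8, 9), countersigned=False)

# Constructed stolen-certificate case: the CA revoked the certificate with an
# effective date and the malware was signed (and timestamped) after it.
STOLEN = CodeSignature("Compromised Vendor", date(2012, 1, 1), date(2014, 12, 31),
                       date(2013, 7, 1), countersigned=True,
                       cert_revoked_from=date(2013, 6, 1))

if __name__ == "__main__":
    for s in (TREND_MEDIA, NO_TIMESTAMP, STOLEN):
        print(f"{s.signer}: {verify(s, TODAY)}")
```

A legitimate file signed and timestamped before the revocation date still verifies, which is why a stolen certificate can be revoked without invalidating the vendor's older releases.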

Thank you JoWa, I wasn’t fully aware of the counter-signing part of signing files. But what I’m wondering is, if a hacker were to steal a Trusted Vendor’s digital certificate, would it be trusted by Comodo? Or only if it has been counter-signed? If it has to be counter-signed first then I can restore my confidence in CIS.

I thought I had come up with a way to combat trusted malware but, apparently Comodo already has some ways of doing so :).

Look at the Opera case: theirs got stolen and (a) malware(s) were signed with it. CIS trusted it to my knowledge, even though it was in the AV database, because trusted files are excluded from the AV; it had to be removed from the trusted vendors to my knowledge.
But I may be wrong in this.

You’re right, trusted files are excluded from the AV in Stateful mode, which somewhat makes it harder to combat trusted malware.