Modified Trusted file still rated as Trusted

V12.2.2.7036 (Firewall only) Windows 7 Ultimate 64-bit

For some testing purposes I had to “modify” a trusted executable.
After running that modified file I found it rated as trusted in File List.

I would expect it to be Unrecognized or maybe Malicious.


The modified executable got rated as Trusted by “Cloud Lookup”, which was enabled when the file was run.
When Cloud Lookup is disabled the modified executable gets rated as Unrecognized and runs Virtually.

It seems the modified file is known in the Cloud Lookup database.

So all good then, no issue.

So the original file was signed and modifying it removed the signature. Is that what happened? And somehow the cloud OK’d the unsigned file.

Yes, that’s exactly what happened. I reproduced it multiple times and each time the modified file got trusted by Cloud Lookup.
I’m still a bit surprised by this though.

So a valid question would be: Does the Cloud Lookup database contain both signed trusted and unsigned trusted files?
If so, then everything is fine. :slight_smile:

To answer the question myself:

Yes, it does. In this particular case both the original signed file and the modified unsigned file are rated as trusted by Cloud Lookup.

Thanks go to @Ploget for helping to close the circle in this case. :slight_smile: