Question About Signed Malware

Hello all

Lately I have been seeing a lot of activity in underground forums, or not-so-underground ones (e.g. https://sites.google.com/site/pfxcert/ ), about signed malware.

I have some questions

1. These malware will NOT get sandboxed because they are signed by a trusted vendor, right? If virus signature detection doesn't catch them, are we completely open?

2. How can we protect against this type of malware using CIS?

Thank you for your time

  1. Yes.

  2. Turn off TVL.

The trusted vendor needs to be part of either the local TVL or the cloud-based TVL.

Does anyone know the way they sign the malware as legit apps? Or can you suggest some reading about this? I mean, an application from Microsoft could only be signed by Microsoft, right? If someone else signed it, it should come out as false. How do they bypass that?

Really, could someone explain the mechanism of signing?
Is a signed infected file considered to be trusted, or is there some hash checking?

Does the AV scan programs from trusted vendors?

No.

Not even after a database update?

So let me see if I got this straight: if, for example, Opera gets their signing thingy stolen (as they recently did) and then someone signs malware with Opera’s signature, then even if the malware is in the AV database it will not be detected, because the malware is signed by a trusted vendor? So Opera’s signature must be removed from the TVL for the malware to be detected?

Is this also the case if you change the AV from stateful to on-access?

Yes, that is correct. This particular behavior is the same for stateful and on-access. This is why I created this wish and this wish.
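As an added illustration of the two things asked about above (how signing works, and the trust decision just confirmed), here is a small Python model. It is not part of the thread and not Comodo's code: it uses a toy 320-bit textbook RSA signature over a SHA-256 digest (real Authenticode uses larger keys, padding and certificate chains), a made-up vendor name, sample bytes standing in for files, and a `rate_file` function whose ordering of checks follows the thread's description, with a `scan_trusted_files` flag standing in for the behaviour the wishes ask for.

```python
"""Toy model of code signing and of the trust decision described in the thread.
Everything here is constructed for illustration (toy RSA, made-up vendor, sample bytes)."""
import hashlib
import math
import random


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test (enough for a toy key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(seed, bits=160):
    """Deterministic toy RSA keypair: returns (public, private) as (n, exponent) tuples."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits, rng), _random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def sign(private_key, data):
    """Sign the SHA-256 digest of the file bytes (what a code signature covers)."""
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify(public_key, data, signature):
    """True only if the digest of these exact bytes matches the signed digest."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def rate_file(data, signer, signature, vendor_keys, tvl, av_db,
              trust_signed_by_tvl=True, scan_trusted_files=False):
    """Rating order as described in the thread.
    trust_signed_by_tvl: the "Trust applications signed by trusted vendors" setting.
    scan_trusted_files: hypothetical flag for the wished-for AV lookup on TVL files.
    Returns "trusted", "blocked" or "unknown" (unknown files get sandboxed)."""
    in_av_db = hashlib.sha256(data).hexdigest() in av_db
    signed_by_tvl = (trust_signed_by_tvl and signer in tvl and signer in vendor_keys
                     and signature is not None
                     and verify(vendor_keys[signer], data, signature))
    if signed_by_tvl and not scan_trusted_files:
        return "trusted"          # a valid TVL signature skips the AV database lookup
    if in_av_db:
        return "blocked"
    return "trusted" if signed_by_tvl else "unknown"


def demo():
    vendor_pub, vendor_priv = generate_keypair(seed=7)
    vendor_keys = {"ExampleVendor": vendor_pub}     # constructed vendor name
    tvl = {"ExampleVendor"}
    legit = b"legitimate installer bytes (constructed)"
    malware = b"malicious payload bytes (constructed)"
    av_db = {hashlib.sha256(malware).hexdigest()}   # the AV already knows this sample
    legit_sig = sign(vendor_priv, legit)
    stolen_key_sig = sign(vendor_priv, malware)     # the stolen-key scenario from the thread
    v = "ExampleVendor"
    return {
        "legit_signed": rate_file(legit, v, legit_sig, vendor_keys, tvl, av_db),
        "legit_tampered": rate_file(legit + b"!", v, legit_sig, vendor_keys, tvl, av_db),
        "malware_stolen_key": rate_file(malware, v, stolen_key_sig, vendor_keys, tvl, av_db),
        "malware_tvl_off": rate_file(malware, v, stolen_key_sig, vendor_keys, tvl, av_db,
                                     trust_signed_by_tvl=False),
        "malware_scan_trusted": rate_file(malware, v, stolen_key_sig, vendor_keys, tvl, av_db,
                                          scan_trusted_files=True),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22} -> {verdict}")
```

The tampered case shows what the signature actually guarantees (the bytes were not changed after signing), and the stolen-key case shows what it does not guarantee (that the signer was the vendor): with the vendor on the TVL the known sample is rated trusted, and it is only blocked once the TVL setting is off or trusted files are scanned as well.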

I voted, but seeing how long ago the wishes were made and that nothing has been done so far, it makes one lose faith.
Being able to turn on CAV for trusted files is something that must be implemented, in my opinion.

Can someone tell me how to remove the trusted vendors list so it won’t be replaced on the next update please?

Which version of CIS do you have installed?

On my laptop I have CIS Premium version 6.2; on my desktop I have CIS Pro 6.2.

Open the Advanced Settings. Then, under File Rating, there is an option to “Trust applications signed by trusted vendors”. If you uncheck this, the TVL will be disabled.

Thanks Chiron :-TU

Shouldn’t one uncheck “Trust files installed by trusted installers” as well?

I think that would be unrelated to whether the installer is signed or not. It just decides whether files spawned by the installer, assuming the installer was already trusted, would be automatically allowed or not.