Question About Signed Malware

Hello all

Lately i have been seeing a lot activity in underground forums or not so underground (ex ) about signed malware.

I have some questions

1.These malware will NOT get sandboxed because they are signed by a trusted vendor right?If virus signature detection doesnt catch them we are completly open?

2.How can we protect against these type of malware using cis.

Thank you for your time

  1. Yes.

  2. Turn off TVL.

Trusted vendor needs to be part of either local TVL or Cloud based TVL

Does anyone know the way they sign the malware as legit apps.Or suggest me some reading about this?I mean an application from microsoft could only be singed by microsoft right?If someone else signed it should come out as false.How they bypass that

Really, could someone explain the mechanism of signing?
Is signed infected file considered to be trusted or there some hash checking?

Does AV scans programs from trusted vendors?


Not even after Database update?

So let me see if I got this straight, if for example Opera gets (as they recently did) their signing thingy stolen and then someone signs malware with Opera’s signature, then even if the malware is in the AV databse it will not be detected because the malware is signed by a trusted vendor? So Opera signature must be removed from TVL for the malware to be detected?

Is this also the case if you change AV from stateful to on-access?

Yes, that is correct. This particular behavior is the same for stateful and on-access. This is why I created this wish and this wish.

I voted but seeing how long ago the wishes were made and that nothing has been done so far, it makes one lose faith.
Being able to turn on CAV for trusted files is something that must be implemented in my opinion.

Can someone tell me how to remove the trusted vendors list so it won’t be replaced on the next update please?

Which version of CIS do you have installed?

On my laptop I have CIS premium version 6.2 on my desktop I have CIS pro 6.2.

Open the Advanced Settings. Then, under File Rating there is an option to “Tryst applications signed by trusted vendors”. If you uncheck this the TVL will be disabled.

Thanks Chiron :-TU

Shouldn’t one uncheck “Trust files installed by trusted installers” as well?

I think that would be unrelated to whether the installer is signed or not. It just decides whether files spawned by the installer, assuming the installer was already trusted, would be automatically allowed or not.