Now, if Comodo trusts signed certificates, such as this one from Symantec in 2002, couldn't this lead to a possible infection where D+ doesn't pop up and gives direct access to the whole PC?
This may be the case with other signed executables that have malware on them due to a human mistake. So what should Comodo do about it? I mean, for example, the recent Delphi-based infectors that had almost every package based on it infected?
Very few vendors (if any) should be trusted.
I really want to know how Defense+ manages the "trusted" files. By hash? By digital signatures?
As far as I know, it trusts based on the Trusted Vendor List (TVL).
If it's on there, it can be treated as Trusted.
There is also a whitelist, but that contains only the hashes of verified apps.
In pre-v5/2011 versions the TVL was static and not easy to update, but in v5 they changed this to the cloud: they can now revoke a vendor from the TVL in the cloud and CIS will update the local list, and the same goes for adding. If it finds a signed unknown, it will do a cloud lookup for TVL presence and update accordingly.
For putting files on the "Trusted Files" list it uses hashes now, instead of the path-based detection of previous versions.
Wow… I can't believe we're trusting paths… Glad it has changed in version 5.
What is path-based detection? :-[
Files with a certain name in a certain folder, when marked as trusted, are allowed.
But those files could get infected/corrupted…
The hash detection checks whether the file was infected/corrupted.
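The difference between the two trust models discussed above (a path-based "Trusted Files" entry versus a hash-based one) can be shown with a small simulation. This is an added example and is not code from Comodo or from anyone in this thread; the class names, the file paths and the file contents are all constructed for illustration, and SHA-256 stands in for whatever hash CIS actually uses.

```python
"""Added example: path-based vs hash-based trust lists.

Not Comodo code. The 'files' below are constructed byte strings, not real
binaries, and the paths are made up for the scenario.
"""
import hashlib

# Constructed sample file contents: a clean file and the same file after
# something has been appended to it (the "infected/corrupted" case).
CLEAN_BYTES = b"MZ\x90\x00 clean installer payload v1"
INFECTED_BYTES = CLEAN_BYTES + b"\x00 appended foreign code"


def sha256_hex(data: bytes) -> str:
    """Hex digest of the file bytes; this is the identity a hash list keys on."""
    return hashlib.sha256(data).hexdigest()


class PathTrustList:
    """Pre-v5 style trust as described in the thread: keyed on location+name only.

    Windows paths are case-insensitive, so the key is lower-cased.
    """

    def __init__(self) -> None:
        self._paths: set[str] = set()

    def trust(self, path: str, content: bytes) -> None:
        self._paths.add(path.lower())  # content is ignored entirely

    def is_trusted(self, path: str, content: bytes) -> bool:
        return path.lower() in self._paths


class HashTrustList:
    """v5 style trust: keyed on the hash of the bytes, so any modification
    of the file produces a different key and the trust entry no longer matches."""

    def __init__(self) -> None:
        self._hashes: set[str] = set()

    def trust(self, path: str, content: bytes) -> None:
        self._hashes.add(sha256_hex(content))  # path is irrelevant

    def is_trusted(self, path: str, content: bytes) -> bool:
        return sha256_hex(content) in self._hashes


def run_scenario() -> dict:
    """Trust a clean file under each model, then probe three situations:
    the clean file in place, the infected file in place (same path), and
    the clean file copied to another location."""
    path = r"C:\Program Files\Example\setup.exe"      # constructed path
    moved = r"C:\Users\alice\Downloads\setup.exe"      # constructed path
    results = {}
    for name, tl in (("path", PathTrustList()), ("hash", HashTrustList())):
        tl.trust(path, CLEAN_BYTES)
        results[name] = {
            "clean_in_place": tl.is_trusted(path, CLEAN_BYTES),
            "infected_in_place": tl.is_trusted(path, INFECTED_BYTES),
            "clean_copied_elsewhere": tl.is_trusted(moved, CLEAN_BYTES),
        }
    return results


if __name__ == "__main__":
    for model, outcome in run_scenario().items():
        print(model, outcome)
```

The path model keeps trusting `setup.exe` after its bytes have changed, which is exactly the infection case raised above; the hash model stops trusting it the moment the bytes differ, and, as a side effect, keeps trusting an unmodified copy wherever it is placed.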
See this F-Secure article…
As nice as that article is… well… the images are virtually useless, as they don't really provide any real or sufficient information on the signing of the executable. So asking whether we trust them is a moot point, as we have nothing to go on except whether it has been revoked or not (in the second image's case, at least). F-Secure should have done a better job with this article: give us images of each tab, then let people test their skills or knowledge.
Signing is easily broken and can be modified far too easily to trust in an offline environment… you really need to check it against a copy on a server to improve its trustworthiness, so we can feel safer knowing it hasn't been tampered with or anything. But I say this in a simple context, as signing really needs to be improved, full stop.
Personally, the safest way is to check hashes (SHA-1 and up) on all files run, but there is a problem with that. Calculating hashes takes waaay longer than it does to check a certificate. There are two options that I see coming down the line: one, someone comes up with a certificate that is impossible or virtually impossible to break, and two, someone comes up with a way to calculate long hashes at least 10 times faster than it can be done now. Now, hash calculations can be done faster on a faster PC. Maybe in the future Windows and AV vendors can work together. That is, Windows starts keeping a list of hashes that is active all the time and updated based on what software is on the computer, so it has a hash number for every file on the PC. Then all the AV company has to do is go to that list and look it up; it would be much faster than having the AV do the calculations every time.