
If I sign an executable with an authenticode certificate will any A/V stop flagging it as a virus?

Marsh

1 Answer


Authenticode will most likely help to bypass a human check, as the victim has more chance to accept the execution of an application flagged as coming from a reputable source.

Anti-viruses themselves, while they may take this into account, rely on multiple criteria to detect malware, and Authenticode will at most be only one criterion among the others.

What an anti-virus does is calculate a score based on these multiple criteria (executable file content, behavior, etc.). It is possible that a piece of software gets a bonus point when it is certified, but if on the other side its behavior is considered malicious, it will get flagged as malware anyway.

Microsoft gives a few high-level details on how they use Authenticode in their own security suite, Microsoft Security Essentials (emphasis is mine):

When Microsoft Security Essentials first encounters a file, it performs a malware scan using all the technologies it needs to determine if the file is malicious. If the file is not malicious (which is hopefully the case), there's a background check that happens later, using idle cycles to see if the file's Authenticode signature or hash matches an internal list of trusted publishers and known clean files. If the file is on the list, it will be skipped in future scans, either on access or on demand.

Next, Microsoft Security Essentials uses its internal reputation lists to control what information on unknown files it sends back to Microsoft, or what files it may ask users to submit to Microsoft for further analysis. Under the hood is a sophisticated runtime behavior-monitoring system, which looks for software acting suspiciously, like modifying an autorun.inf file to AutoPlay. [...] Because of the need for speed and the fact that legitimate software will sometimes share behaviors with malware, that system will use the reputation lists to bypass files based on reputation.

Authenticode signing is key because it aggregates reputation for all your files, and applies your reputation to brand new files as well. [...] Authenticode signing doesn't explicitly say anything about the safety of the signed code, as we in the MMPC know well, but it's invaluable for determining reputation and separating legitimate code from known publishers from potentially dangerous code.

According to this post, in their case they act in three steps:

  • First check the file content and behavior using traditional AV means.
  • If nothing suspicious has been found, allow the file for now and schedule a check of the Authenticode signature for later.
  • If the Authenticode check reveals that the file has been signed by a trusted source (the post doesn't explain what is considered a "trusted" source, and I guess Microsoft will not reveal the exact criteria to prevent abuse), Microsoft Security Essentials completely stops checking this file and allows it on a systematic basis.

This related question has interesting answers regarding how anti-virus software works: How do antiviruses scan for thousands of malware signatures in a short time?, and this other question deals with the other side of the story: Techniques for Anti Virus evasion.

WhiteWinterWolf
  • This is kind of what I've been hearing. It may, could, possibly, maybe help. So I'm guessing it depends on the A/V whether it will certainly work, does that sound about right? – Marsh Jul 18 '17 at 17:41
  • @Marsh: Yes, each AV has its own secret recipes to detect malware, and what works against one may not work against another (hence the value of knowing the exact antivirus software used by the target when AV evasion is needed). Nevertheless, I've updated my answer with more details on how Microsoft uses Authenticode in their own *Microsoft Security Essentials* software. – WhiteWinterWolf Jul 19 '17 at 09:07
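As an added example (not part of the answer or of Microsoft's product), here is a defender-side approximation of the reputation check the answer describes: a file is skipped only if its signature chain is valid and the signer is on a trusted-publisher list, or its hash is on a known-clean list; everything else stays subject to content and behaviour analysis. The thumbprint and hash allowlists are constructed placeholders, not real values.

```powershell
# Added example, not the original answer's code. Approximates the three-step
# reputation triage described above using built-in cmdlets only.
param(
    [Parameter(Mandatory)] [string] $Path
)

# Constructed placeholder allowlists; a real deployment maintains these centrally.
$TrustedPublisherThumbprints = @('0000000000000000000000000000000000000000')
$KnownCleanSha256            = @('0000000000000000000000000000000000000000000000000000000000000000')

# Step 1 input: the file's Authenticode verdict and its SHA-256 hash.
$sig  = Get-AuthenticodeSignature -FilePath $Path
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

# A valid chain alone is not reputation: the signer must also be a listed publisher.
# SignerCertificate is $null for unsigned files, so the thumbprint test simply fails.
$signerTrusted  = ($sig.Status -eq 'Valid') -and
                  ($sig.SignerCertificate.Thumbprint -in $TrustedPublisherThumbprints)
$hashKnownClean = $hash -in $KnownCleanSha256

[pscustomobject]@{
    Path            = $Path
    SignatureStatus = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
    Signer          = $sig.SignerCertificate.Subject
    SHA256          = $hash
    SignerTrusted   = $signerTrusted
    HashKnownClean  = $hashKnownClean
    # Only an allowlist match earns the "skip future scans" status the post describes;
    # a merely signed file gets no exemption from content and behaviour checks.
    SkipFutureScans = ($signerTrusted -or $hashKnownClean)
}
```

Run it as `.\Check-Reputation.ps1 -Path C:\path\to\file.exe` (script name assumed); a signed file whose publisher is not on the list shows `SignatureStatus = Valid` but `SkipFutureScans = False`, which is the point the answer makes.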