MaxBlitzer, User (Posts: 63)
Oct 24, 2018 2:55:26 pm EDT
Conrad, Support (Posts: 2691)
Oct 24, 2018 3:30:33 pm EDT
MaxBlitzer, User (Posts: 63)
Oct 24, 2018 3:56:04 pm EDT
Was the Microsoft response an automated one (I'm sure) or possibly a human? Could you ask them about what impact an EV signed certificate does on AV scans? Because I don't see that as an automatic whitelist for AV vendors, just an additional safety check that the .exe you have is from the people you expected it from before executing it (ie, from Microsoft, not Micros0ft). If it was an automatic whitelist, then the cost to mass malware infections would be very cheap. Legit developers signed certs get stolen all the time and we find out days, weeks or months later something malicious got slipped in without someone knowing. An AV vendor that trusted a file on EV alone would be swiss cheese and not something people would really want to install.Conrad wrote:
Hello Max,
Just as I was writing this answer Microsoft informed us that they removed the detection and that one should update their definition files.
I perfectly understand what you say and agree completely. Unfortunately, there is little we can do because the antivirus software industry is in dismal state. How else can we characterize them if they cannot even distinguish a digitally signed file from an unsigned trojan-loaded one?
Just think about it - a file signed with an EV Code Signing Certificate coming from a legit developer gets detected as a trojan :) Well, of course not all a/v software is that bad though, but some are.
And there is this VirusTotal, which is another sad story. For almost three years we have been trying to convince them that not all antivirus software are created equal and that they should take a closer look at the quality of the a/v engines they use. Yet, they keep presenting their scan results alphabetically and in red type (even the relatively benign detections). So the never-responding-to-false-positive-requests Chinese antivirus by the name "AntiyAVL" (without VirusTotal you wouldn't even know that it exists) always gets at the top of the list with their bold red warning that Remote Utilities is unsafe :)
Conrad, Support (Posts: 2691)
Oct 24, 2018 4:18:40 pm EDT
This is the usual response that they send when they white list a file. But looks like a template, of course.Was the Microsoft response an automated one (I'm sure) or possibly a human?
It's not only a digital signature. We are also a registered developer with Microsoft.Because I don't see that as an automatic whitelist for AV vendors, just an additional safety check that the .exe you have is from the people you expected it from before executing it (ie, from Microsoft, not Micros0ft).
A compromised signature can get black listed within minutes. And Microsoft's SmartScreen as well as antivirus software are not supposed to let the files signed with such a signature run. Sure, there are must be other detection factors as well, I agree with that. But we still think that digital signatures are a bit underestimated.Legit developers signed certs get stolen all the time and we find out days, weeks or months later something malicious got slipped in without someone knowing.
But yeah, the big 6-10 vendors that will be installed by your customer base is main priority. I know from reading bleepingcomputer forums over the years, people tend to ignore the really obscure VirusTotal AV engines, but if one or more of the main vendors detects something, there is probably something to it.
* Website time zone: America/New_York (UTC -4)