Can digitally signed files be malware?

Article ID: 159120

Products

Endpoint Protection

Issue/Introduction

While investigating an infection, the SymDiag diagnostic Threat Analysis Scan (load point analysis) indicates that a certain file may be suspicious.  However, this is a file which has been digitally signed with a certificate.

Can it be assumed from the digital signature that this file is innocent?

Resolution

The presence of a digital signature is not a guarantee that any file is safe!  Symantec has antivirus detections for many signed files.  

The presence of a digital signature is typically a good sign: the file can usually be verified to have come from a particular source.  However, there have been numerous cases where outright malware has been digitally signed.  Some of these have been signed with stolen certificates, or with self-signed digital certificates that fail verification checks against a certificate authority.
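Because a signature can be stolen, self-signed, or simply present on a file that is still unwanted, the useful question during triage is not "is it signed?" but "does the signature verify, and to what?". The following PowerShell function is an added example for this article, not Symantec's own tooling or code; it assumes a Windows host with Windows PowerShell 5.1 or later and a file path supplied by the investigator. It reports the Authenticode status, the signer, whether the certificate is self-signed, and whether the chain builds with online revocation checking, and it only reports the signature as verified when the Authenticode status is Valid and nothing in the chain is revoked.

```powershell
# Added example (not from the original article): triage a signed file rather than
# trusting the mere presence of a signature. Assumes Windows PowerShell 5.1+.
function Test-SignedFileTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        Path              = $Path
        Status            = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        StatusMessage     = $sig.StatusMessage
        Signer            = $null
        Issuer            = $null
        Thumbprint        = $null
        SelfSigned        = $false
        ChainBuilt        = $false
        ChainErrors       = @()
        SignatureVerified = $false
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer     = $cert.Subject
        $result.Issuer     = $cert.Issuer
        $result.Thumbprint = $cert.Thumbprint
        # A self-signed code-signing certificate will not chain to a CA; the article
        # notes that such signatures fail verification checks.
        $result.SelfSigned = ($cert.Subject -eq $cert.Issuer)

        # Rebuild the chain with online revocation checking so a certificate that has
        # since been revoked (for example after it was stolen) is surfaced explicitly.
        # Note: a timestamped signature whose certificate has expired may report
        # NotTimeValid here while Authenticode still treats the signature as Valid.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $result.ChainBuilt  = $chain.Build($cert)
        $result.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    }

    # "Verified" means the Authenticode status is Valid and no certificate in the chain
    # is revoked. Even a verified signature only tells you who signed the file; it does
    # not tell you the file is safe, which is exactly the point of this article.
    $revoked = $result.ChainErrors -contains 'Revoked'
    $result.SignatureVerified = ($sig.Status -eq 'Valid') -and (-not $revoked)

    [pscustomobject]$result
}

# Usage (path is a placeholder, replace with the file flagged by the scan):
# Test-SignedFileTrust -Path 'C:\path\to\suspicious.exe' | Format-List
```

Read the output as input to triage, not as a verdict: a Status of NotSigned or HashMismatch, a self-signed signer, or a Revoked chain error are strong reasons to keep treating the file as suspicious, while a verified signature from a known vendor only narrows the question to whether that vendor's product is wanted in your environment.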

It is also common for some greyware (Potentially Unwanted Applications) vendors to digitally sign their products.  These files can be confirmed to have come from their vendors; it is just that the applications are typically potentially unwanted products of limited benefit, especially in an Enterprise environment.

All About Grayware
https://www-secure.symantec.com/connect/articles/all-about-grayware

Symantec will detect these digitally-signed grayware .exe files and .dll files if they are submitted to Security Response for analysis and found to meet our criteria. SEP security administrators can choose how SEP will react to PUAs (detect/log/ignore).

While digitally signing files helps confirm a file's provenance, legitimate software vendors who digitally sign their files may still see Reputation-based detections (detection for new or unknown files, or files with poor Reputation) against their products.  If this occurs, the vendors may wish to participate in Symantec's Whitelisting program, where the software is examined by Symantec to confirm its safety prior to its public release.

Adding software to the Symantec Whitelist
http://www.symantec.com/docs/TECH132220

An interesting online resource compiled by researchers, http://signedmalware.org/, lists compromised code signing certificates.