Add more signatures (as SigCheck does) to get fewer events

Hello

On a first launch and in Paranoid mode, we get a lot of events, mostly for Windows executable files.

I noticed that all C:\Windows\System32 executable files are flagged as non-signed. For example AgentService.exe.
It is interesting to note that although these files are seen by File Explorer as non-signed, the Microsoft (Sysinternals) tool SigCheck says they are signed.

I tend to trust SigCheck.
If you do too, it would be interesting for your software to check file signatures the same way.
That should reduce the feeling of insecurity from being forced to approve hundreds of non-signed system files.

Unfortunately, it seems the source code of SigCheck has never been published, so I don’t know what makes the difference between this tool and the File Explorer.

Frankly, having to validate hundreds of non-signed files totally defeats the concept of manual evaluation.
How do I know if these files are safe? After a moment, I tend to automatically say Yes to everything.
This is a major problem for such security tools.

This sounds like a bug. Could you provide some screenshots here or to our helpdesk, or to my name here privately? Please include the hash in the screenshot if possible. I am not seeing this myself, and I am not seeing it reported.

Hi Carl

The requested information with two examples:

  • SHA512 of sigcheck64.exe v2.90:
    5e18de499382d4aa40792c2372c606bb1e10439fb9bc64bb3b7fc13555c3bce6d6ef5bdb55ab29edd0c4d4b5ad73875f1a352b0d9a027bf7ce2fbd9820685c42

  • SHA512 of AgentService.exe (Windows 11 64-bit Prof. French 23H2 build 22631.3737):
    70166f5aeff82f2b3aa77942c24e2ecbdfbc95c0b34337171a23e4c7b99ac2aa7a4703aa4e76a25335ca81c72142290d15c6cdeb6c1bcc21408f2d087ab2e265

    • SHA256: 2cc3956e207922c116541c64152cf6257f0e95db1787dedb12ab5cd77a67ee6d
    • virus total report: VirusTotal
  • SHA512 of C:\Windows\System32\control.exe :
    f480eb8c1a328311fd2e24ea6aff5723f11b9be1017b5d84edb848c09ef5201c35ac7d873073da7bec2e036cc89c8de26ae7608b2f7052970d516e23768a9964

    • VirusTotal
      • “File distributed by Microsoft”
      • “File is not signed”.
    • SigCheck on c:\windows\system32\control.exe:
      Verified: Signed
      Signing date: 23h38 2023-12-03
      Publisher: Microsoft Windows
      Company: Microsoft Corporation
      Description: Windows Control Panel
      Product: Microsoft® Windows® Operating System
      Prod version: 10.0.22621.1
      File version: 10.0.22621.1 (WinBuild.160101.0800)
      MachineType: 64-bit

I downloaded SigCheck from the MS website, latest version 2.90.

(two images follow)

Chris

AgentService has no digital signature along to SigCheck

In short, neither SpyShelter, VirusTotal nor File Explorer sees any digital signature on these files.
Neither detects any malware.
But SigCheck sees them as signed.


A different case I have just seen: Office installer seen as signed by File Explorer but not by SpyShelter

SHA256:
06d27515262cf6e0564ecf392a2b55eccc215cb1bec2d56e60772cc3077086fd

@Chris61864

Is this a public download we can access? It would be great if we can get the installer. Thank you for your details to help us investigate this issue.

We were able to find the issue. A fix will be out in the next update. Thanks for your detailed report to help us find this problem.


Thank you for your quick reaction.
Have a nice day.