Code Signing
Code signing provides a degree of assurance that a binary originates from the developer who signed it and a guarantee that the binary has not been tampered with since signing. However, adversaries are known to use code signing certificates to make malware and tools look like legitimate binaries. The certificates used during an operation may be created, forged, or stolen by the adversary. Code signing certificates may also be used to bypass security policies that require signed code to execute on a system. You can read more about this attacker technique and review an extensive list of examples at https://attack.mitre.org/wiki/Technique/T1116.
The Veramine platform associates the software publisher and code signing certificate metadata with all processes and binaries it tracks. Several of the detection algorithms treat signed code as more trustworthy than unsigned code. However, we also allow users to decide the level of trust each company should be afforded. The Veramine sensor uploads a copy of each binary loaded by any process, and those binaries are presented in the Veramine portal categorized by the company that signed the binary. Within this "Binaries" view, each customer can make their own trust decisions to a certain extent. Some companies are "Globally Trusted" due to our assessment of their security practices in protecting their code signing infrastructure. Other companies can be chosen to be trusted by the customer. Doing so provides clues to the Veramine detection engine and reduces the occurrence of false positive detections, particularly in the case of anti-malware software. We always recommend that customers choose to trust their anti-malware vendor via the Binaries interface to reduce the number of alerts from suspicious-looking behavior that is common in the anti-malware industry.
Here is an example screenshot from the Binaries interface:

In this screenshot, you can see that the following companies are "Globally Trusted": Microsoft, Google, VMWare, Mozilla. A subset of Veramine detection algorithms will assign a lesser severity when triaging events initiated by software signed by these trusted publishers, except in cases of process injection. If an attacker were able to sign malicious code using a code signing certificate issued by a trusted root to one of those companies, we would likewise not apply some of our algorithms. We believe this to be an unlikely case and thus treat these companies as "Globally Trusted".
This screenshot also shows two companies marked as Trusted for only this Veramine customer and no others: Dropbox and Pingman Tools. Finally, two companies in this screenshot are marked as Untrusted: Cisco WebEx and Amazon Services. Software from these companies is treated as more trusted than unsigned software, but not as trusted as either a company that has been explicitly marked as trusted by the customer (such as Dropbox) or any of the companies designated as "Globally Trusted" by Veramine.
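The trust ordering and the process-injection exception described above, expressed as a small triage policy. This is an added illustration and not Veramine's own code; the publisher names come from the screenshot discussion, while the severity scale, the size of the "lesser severity" step, and the handling of signed publishers the customer has not classified either way are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Optional


class Tier(IntEnum):
    """Trust tiers ordered least to most trusted, as described on this page."""
    UNSIGNED = 0
    SIGNED_UNTRUSTED = 1   # signed, but publisher is marked Untrusted (or unlisted: assumption)
    CUSTOMER_TRUSTED = 2   # marked Trusted by this customer only
    GLOBALLY_TRUSTED = 3   # trusted by Veramine for all customers


# Publishers shown as "Globally Trusted" in the screenshot discussed above.
GLOBALLY_TRUSTED = frozenset({"Microsoft", "Google", "VMWare", "Mozilla"})

# Assumed severity scale; "lesser severity" is modelled as one step down.
SEVERITIES = ["low", "medium", "high", "critical"]


@dataclass(frozen=True)
class TrustPolicy:
    customer_trusted: FrozenSet[str]
    customer_untrusted: FrozenSet[str]

    def tier(self, signer: Optional[str]) -> Tier:
        """Map a binary's signing publisher (None = unsigned) to a trust tier."""
        if signer is None:
            return Tier.UNSIGNED
        if signer in GLOBALLY_TRUSTED:
            return Tier.GLOBALLY_TRUSTED
        if signer in self.customer_trusted:
            return Tier.CUSTOMER_TRUSTED
        # Explicitly Untrusted publishers rank above unsigned code but below any
        # trusted tier. Assumption: publishers the customer has not classified at
        # all are treated the same way rather than being trusted by default.
        return Tier.SIGNED_UNTRUSTED


def triage(policy: TrustPolicy, signer: Optional[str],
           event_type: str, base_severity: str) -> str:
    """Return the severity to assign after applying the signer's trust tier."""
    tier = policy.tier(signer)
    # Process injection never receives the signed-code discount, and neither
    # does software that is untrusted or unsigned.
    if event_type == "process_injection" or tier < Tier.CUSTOMER_TRUSTED:
        return base_severity
    idx = SEVERITIES.index(base_severity)
    return SEVERITIES[max(idx - 1, 0)]
```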