Ways Antivirus companies could prevent a false positive catastrophe



I was sitting here thinking of ways an AV company could prevent a false positive catastrophe.

 

If a virus patches a legit system file, the file's digital signature becomes invalid. Why couldn't an AV leave any file that has a valid digital signature by Microsoft alone? Couldn't an AV also compare the SHA-256 hash of a critical Windows system file that hasn't been signed by Microsoft to a hash in a database of legit system file hashes?

 

It would check it via the cloud in the event its definition file gave the order to nuke a Windows system file.

 

Just a few thoughts.


If a virus patches a legit system file, does the file remain signed by Microsoft?

 

Good question! If a file signed by Microsoft is altered in any way, does it keep a valid signature? Anyone know?


I was sitting here thinking of ways an AV company could prevent a false positive catastrophe.

 

If a virus patches a legit system file, does the file remain signed by Microsoft? If not, why couldn't an AV leave any file that is signed by Microsoft alone? If an infected system file does remain signed, could the AV compare its SHA-1 hash to that in a database of system file hashes, which it would check via the cloud before it nukes a Windows system file? It would use that hash not in its scanner, but as a double checker as it gets ready to nuke it. Sort of a false positive detector.

 

Just a few thoughts.

Why would it matter? With Windows 7 and 8/8.1 you can't just go into system32 and delete most random files without manually taking ownership of them. They're usually marked read/execute only to anything below SYSTEM / TrustedInstaller. Granted, not all files have those permissions, but it would be far easier (for MS) to mark them all as such.

On top of that, not every file is digitally signed; only about 600 are, out of a couple thousand or so.


I don't think they do, as that would defeat the purpose of a signed file. Couldn't you simply open up a signed MS file with a hex editor and flip a bit to see?

 

I just did. I changed some hex values in explorer.exe (made a copy to the desktop, of course ;) ) from 00 to FF, saved it, and it's still signed :\

 

Am I missing something?


I just did. I changed some hex values in explorer.exe (made a copy to the desktop, of course ;) ) from 00 to FF, saved it, and it's still signed :\

 

Am I missing something?

 

Correct. Now do an MD5 or SHA-1 hash comparison between the two.

 

http://www.nirsoft.net/utils/hash_my_files.html

 

SHA-1 = 9629AB77336DE0A153619568BAD87EF8E2AB7167 ?


Instead of treating the symptom, treat the root cause: run each AV update on a set of VMs and release only if all tests are successful.

 

And SHA-256 should be used if we are going to go down the road of hash comparisons...


SHA-1

 

Original: 1a33a4201fc1b93c2f595654067f8b82b7a7288a

 

Modified: 2e2c4c804006c3029444eb4680076b0542e4fb44

 

Which version of Windows was that explorer from?

 

Instead of treating the symptom, treat the root cause: run each AV update on a set of VMs and release only if all tests are successful.

 

And SHA-256 should be used if we are going to go down the road of hash comparisons...

 

Correct. I'm just saying the only time it would be used is as a triple check in the event it wants to delete a system file.


Which version of Windows was that explorer from?

 

Windows 8.1 64bit EN Pro. (Explorer Modified by update 29? October? 2014)


Windows 8.1 64bit EN Pro. (Explorer Modified by update 29? October? 2014)

 

Have you done the latest updates?

 

Mine shows a modified date of March 10th at 12:03pm, which is when I did Windows Update.


Have you done the latest updates?

 

Mine shows a modified date of March 10th at 12:03pm, which is when I did Windows Update.

 

Nope on this machine I haven't run Windows Update this week :)


It's too bad Microsoft doesn't have a hash server that has hashes for every version of every system file.

 

I'm pretty sure if this sort of thing was in place, the recent Panda catastrophe, or the one where McAfee bricked millions of installs years back, wouldn't have happened. Or at least more people could have run the tool, because their systems would have actually been able to boot.

 

When Panda went to delete one of the Windows system files that its new definition update told it to, it would have said to itself:

 

"Before I delete this critical Windows system file, let me be really, really sure by checking its hash against the hash of a clean version to see if this file isn't actually a safe file." (it checks) "Oops ... this file is actually safe and legit after all" ... and it doesn't delete it.

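The "double check before you delete a Windows system file" gate proposed above, written out as an added PowerShell example. It is not code from any AV product or from anyone in this thread. Test-SafeToQuarantine is a name chosen here; the known-good hash list is a constructed placeholder, because no Microsoft hash server exists and a vendor would have to maintain one per file version. It assumes PowerShell 4 or later (Windows 8.1) so that Get-FileHash exists and Get-AuthenticodeSignature also resolves catalog-signed files. One caveat a practitioner would add: a valid Microsoft signature proves who published the exact bytes on disk, not that the detection was wrong in general, so this gate only suppresses deletion of OS files, which is precisely the Panda and McAfee failure mode being discussed.

```powershell
# Added example (not from the thread or any AV product): a false-positive brake that runs
# only when a scanner is about to delete a file under the Windows directory.
# Assumes PowerShell 4+ (Windows 8.1): Get-FileHash and catalog-aware Get-AuthenticodeSignature.
function Test-SafeToQuarantine {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Constructed placeholder: SHA-256 hashes of known-clean versions of the file.
        # A real product would fetch these from a vendor-maintained list per file version.
        [string[]]$KnownGoodSha256 = @()
    )
    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # Check 1: the signature must VERIFY, not merely be present. A patched file keeps its
    # embedded signature block but reports HashMismatch; a patched catalog-signed file reports
    # NotSigned because its hash is no longer found in any catalog.
    # IsOSBinary is true for files signed with a Microsoft Windows production certificate.
    $microsoftSigned = ($sig.Status -eq 'Valid') -and
                       ($sig.IsOSBinary -or ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*'))

    # Check 2: fallback for files Microsoft did not sign: compare the SHA-256 to the list.
    $hashKnownGood = $KnownGoodSha256 -contains $hash

    $decision = if ($microsoftSigned) {
        'Keep: valid Microsoft signature, treat the detection as a false positive'
    } elseif ($hashKnownGood) {
        'Keep: SHA-256 matches a known-clean version of this file'
    } elseif ($sig.Status -eq 'HashMismatch') {
        'Quarantine: the file carries a signature that no longer verifies, so it was modified after signing'
    } else {
        'Quarantine: no evidence this is a clean OS file, the detection stands'
    }

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $hash
        SignatureStatus = $sig.Status
        SignatureType   = $sig.SignatureType   # Authenticode (embedded), Catalog, or None
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Decision        = $decision
    }
}

# Usage: an intact svchost.exe should come back "Keep" on an unmodified system.
Test-SafeToQuarantine -Path "$env:SystemRoot\System32\svchost.exe" | Format-List
```

The order of the checks matters: the signature test is free and exact, so it runs first; the hash list only earns its keep for files Microsoft never signed, and only if it is kept current with every patch level, which is the hard part the thread glosses over.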

I just did, I changed explorer.exe (made a copy to desktop of-course ;) ) some hex numbers from 00 to FF, saved and it's still signed :\

 

Am I missing something?

 

Yes: you're checking if a file signature is present, not if it is valid. If you tamper with a signed file, it will remain signed, but the digital signature won't match. Make sure you click "Details" to see if a digital signature is valid or not.

 

[attached screenshot: Valid.jpg]

It's too bad Microsoft doesn't have a hash server that has hashes for every version of every system file.

 

I'm pretty sure if this sort of thing was in place, the recent Panda catastrophe, or the one where McAfee bricked millions of installs years back, wouldn't have happened. Or at least more people could have run the tool, because their systems would have actually been able to boot.

 

When Panda went to delete one of the Windows system files that its new definition update told it to, it would have said to itself:

 

"Before I delete this critical Windows system file, let me be really, really sure by checking its hash against the hash of a clean version to see if this file isn't actually a safe file." (it checks) "Oops ... this file is actually safe and legit after all" ... and it doesn't delete it.

 

 

That is down to cruddy anti-virus programming. All Windows system files are signed and have been since Windows Vista.

 

The strategy for an anti-virus to check for a system file signature is a good one. That is why good anti-virus programs do just that (Kaspersky, for instance).


 

Yes: you're checking if a file signature is present, not if it is valid. If you tamper with a signed file, it will remain signed, but the digital signature won't match. Make sure you click "Details" to see if a digital signature is valid or not.

 

[attached screenshot: Valid.jpg]

 

 

 

That is down to cruddy anti-virus programming. All Windows system files are signed and have been since Windows Vista.

 

The strategy for an anti-virus to check for a system file signature is a good one. That is why good anti-virus programs do just that (Kaspersky, for instance).

 

Yes but as demonstrated above, if you change a bit or patch the file, it's still signed.


Yes but as demonstrated above, if you change a bit or patch the file, it's still signed.

It is signed, but that's semantics: the signature is tampered with, which means the signature doesn't check out, and the system displays it as "signed, signature not valid."

 

If a file is tampered with, the signature doesn't disappear: the file is still signed, but it is a forged signature, if you will. Windows checks if a file is signed; then, if it is, it checks if the signature is valid. If the signature isn't valid, then the file has been tampered with.

 

Digitalfox can check if the signature of his modified explorer.exe is valid by clicking "Details" in the Properties window. I guarantee you it won't be.

 

Windows checks for signature validity in many cases, such as when launching a program as Administrator. If you run the newly modified explorer.exe as Admin, you won't get the regular UAC but the yellow "Signature unknown" warning.

 

EDIT: also of interest is that Microsoft has been signing files since Vista: although some viruses have used valid signatures to "digitally sign" nefarious drivers (often from device drivers makers with a malicious employee or ex-employee), as far as I can tell, the "Microsoft Windows" signature has never been compromised.

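The explorer.exe experiment from earlier in the thread and the "present versus valid" distinction explained in this reply, reproduced as an added PowerShell example (not code posted by anyone here). Test-TamperedCopy is a name chosen for this example, the copy lands in %TEMP% rather than the desktop, and the byte flipped is at offset 0x4E, inside the DOS stub text "This program cannot be run in DOS mode", which is covered by the Authenticode hash and harmless to change. It assumes PowerShell 4 or later (Windows 8.1) so that Get-FileHash exists and SignatureType is reported.

```powershell
# Added example (not from the thread): copy a signed Windows binary, flip one byte, and show
# what changes. The signature block is still in the file afterwards, but it no longer verifies,
# and the SHA-256 differs. Assumes PowerShell 4+ (Windows 8.1); no admin rights needed.
function Test-TamperedCopy {
    param(
        [string]$Source = "$env:SystemRoot\explorer.exe",
        [string]$Copy   = "$env:TEMP\explorer-tampered.exe",
        # 0x4E is in the DOS stub message text: hashed by Authenticode, irrelevant to loading.
        [int]$Offset = 0x4E
    )
    Copy-Item -Path $Source -Destination $Copy -Force

    $before     = Get-AuthenticodeSignature -FilePath $Copy
    $hashBefore = (Get-FileHash -Path $Copy -Algorithm SHA256).Hash

    # Flip one byte in the copy and write it back.
    $bytes = [System.IO.File]::ReadAllBytes($Copy)
    $bytes[$Offset] = $bytes[$Offset] -bxor 0xFF
    [System.IO.File]::WriteAllBytes($Copy, $bytes)

    $after     = Get-AuthenticodeSignature -FilePath $Copy
    $hashAfter = (Get-FileHash -Path $Copy -Algorithm SHA256).Hash

    [pscustomobject]@{
        Signer        = $before.SignerCertificate.Subject
        SignatureType = $before.SignatureType   # Authenticode = embedded block, Catalog = .cat file
        StatusBefore  = $before.Status          # Valid on an unmodified file
        # Embedded signature: HashMismatch (block still present, hash no longer matches).
        # Catalog-signed file: NotSigned (modified hash is not listed in any catalog).
        StatusAfter   = $after.Status
        HashChanged   = ($hashBefore -ne $hashAfter)
        Sha256Before  = $hashBefore
        Sha256After   = $hashAfter
    }
}

Test-TamperedCopy | Format-List
```

This is the same thing the Properties dialog shows under "Details": the Digital Signatures tab lists the signer either way, and only Status tells you whether the bytes still match what Microsoft signed. The same distinction is what a scanner must key on; a file that merely has a signature tab proves nothing.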

That is down to cruddy anti-virus programming. All Windows system files are signed and have been since Windows Vista.

Er no they are not.

Only about 600 of the thousands of files in the Windows and System32 folders are signed, and most of those are drivers, with a few critical files.


Er no they are not.

Only about 600 of the thousands of files in the Windows and System32 folders are signed, and most of those are drivers, with a few critical files.

 

Critical files, yes, including essential DLLs and most programs. This greatly decreases the attack surface. For instance, many viruses love to mimic "svchost.exe", but the real svchost.exe Windows program is signed.

 

Most other system DLL files that aren't signed are considered less essential and are protected by Windows Resource Protection. WRP is tricky to bypass.


Critical files, yes, including essential DLLs and most programs. Many viruses love to mimic themselves as "svchost.exe" for instance, but the Windows program is signed.

 

Most other system DLL files that aren't signed are considered less essential and are protected by Windows Resource Protection. WRP is tricky to bypass.

 

Ya, I just hope the files required for Windows to boot are signed. Because, like you say, if you can get the system booted, then Windows Resource Protection can kick in. As far as signed drivers, I think it was Realtek, or however you spell it, whose certificate got loose one time and people were signing drivers with it.


Ya, I just hope the files required for Windows to boot are signed. Because, like you say, if you can get the system booted, then Windows Resource Protection can kick in. As far as signed drivers, I think it was Realtek, or however you spell it, whose certificate got loose one time and people were signing drivers with it.

Obviously, if a virus has offline access to a system it is somewhat game over. But Microsoft uses a combination of techniques to make offline tampering harder (most essential files are signed, on 64-bit systems drivers must be signed, and Secure Boot on systems that support it).


Critical files, yes, including essential DLLs and most programs. Many viruses love to mimic themselves as "svchost.exe" for instance, but the Windows program is signed.

Yes but you said "all windows files" are digitally signed which is false. The vast vast majority of them aren't signed and have never been signed.

You are right that most other files are protected by permission levels that don't allow anything below system and/or trustedinstaller to modify them. However you can take ownership of a huge number of files and delete / modify them with ease.

 

on 64-bit systems drivers must be signed, and Secure Boot on systems that support it).

Um no they don't.

You can easily disable driver signature verification, and Secure Boot is also easily disabled in the BIOS. MS wanted to make it impossible to disable Secure Boot and boot Windows, but users started complaining that they were trying to lock out Linux, and so MS caved.

There are also other ways around driver signature verification. You can modify the driver, and as long as it is signed, Windows will allow it to install with just a warning that the driver was from an unknown source, asking if you want to proceed. Another way around it is just to buy your own certificate; you can get them for under $200 a year. The driver signing requirement is at best a very poor protection, and really one that causes more annoyances than protection.


Yes but you said "all windows files" are digitally signed which is false. The vast vast majority of them aren't signed and have never been signed.

You are right that most other files are protected by permission levels that don't allow anything below system and/or trustedinstaller to modify them. However you can take ownership of a huge number of files and delete / modify them with ease.

 

I wonder why Microsoft doesn't sign all the files.


Warwagon, I know that this is not necessarily related, but your topic reminds me of this little quote from Microsoft's NGSCB FAQ.

However, the NGSCB architecture does provide features that can be used by an antivirus program to help guarantee that it has not been corrupted. The antivirus software can be grounded in such a way that it can bootstrap itself into a protected execution state, something it cannot do today.

Yes but you said "all windows files" are digitally signed which is false. The vast vast majority of them aren't signed and have never been signed.

You are right that most other files are protected by permission levels that don't allow anything below system and/or trustedinstaller to modify them. However you can take ownership of a huge number of files and delete / modify them with ease.

I stated system files, and that includes DLLs and EXEs, though not all of them. I'm not sure what kind of point you're trying to make. Should I have comprehensively stated "files that are essential to the system, as well as files that are often attacked" to satisfy you?

 

You can, but programmatically taking ownership of files that are owned by TrustedInstaller is not made easy. This would at the very least require Administrator privileges. If a virus gains Administrator privileges, then you have a problem.

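The two disputed points in the last several posts, how many System32 executables are signed and how many are owned by TrustedInstaller, can be measured rather than argued. Below is an added PowerShell example (not code posted in the thread) that surveys a folder and tallies signature type, signature status and owner. Get-SystemFileTrustSummary is a name chosen here. It assumes PowerShell 4 or later (Windows 8.1) so that Get-AuthenticodeSignature reports SignatureType. Note that it separates files with an embedded Authenticode block from files signed through a catalog (.cat) file under System32\catroot; a tool that only looks for an embedded signature block counts only the former, which is one reason the "about 600" figure and "all system files are signed" can both be reported for the same machine.

```powershell
# Added example (not from the thread): count embedded-signed, catalog-signed and unsigned
# executables in a folder, and how many are owned by TrustedInstaller.
# Assumes PowerShell 4+ (Windows 8.1) so that SignatureType is available.
function Get-SystemFileTrustSummary {
    param(
        [string]$Folder = "$env:SystemRoot\System32",
        # 0 = every file; signature checks on thousands of files take a few minutes.
        [int]$Sample = 0
    )
    $files = Get-ChildItem -Path "$Folder\*" -Include *.exe, *.dll -File
    if ($Sample -gt 0) { $files = $files | Select-Object -First $Sample }

    $rows = foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        $owner = 'unknown'
        try { $owner = (Get-Acl -Path $f.FullName).Owner } catch { }
        [pscustomobject]@{
            Name          = $f.Name
            SignatureType = $sig.SignatureType   # Authenticode (embedded), Catalog, or None
            Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Owner         = $owner
        }
    }

    $ti = 'NT SERVICE\TrustedInstaller'
    [pscustomobject]@{
        Files                   = @($rows).Count
        EmbeddedSigned          = @($rows | Where-Object SignatureType -eq 'Authenticode').Count
        CatalogSigned           = @($rows | Where-Object SignatureType -eq 'Catalog').Count
        Unsigned                = @($rows | Where-Object SignatureType -eq 'None').Count
        NotValid                = @($rows | Where-Object Status -ne 'Valid').Count
        OwnedByTrustedInstaller = @($rows | Where-Object Owner -eq $ti).Count
        # Files worth a second look: signature does not verify, or not TrustedInstaller-owned.
        SecondLook              = @($rows | Where-Object { $_.Status -ne 'Valid' -or $_.Owner -ne $ti } |
                                    Select-Object -ExpandProperty Name)
    }
}

# Usage: sample 200 files for a quick run; omit -Sample for the full folder.
Get-SystemFileTrustSummary -Sample 200 | Format-List
```

Running it as a standard user is enough, since reading a signature or an owner needs no special rights; only changing the owner does, which is the point made in the reply above about Administrator privileges.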
