
I have to buy a code-signing certificate, for signing Win32 applications, and I was considering whether to pick an EV one.

The advantages of EV certificates I was able to find are:

  1. Immediate Smartscreen reputation establishment (instead of waiting for 3k downloads? [source] )

  2. Maintenance of Smartscreen reputation across certificate renewals [source] (probably a moot point if point 1 applies anyway)

  3. Option for delivery on a hardware token, often not available for normal certificates

I wonder if they bring other advantages, for example if applications signed with them are more trusted than applications signed with non-EV certificates by antivirus, firewalls and other security applications (they get less blocked, provoke more favourable warnings, etc.).

I restate the case I'm most interested in: are you aware of differences in treatment by some specific antivirus/firewall/security application of applications signed with EV certificates, vs. applications signed with standard certificates?

gbr

2 Answers


Disclosure: I work for an AV vendor.

I wonder if they bring other advantages, for example if applications signed with them are more trusted than applications signed with non-EV certificates by antivirus, firewalls and other security applications

This depends on the vendor making the security application, or their current(*) policy. Both security vendors I have worked for ignored the presence of the certificate when scanning for malware. There are several reasons for this:

  • Just because the code is signed doesn't mean it is not malicious. It only means it has not been modified after it has been signed. For example, a relatively large number of adware applications is signed.

  • Malware writers have used stolen certificates in the past, and thus we cannot be truly sure it was used by the original author. This is why I mentioned "current policy" above, as this could change overnight.

  • Verifying a certificate is a complex and relatively slow process which requires reading the whole file from disk - an expensive operation for a non-SSD storage. It also requires performing some public key cryptography operations which are CPU-intensive. Thus for some large executable files checking the certificate might take longer than scanning the file for malware.

And since we generally don't look at the certificate at all, it doesn't matter whether it is standard or EV.

George Y.
  • Interesting information. So you are saying there is almost zero benefit in a code signing cert as far as anti virus false positives etc go? – rolls Jul 13 '18 at 03:29
  • 1
    Yes, there are almost zero benefits. – George Y. Jul 15 '18 at 02:15
  • This is very embarrassing. I somehow missed this and then completely forgot about it. I remember the chat we had, I think something happened at that time and I was unable to access stackoverflow for several days. I deeply apologize. On the upside, it's not been a year yet :/ . – gbr Oct 04 '18 at 13:20
  • Thank you very much for your contribution. It's very interesting to hear that at least the vendors you worked for ignored the certificates. – gbr Oct 04 '18 at 13:21
  • While it's entirely understandable to not look at the certificates every time you check an executable, though, it would seem quite feasible to do it for the few ones that get detected as dangerous (after such detection). Of course the signature is not a guarantee, but it is a hint that a file could be given *a little* more trust when you're not completely sure that it's malware (e.g. by displaying a less alarmist warning); so, leaving aside the EV aspect, I would be surprised if even the normal certificates were really not used for anything by any security vendor. – gbr Oct 04 '18 at 13:21
  • Hi @GeorgeY., I have an entirely different experience (see my post below). This doesn't mean that you're wrong of course. Many factors can be involved (eg. the Antivirus Software company policies, ...). Can you please have a look at my post and share your opinion? – K.Mulier Jan 08 '21 at 13:44
  • @GeorgeY. Has this changed since you posted your answer, or is this still up to date in 2021? – emkey08 Mar 03 '21 at 09:41
  • Yes and no. As of 2021, some vendors now check the code signing certificates, for example, to detect known adware or PUA. Much more rarely they do so to whitelist known good apps (there are too many certificates). However still no vendor I know gives any extra weight for the certificate being EV. Note that for large hacking groups, not to mention the nation-state actors, getting even an EV certificate is something they can do really easily. – George Y. Mar 17 '21 at 23:58

I have a different experience than @George Y. Our Code Signing EV-Certificate from Sectigo did help to avoid false positives in Norton 360. I don't know about other Antivirus software - to be tested.

Note:
My different experience from @George Y. doesn't imply that he is wrong. The difference can be due to many factors, such as Antivirus Software Company policies, ...
Also, my experience is based on positive results I get today from the code signing. More tests in the future (and experiences from our users) will prove if these positive results were temporary or permanent.

1. Before code signing

Before the code signature, our users got warnings like this:

Even worse, Norton 360 would simply remove a lot of executables and .pyd files automatically - thereby breaking our software completely:

It was a complete disaster.

2. After code signing

Today, I signed our application for the first time with our new EV-Certificate. I signed not only the .exe files, but also the .dll, .so and .pyd files. When signing these files, I first check if they already have a signature, to avoid double signing .dll files from third-party open-source binaries that we include in our build. Here is my Python script that automates this procedure:

import os, subprocess

# 'exefiles' is a Python list of filepaths
# to .exe, .dll, .so and .pyd files. Each
# filepath in this list is an absolute path
# with forward slashes. Fill it in before running.
exefiles = []

def run_signtool(args):
    # Run signtool directly (no shell). Passing an argument list lets
    # subprocess quote paths with spaces, so no manual quoting is needed.
    return subprocess.run(
        ["signtool", *args],
        stdin    = subprocess.DEVNULL,
        stdout   = subprocess.PIPE,
        stderr   = subprocess.PIPE,
        encoding = 'utf-8',
    )

for f in exefiles:
    name = os.path.basename(f)
    # 'signtool verify /pa' exits non-zero when the file carries no valid
    # Authenticode signature; this script treats that as "not yet signed".
    result = run_signtool(["verify", "/pa", f])
    if result.returncode:
        # Verification failed, so the file is not yet signed: sign it with the
        # best certificate in the store (/a) and an RFC 3161 timestamp (/tr).
        result = run_signtool(["sign", "/tr", "http://timestamp.sectigo.com",
                               "/td", "sha256", "/fd", "sha256", "/a", f])
        if result.returncode:
            # Code signing failed!
            print(f"Sign: '{name}' failed")
            print(result.stderr)
        else:
            # Code signing succeeded
            print(f"Sign: '{name}'")
    else:
        # Verification succeeded, so the file was already signed
        print(f"Already signed: '{name}'")

The results are promising so far. Windows SmartScreen no longer generates warnings. Norton 360 neither. I've tried on both my laptop and a desktop with a clean Norton 360 install - both of them trust the application (unlike before the code signature).

Fingers crossed it will stay this way. Let's also hope other Antivirus software will trust our application.

Note:
As of writing this post, our signed application is only available for testers on https://new.embeetle.com
It will be available soon on our public website https://embeetle.com as well - but not yet today.

K.Mulier
  • As I have said right on top of my post, this depends on the software vendor. Have you also tried a non-EV certificate? A vendor may treat signed vs non-signed binaries differently, and care less whether the certificate is EV or not. – George Y. Feb 19 '21 at 00:05
  • @K.Mulier Just to be clear, does your step "1. Before code signing" refer to an exe file without any certificate at all, or did it refer to an exe file with a standard (non-EV) certificate? – emkey08 Mar 03 '21 at 09:32
  • Step 1 refers to an exe file without any certificate at all. Sorry for the confusion. – K.Mulier Mar 05 '21 at 13:36
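Both answers touch on the same low-level fact: finding out whether a PE file carries an Authenticode signature at all (K.Mulier's verify-before-sign step, and George Y.'s point that checking it means reading the image from disk). This added example, not code from either post, parses the PE header and the Attribute Certificate Table directly and only reports whether a PKCS#7 signature blob is embedded, not whether it is valid or who signed it; build_fake_pe is a constructed header stub used as offline sample input.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # bCertificate is PKCS#7 SignedData
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory slot for the cert table

def authenticode_entries(data):
    """Return [(revision, cert_type, blob), ...] from the PE's Attribute
    Certificate Table, or [] when the image has no security directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    opt = pe_off + 24                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32
        num_dirs_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:    # PE32+
        num_dirs_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", data, num_dirs_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return []
    # For the security directory the "VirtualAddress" is a raw file offset.
    table_off, table_size = struct.unpack_from(
        "<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if table_off == 0 or table_size == 0:
        return []
    entries, pos, end = [], table_off, table_off + table_size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append((revision, cert_type, data[pos + 8:pos + length]))
        pos += (length + 7) & ~7                               # 8-byte aligned
    return entries

def is_signed(data):
    """True if at least one embedded PKCS#7 signature is present (not validated)."""
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in authenticode_entries(data))

def build_fake_pe(blob=None):
    """Constructed PE32 header stub (not loadable) with an optional cert table at 0x200."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                    # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44 + 16, 224)                # SizeOfOptionalHeader
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                    # Magic = PE32
    struct.pack_into("<I", img, opt + 92, 16)                  # NumberOfRvaAndSizes
    if blob is not None:
        length = 8 + len(blob)
        padded = (length + 7) & ~7
        entry = struct.pack("<IHH", length, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        struct.pack_into("<II", img, opt + 96 + 8 * 4, 0x200, padded)
        img += entry + b"\0" * (padded - length)
    return bytes(img)
```

Run it on a real binary with `is_signed(open(path, "rb").read())`; a True result still needs signtool or the platform API to validate the chain, which is exactly the costly step the first answer describes.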