
No digital signature on Internet Security installer V7.0.0.18



Using Win XP Pro SP3

 

Earlier today I downloaded the installer for your Internet Security product, from the link on that product's page that's near the foot of the page describing it as the Trial+Full version (ie from download4.emsisoft.com).  I used Firefox V19.0.2 to do the download.  After the file was here I used Windows Explorer -> Properties to 'unblock' it, then scanned it with ESET NOD32 which reported that 'an archive was corrupt'.

 

I cleared Firefox's history, cache etc, and downloaded the file again.   I've not yet scanned the second file with ESET.

 

I read in another post here - http://support.emsisoft.com/topic/10770-cant-install-anti-malware/ - that a downloaded installer should display Emsisoft etc in its digital signature when viewed on the Digital Signatures tab of Windows Explorer's Properties.   Neither of the downloaded files has a Digital Signatures tab when looked at with Windows Explorer.

 

The files are binary identical according to ExamDiffPro and their size is: 262,990,216 bytes.  

 

File hashes (which I calculated using two separate hashing apps, which agree about the answers) are:

 

  MD5:       1AD080C829E1FDA7C510EF299DA291C1


  SHA1:      3C3CAF12A5CA59C2F5F70DEAE1820EEDEBE8B59C


  SHA256:   5857D7F1184611D6BC1CE6817435BA1CC0735EB61AB935ADEE4E6BF28F1D1DCD


  SHA512:   E895E37F8E3832FC6A070A91E8A2F75469E225FBEB675F9E31390E354C091CDB8036013C3189AA072DE624515ACDEF7D8786FF4D43708127CF52B07CB04D0B33  

 

 

 

 

I just tried using IE8 to download the same file.  This time I get a different size:  263,639,648 bytes    but still no digital signature.

 

 

What do I do now?

 


JeremyNicoll,

I just checked the mentioned file from downloadserver 4;

Size 263,639,648 bytes
MD5: F1098B85E34617C34D2B62C3A65E9D06
SHA-256: 78FDC24CD9A7D3D3CBA48D50D19F15A835D14A76CC7648B8630DB940FEB7CAC7

And it's a digitally signed file, signed March 8, 2013.

I've seen a missing digital signature tab on my XP machine in the file properties window a while ago. Well, I didn't see that digital signature tab while it should be there... ;)
When I checked the exact same file (I didn't move it) in Windows 7 the digital signature tab was there.

Some more info about the missing digital signature tab in XP can be found here: http://support.microsoft.com/kb/922225 



 


Thanks for your reply.  Last night I read that KB article (which surprisingly is for XP SP2 - I googled but couldn't find an SP3 version and one might have hoped that SP3 would have fixed it).  It suggests use of a tool named ChkTrust.exe with more info at: http://msdn2.microsoft.com/en-us/library/z045761b.aspx    That page in turn says that the ChkTrust.exe tool is shipped with the .NET framework SDK V1.0 and V1.1 (I doubt very much I have that SDK installed) but says there's another tool - 'signtool.exe' shipped with later versions.  It's described at: http://msdn.microsoft.com/en-us/library/8s9b9yaz.aspx - where it says the tool is installed with Visual Studio, or the Windows SDK.   And by a miracle I do have the Windows SDK installed on one of my machines.  So I experimented just enough to see that I could make that tool run ok.

 

This morning I transferred via a USB stick copies of all three download files, none of which show a digital signature in Windows Explorer, to the machine which has the SDK on it.  Just to remind anyone reading this, that is two copies of the installer downloaded using Firefox V19.0.2, both of size: 262,990,216   and one downloaded using IE8, of size:  263,639,648.

 

I rechecked the hashes of all three copied files against originals on the machine they'd been downloaded on - they were the same.  The two files downloaded by Firefox are identical, as one would hope!  The one downloaded by IE has the size and hashes that you quoted in your reply.  So on the face of it, the file I downloaded with IE is ok.  I used the signtool.exe program - hopefully correctly - and it says that all three files are properly signed and Emsisoft's certificate is in the chain of certificates (if I understand correctly)... so that's good.  But why are the files of different sizes?

 

Well signtool showed a difference between them (apart from size and hash) - these appear to be two different files signed on different days, and yet you presumably think there's only the one original file on your download server.   I'm wondering if I really did download the files from the same server each time - even though the URL mentioned download4 each time.    Or is it possible that one would get a different file depending on whether one downloads with Firefox or IE?

 

Going back to signtool...  the first command I tried was essentially:   signtool verify "my file name"    and that produced an error message:

 

SignTool Error: The signing certificate is not valid for the requested usage.
        This error sometimes means that you are using the wrong verification
        policy. Consider using the /pa option.                               
 

So I then tried /pa, that is: signtool verify /pa "my file name"     which resulted in a one-line "successfully verified" message.   Then I went on to add the /v flag to get verbose output.   Here's what I get for one of the files downloaded by Firefox:

 

C:\Program Files\Microsoft SDKs\Windows\v7.1>signtool verify /pa /v "C:\Documents and Settings\Laptop\My Documents\Downl
oads\20130308 1542 dload on DL650 by FF of EmsisoftInternetSecuritySetup V7-0-0-18.exe"

Verifying: C:\Documents and Settings\Laptop\My Documents\Downloads\20130308 1542 dload on DL650 by FF of EmsisoftInterne
tSecuritySetup V7-0-0-18.exe
Hash of file (sha1): 7C934AB82EB8F4CCEF946438BFFC8C25330A2929

Signing Certificate Chain:
    Issued to: DigiCert High Assurance EV Root CA
    Issued by: DigiCert High Assurance EV Root CA
    Expires:   Mon Nov 10 00:00:00 2031
    SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

        Issued to: DigiCert High Assurance Code Signing CA-1
        Issued by: DigiCert High Assurance EV Root CA
        Expires:   Tue Feb 10 12:00:00 2026
        SHA1 hash: 7F82DC9C382FD176924B6088FB27D8EAF9F7873A

            Issued to: Emsisoft GmbH
            Issued by: DigiCert High Assurance Code Signing CA-1
            Expires:   Tue Jun 16 12:00:00 2015
            SHA1 hash: D3CC33CA288846F50ECAAF7674C7AEE08EFE106B

The signature is timestamped: Thu Mar 07 17:08:45 2013
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Mon Nov 10 00:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert Assured ID CA-1
        Issued by: DigiCert Assured ID Root CA
        Expires:   Wed Nov 10 00:00:00 2021
        SHA1 hash: 19A09B5A36F4DD99727DF783C17A51231A56C117

            Issued to: DigiCert Timestamp Responder
            Issued by: DigiCert Assured ID CA-1
            Expires:   Thu Apr 18 00:00:00 2013
            SHA1 hash: 51AEC7BA27E71A65D36BE1125B6909EE031119AC

Successfully verified: C:\Documents and Settings\Laptop\My Documents\Downloads\20130308 1542 dload on DL650 by FF of Ems
isoftInternetSecuritySetup V7-0-0-18.exe

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

C:\Program Files\Microsoft SDKs\Windows\v7.1>

 

 

and here's the result for the file downloaded by IE:

 

C:\Program Files\Microsoft SDKs\Windows\v7.1>signtool verify /pa /v "C:\Documents and Settings\Laptop\My Documents\Downl
oads\20130308 1828 dload on DL650 by IE of EmsisoftInternetSecuritySetup V7-0-0-18.exe"

Verifying: C:\Documents and Settings\Laptop\My Documents\Downloads\20130308 1828 dload on DL650 by IE of EmsisoftInterne
tSecuritySetup V7-0-0-18.exe
Hash of file (sha1): 657C1B4D6BD7AB5925F7C00FF7740ECDDF6CC4DD

Signing Certificate Chain:
    Issued to: DigiCert High Assurance EV Root CA
    Issued by: DigiCert High Assurance EV Root CA
    Expires:   Mon Nov 10 00:00:00 2031
    SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

        Issued to: DigiCert High Assurance Code Signing CA-1
        Issued by: DigiCert High Assurance EV Root CA
        Expires:   Tue Feb 10 12:00:00 2026
        SHA1 hash: 7F82DC9C382FD176924B6088FB27D8EAF9F7873A

            Issued to: Emsisoft GmbH
            Issued by: DigiCert High Assurance Code Signing CA-1
            Expires:   Tue Jun 16 12:00:00 2015
            SHA1 hash: D3CC33CA288846F50ECAAF7674C7AEE08EFE106B

The signature is timestamped: Fri Mar 08 17:09:54 2013
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Mon Nov 10 00:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert Assured ID CA-1
        Issued by: DigiCert Assured ID Root CA
        Expires:   Wed Nov 10 00:00:00 2021
        SHA1 hash: 19A09B5A36F4DD99727DF783C17A51231A56C117

            Issued to: DigiCert Timestamp Responder
            Issued by: DigiCert Assured ID CA-1
            Expires:   Thu Apr 18 00:00:00 2013
            SHA1 hash: 51AEC7BA27E71A65D36BE1125B6909EE031119AC

Successfully verified: C:\Documents and Settings\Laptop\My Documents\Downloads\20130308 1828 dload on DL650 by IE of Ems
isoftInternetSecuritySetup V7-0-0-18.exe

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

C:\Program Files\Microsoft SDKs\Windows\v7.1>

 

 

 

As you can see these files were signed on different days.  The file downloaded by Firefox had:

 

   The signature is timestamped: Thu Mar 07 17:08:45 2013

 

whereas the one downloaded by IE had:

 

   The signature is timestamped: Fri Mar 08 17:09:54 2013

 

 

 

So... I have two questions:

 

a) why are these different files with different sizes, signed on different dates?

 

b) do I need to pay any attention to the ESET NOD32 scan result (for the first file I downloaded with Firefox):

 

Scan Log
Version of virus signature database: 8095 (20130308)
Date: 08/03/2013  Time: 16:01:51
Scanned disks, folders and files: C:\Documents and Settings\Administrator\My Documents\Downloads\20130308 1542 EmsisoftInternetSecuritySetup V7-0-0-18.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\20130308 1542 EmsisoftInternetSecuritySetup V7-0-0-18.exe » INNO »  - archive damaged
Number of scanned objects: 1746
Number of threats found: 0
Time of completion: 16:05:29  Total scanning time: 218 sec (00:03:38)

 

I don't know what the significance of the "archive damaged" part of that log is.  Does it just mean that some part of the installer couldn't be unpacked by NOD32?

Does the number of scanned objects (which were all ok) match what you'd expect to be in this file?

 

 


 

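The comparison made by eye in the post above, as an added example that is not part of the thread: "Successfully verified" only says the chain is valid, so the check also pins the leaf (most indented) signing certificate and keeps the timestamp chain out of the search. `parse_signtool` and `signed_by` are hypothetical helper names, and the sample output is constructed from the names and thumbprints quoted in the thread, with the chains shortened.

```python
import re

# Constructed sample in the layout of the `signtool verify /pa /v` output
# quoted in this thread (chains shortened; names and thumbprints from the thread).
SAMPLE = """Signing Certificate Chain:
    Issued to: DigiCert High Assurance EV Root CA
    SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

        Issued to: DigiCert High Assurance Code Signing CA-1
        SHA1 hash: 7F82DC9C382FD176924B6088FB27D8EAF9F7873A

            Issued to: Emsisoft GmbH
            SHA1 hash: D3CC33CA288846F50ECAAF7674C7AEE08EFE106B

The signature is timestamped: {ts}
Timestamp Verified by:
            Issued to: DigiCert Timestamp Responder
            SHA1 hash: 51AEC7BA27E71A65D36BE1125B6909EE031119AC

Number of errors: 0
"""

def parse_signtool(text: str) -> dict:
    """Pull the leaf signer, its thumbprint and the timestamp out of the output."""
    # Only the text before the timestamp line is the signing chain; the
    # timestamp responder's chain uses the same indentation and must be ignored.
    signing, _, tail = text.partition("The signature is timestamped:")
    certs = []
    for line in signing.splitlines():
        if m := re.match(r"( *)Issued to: (.+)", line):
            certs.append({"depth": len(m[1]), "subject": m[2].strip(), "sha1": None})
        elif (m := re.match(r" *SHA1 hash: ([0-9A-Fa-f]{40})", line)) and certs:
            certs[-1]["sha1"] = m[1].upper()
    if not certs:
        raise ValueError("no signing certificate chain found")
    leaf = max(certs, key=lambda c: c["depth"])   # most indented = end-entity cert
    errors = re.search(r"Number of errors: (\d+)", text)
    return {"signer": leaf["subject"], "thumbprint": leaf["sha1"],
            "timestamp": tail.split("\n", 1)[0].strip(),
            "errors": int(errors[1]) if errors else None}

def signed_by(text: str, expected_thumbprint: str) -> bool:
    """True only if signtool reported no errors AND the leaf matches the pin."""
    info = parse_signtool(text)
    return info["errors"] == 0 and info["thumbprint"] == expected_thumbprint.upper()
```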

Oh - something else I just noticed.  The signtool output lists near the start a pair of lines like:

 

Verifying: C:\Documents and Settings\Laptop\My Documents\Downloads\20130308 1542 dload on DL650 by FF of EmsisoftInterne
tSecuritySetup V7-0-0-18.exe
Hash of file (sha1): 7C934AB82EB8F4CCEF946438BFFC8C25330A2929

 

and

 

Verifying: C:\Documents and Settings\Laptop\My Documents\Downloads\20130308 1828 dload on DL650 by IE of EmsisoftInterne
tSecuritySetup V7-0-0-18.exe
Hash of file (sha1): 657C1B4D6BD7AB5925F7C00FF7740ECDDF6CC4DD

 

 

These hashes do not match any of those I've seen for the whole files.  Does this matter?  I think what signtool might be saying is that these values are the hashes of the parts of the files which needed to be signed, though the whole file will contain that data plus the signature itself?   If so, then the hashes I created were of the whole file and would therefore of course be different.  Would that be right?

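On the hash question in the post above, an added example (not from the thread and not Microsoft's code): the Authenticode digest of a PE file skips the CheckSum field, the certificate-table directory entry and the signature blob itself, so it does not match a hash taken over the whole file. `authenticode_digest`, `build_sample` and `compare` are hypothetical names, the PE skeleton is constructed, and the code assumes the signature is the last thing in the file.

```python
import hashlib
import struct

def authenticode_digest(pe: bytes, algo: str = "sha1") -> str:
    """Hash a PE file the way Authenticode does, skipping the three regions
    that change when a signature is attached. Assumes the certificate table
    sits at the end of the file, the usual layout for a signed installer."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]        # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe_off + 24                                     # after PE sig + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 / PE32+
    checksum = opt + 64                                   # 4-byte CheckSum field
    cert_entry = dirs + 4 * 8                             # data directory #4
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_entry)
    end = cert_off if cert_size else len(pe)              # stop before the signature
    h = hashlib.new(algo)
    for chunk in (pe[:checksum], pe[checksum + 4:cert_entry], pe[cert_entry + 8:end]):
        h.update(chunk)
    return h.hexdigest().upper()

def build_sample(signature: bytes, checksum: int = 0) -> bytes:
    """Constructed PE32 skeleton (not a runnable program) for the demo."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)       # e_lfanew = 64
    opt = bytearray(96 + 16 * 8)                          # fields + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    body = b"constructed installer payload...".ljust(64, b"\0")
    head_len = len(dos) + 4 + 20 + len(opt)               # DOS + PE sig + COFF + opt
    if signature:                                         # point entry #4 at the blob
        struct.pack_into("<II", opt, 96 + 4 * 8, head_len + len(body), len(signature))
    return dos + b"PE\0\0" + bytes(20) + bytes(opt) + body + signature

def compare(a: bytes, b: bytes) -> dict:
    """Whole-file hashes vs. Authenticode digests for two builds."""
    return {"file_hash_equal": hashlib.sha1(a).digest() == hashlib.sha1(b).digest(),
            "authenticode_equal": authenticode_digest(a) == authenticode_digest(b)}

if __name__ == "__main__":
    unsigned = build_sample(b"")
    signed = build_sample(b"CONSTRUCTED-SIGNATURE-BLOB", checksum=0x1234)
    print(compare(unsigned, signed))
```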

JeremyNicoll,

The setup files for Emsisoft Anti-Malware and Internet Security are replaced with newer ones every day. This way the setup files contain the latest malware signatures. With Firefox you got the setup from March 7, with IE you got the setup file from March 8.
In 4 or 4,5 hours the March 9 setup file is on the downloadservers.

When the digital signature is valid, the file is original. No idea why NOD32 detects a damaged archive.
Try Sigcheck from Mark Russinovich (Microsoft). That tool shows all you need to know.



The Emsisoft Internet Security Pack setup file contains the Emsisoft Anti-Malware installer and the Online Armor installer. If you don't trust the EISP setup file because XP doesn't show the digital signatures tab for this file, you can always download and install Emsisoft Anti-Malware and Online Armor separately. Those files are smaller and XP should show the digital signatures tab for these files on your system.


Ah, I see.  I didn't realise the installer had malware signatures inside it.  Now it makes perfect sense.  I was in any case just being careful; the ESET NOD32 'damage' message had made me wonder if I'd not received a complete download.  Later getting different sized files, I wasn't so much failing to trust Emsisoft (after all if I don't trust you I shouldn't plan to use your products); it was more that I was wondering if I had a problem with Firefox.

 

As for digital signing, this is the first product I've ever downloaded where I've looked at a digital signature, though I have for years checked MD5 or SHA-nnn hashes wherever a website has provided them.  Indeed I had been going to ask why your site didn't list them.  I presume though that digital signatures make that unnecessary?   It might be a good idea (if that's the case) if the website was updated to tell downloaders that they should check the digital signature on any file they download to be certain they've got a complete and non-corrupt file.

 

I've downloaded and run SigCheck too; for anyone who doesn't want to install the MS Windows SDK or Visual Studio to get SignTool.exe, this is clearly a simple and easy alternative.

 

Thank-you for your help.


Thanks; I've been using NirSoft's HashMyFiles - http://www.nirsoft.net/utils/hash_my_files.html - for one-off checks; one neat feature there is that once a set of files have been hashed if one copies a hash literal string (eg from a website page) into the clipboard the app will automatically highlight any of the displayed file hashes that match that value.   You don't have to paste the hex string into a field in the app for that to be done.    The app I use for file searching also has a facility to hash each file it looks at.  One can save that information easily, and also search for files with specific hashes.  Indeed one could search for files with a partial hash eg "23A9" occurring in their hash value - though goodness knows why one would want to!  


Ok, as long as you know an easy tool to use for the hashes it's good.

I'm pretty sure when you download another signed file the same size or bigger than the EISP setup file, you won't see the digital signatures tab in XP either. It's just a weird XP bug that solved itself on my XP test system. 
