a2trust.dat & a2wl.dat files question

[Nick 10]

Hello,

Could you please tell me which of the following two files contains the Emsisoft's digital signature blacklist (digital signatures that have been used in connection with fraudulent or malicious activities in the past): a2trust.dat or a2wl.dat?

Thanks,

N.

[Fabian Wosar 390]

a2trust.dat .

[blues 1]

FWIW, I'm showing that "trust" was last updated on 11/1 whereas "a2wl" was last updated this morning. (Running XP Pro SP3)

I hope that this is current?

[Nick 10]

a2trust.dat .

Thank you very much for your quick reply, Fabian.

I've asked because (due to this recent issue) I'm temporarily disabling the following option: In addition, automatically trust programs signed with valid digital signatures.

Unfortunately the file that contains the Emsisoft's digital signature blacklist it's also the one that is not being updated.

Best regards,

N.

[blues 1]

Any further info regarding when the last time the "trust" file was updated?

I'm still showing November 1 for "trust" though "a2wl" was updated again last night just after 11 pm.

(As a result I've taken the same step as Nick has in disabling the option to automatically trust programs with "valid digital signatures".)

Thanks in advance.

[dallas7 1]

This is an interesting thread and now my curiosity is tweaked...

Just to be clear, we're discussing the "Date Modified" date stamp. Right?

I notice these dat files exist in two places in each of my OA++ and OAP installs: in the Online Armor root folder and the a2 subfolder. As of this posting the stamps for a2trust are respectively 9/27 and 3/25 in OAP and 10/19 and 10/24 in OA++. FYI, run and update Emergency Kit (a2emergencykit.exe) and that file is 10/24.

I have had In addition, automatically trust programs signed with valid digital signatures always enabled since installing OA on my two systems for the first time early in October. Does that needed to be disabled in order for a2trust.dat to get updated?

And is it my understanding that the blacklist is handled by a file named a2trust.dat?

Cheers.

[blues 1]

I did a clean install of OA (Free) three or four days back. It appears that a2wl.dat is being updated nightly around 11 pm local time. (If the a2trust.dat file has been updated I've seen no indication since the fresh install.)

As of the time of this post, here is what I have for each:

a2trust.dat: fcbaeda2193291712a7158f353052d87

a2wl.dat: 7c7643f82a675574d0c0f7396df60ce1

AFAIK, you don't need to disable the blacklist option for it to be updated, this should be automatic. Nick and I disabled it so as to not have OA make decisions based upon (possibly) obsolete data.

[catprincess 19]

I don't think the blacklist updates are as frequent as the whitelist updates - they would only need to be updated when a certificate was found to be being abused and had to be added whereas new certificates to add to the whitelist would be occurring daily or thereabouts. This can be seen in the fact that the blacklist file (a2trust.dat) is much smaller than (the whitelist file (a2wl.dat).

[blues 1]

Makes purr-fect sense, Cat. Hopefully we can get some confirmation on the md5 hash so we can verify whether we are up to date or not. Thanks for chiming in.

[catprincess 19]

The details of the a2trust.dat file that is present on my installation of 5.1.1.1395 are as follows:

File size: 28087 bytes

MD5: fcbaeda2193291712a7158f353052d87

SHA1: cd5b68aaacfc1f6b996a97ee83e89a78604fa7b2

[blues 1]

Thanks, Cat, I too have the same MD5 and file size on my installation of 5.1.1.1395

[Nick 10]

We posted file details in this recent thread. However, having received no official confirmation, I assumed that I've been having an issue with the a2trust.dat file update.

[Rob R. 20]

a2wl.dat and a2trust.dat updates are mentioned here: http://www.emsisoft.de/a2/changelog/antimalware/

Seems to me the last update for a2trust.dat was 2011-09-27 15:30

The Date Modified or Date Created is different on our systems If the file is replaced during an upgrade install or created during a fresh install of OA.

[Nick 10]

Thanks, ctrlaltdelete. Could we infer that the a2trust.dat file ( 2011-09-27 15:30, MD5: fcbaeda2193291712a7158f353052d87) is up to date, or not?

You may know about the recent DigiCert Sdn. Bhd. affair. Should we expect a file update soon? - I'm asking because I'd like to be sure that it's really working.

Regards,

N.

[catprincess 19]

We posted file details in this recent thread. However, having received no official confirmation, I assumed that I've been having an issue with the a2trust.dat file update.

In the thread you refer to, the hash you posted of your a2trust.dat matched the hash that Fabian posted for that file. I'm not sure I understand why you'd think there was a problem with that file in this case?

[Nick 10]

Because originally there was an update issue that was fixed - see this post - so, after the fix, we confirmed that a2wl.dat was up to date but a2trust.dat was not (i.e. the file had never changed since my OP).

At that point Andrey asked us about the MD5 of the file (MD5 after the update and MD5 after the upgrade) - see this other post - and we replied.

No more info or confirmation at that point.

This is the reason why I thought there was a problem with that file - and I was not the only one.

[catprincess 19]

Referring to that thread, I don't see any evidence that there was ever an issue with your a2trust.dat file. The hash you posted matched the one that Fabian posted for reference. a2wl.dat was the file that wasn't up to date on your system - your hash did not match Fabian's. This issue is what I think was being referred to as now having been fixed. You should be receiving daily (or thereabouts) updates to a2wl.dat and would see this listed in History as two entries one after the other titled "Automatic update" - "New threat database has been downloaded and installed" and "New version of Online Armor components has been downloaded as installed". The same message occurs if there is an update to the blacklist though.

[stapp 160]

When it says 'New version of Online Armor components has been downloaded and installed' most people will take this to mean that it is some kind of update to OA itself and not just a signature and rules update.

If the bubble just said that a new threat database had been downloaded (as it says in history) it would not be so misleading to a user.

The very fact that this thread exists and the confusion that surrounds both the files and the info given via OA popups shows, in my view, that it perhaps could be handled better.

[Rob R. 20]

If the message "New version of Online Armor components has been downloaded an installed" would be changed to something like "Update installed successfully" there would be no confusion.

Seems to me that's an easy solution. If other components are updated and a reboot is required another pop-up about the required reboot will appear anyway. To get rid of the extra message after the a2wl.dat update only, will require a lot of coding.

[Nick 10]

Just to clarify - and sorry once again for my English - I've never had any problems with the interpretation of those messages. I thought that the update issue was not yet solved in my case, just because no one in the other thread has (officially or not) said: "Hey Nick, don't worry, your a2wl.dat file is up to date!".

If other components are updated and a reboot is required another pop-up about the required reboot will appear anyway.

Not sure if you get that reboot pop-up if OA is password-protected and the GUI still locked, though. I should check.

[catprincess 19]

Just to clarify - and sorry once again for my English - I've never had any problems with the interpretation of those messages. I thought that the update issue was not yet solved in my case, just because no one in the other thread has (officially or not) said: "Hey Nick, don't worry, your a2wl.dat file is up to date!".

Do you see daily entries in History with the messages I mentioned earlier? If you do, then your a2wl.dat file is definitely updating. Those entries in History only occur when updates were found and installed. The date modified time stamp of a2wl.dat (located in the root directory of the Online Armor folder, not the one located in the A2 folder) should also be changing approximately every day (depending on your update settings)- for example, at the moment mine is showing today's date as it just updated a hour or so ago. The blacklist (a2trust.dat) hasn't changed since I installed 5.1.1.1395 but the changelog that ctrlaltdelete posted earlier doesn't list any blacklist updates since then so I wouldn't expect the date modified to have changed on that file at this time.

You can verify this by looking at the changelog http://www.emsisoft....og/antimalware/ and searching the page for "Trust check signatures" you'll see the most recent date and time for this phrase (which refers to a blacklist update) listed as:

2011-09-27 15:30:

Trust check signatures (revised)

Signatures to verify digitally signed files

If you search the same page for "Whitelist signatures" you'll see the most recent date and time for this phrase (which refers to a whitelist update) listed as:

2011-11-13 00:58:

Whitelist signatures (revised)

Signatures for known good applications

[Nick 10]

Do you see daily entries in History with the messages I mentioned earlier? If you do, then your a2wl.dat file is definitely updating. Those entries in History only occur when updates were found and installed. The date modified time stamp of a2wl.dat (located in the root directory of the Online Armor folder, not the one located in the A2 folder) should also be changing approximately every day (depending on your update settings)- for example, at the moment mine is showing today's date as it just updated a hour or so ago.

I'm sorry for this but when I posted my latest message I accidentally wrote "a2wl.dat" instead of "a2trust.dat" (I'm not able to edit it). What I really meant to say was that unfortunately no one in the other thread told me (officially or not) my a2trust.dat file was up to date.

The blacklist (a2trust.dat) hasn't changed since I installed 5.1.1.1395 but the changelog that ctrlaltdelete posted earlier doesn't list any blacklist updates since then so I wouldn't expect the date modified to have changed on that file at this time.

Thank you very much for having clarified the matter.

As stated earlier, I was simply waiting for a confirmation or alternatively for useful directions when I started the aforementioned thread and kept posting on it. Now I have both.

Regards,

N.

[catprincess 19]

You're welcome Nick