Nick

a2trust.dat & a2wl.dat files question


Hello,

Could you please tell me which of the following two files contains Emsisoft's digital signature blacklist (digital signatures that have been used in connection with fraudulent or malicious activities in the past): a2trust.dat or a2wl.dat?

Thanks,

N.


FWIW, I'm showing that "trust" was last updated on 11/1 whereas "a2wl" was last updated this morning. (Running XP Pro SP3)

I hope that this is current?


a2trust.dat :).

Thank you very much for your quick reply, Fabian.

I've asked because (due to this recent issue) I'm temporarily disabling the following option: "In addition, automatically trust programs signed with valid digital signatures".

Unfortunately the file that contains Emsisoft's digital signature blacklist is also the one that is not being updated.

Best regards,

N.


Any further info regarding when the "trust" file was last updated?

I'm still showing November 1 for "trust" though "a2wl" was updated again last night just after 11 pm.

(As a result I've taken the same step as Nick has in disabling the option to automatically trust programs with "valid digital signatures".)

Thanks in advance.


This is an interesting thread and now my curiosity is tweaked...

Just to be clear, we're discussing the "Date Modified" date stamp. Right?

I notice these dat files exist in two places in each of my OA++ and OAP installs: in the Online Armor root folder and the a2 subfolder. As of this posting the stamps for a2trust are respectively 9/27 and 3/25 in OAP and 10/19 and 10/24 in OA++. FYI, run and update Emergency Kit (a2emergencykit.exe) and that file is 10/24.

I have had "In addition, automatically trust programs signed with valid digital signatures" always enabled since installing OA on my two systems for the first time early in October. Does that need to be disabled in order for a2trust.dat to get updated?

And is it my understanding that the blacklist is handled by a file named a2trust.dat?

Cheers.


I did a clean install of OA (Free) three or four days back. It appears that a2wl.dat is being updated nightly around 11 pm local time. (If the a2trust.dat file has been updated I've seen no indication since the fresh install.)

As of the time of this post, here is what I have for each:

a2trust.dat: fcbaeda2193291712a7158f353052d87

a2wl.dat: 7c7643f82a675574d0c0f7396df60ce1

AFAIK, you don't need to disable the blacklist option for it to be updated; this should be automatic. Nick and I disabled it so as to not have OA make decisions based upon (possibly) obsolete data.


I don't think the blacklist updates are as frequent as the whitelist updates - they would only need to be updated when a certificate was found to be being abused and had to be added, whereas new certificates to add to the whitelist would be occurring daily or thereabouts. This can be seen in the fact that the blacklist file (a2trust.dat) is much smaller than the whitelist file (a2wl.dat).


Makes purr-fect sense, Cat. Hopefully we can get some confirmation on the md5 hash so we can verify whether we are up to date or not. Thanks for chiming in.


The details of the a2trust.dat file that is present on my installation of 5.1.1.1395 are as follows:

File size: 28087 bytes

MD5: fcbaeda2193291712a7158f353052d87

SHA1: cd5b68aaacfc1f6b996a97ee83e89a78604fa7b2

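Added example, not part of any post in this thread and not Emsisoft code: one way to do the comparison the posters carry out by hand, checking a definitions file by size, MD5 and SHA-1 against posted reference values rather than by its "Date Modified" stamp, and comparing the two on-disk copies mentioned earlier. The reference constants are the values quoted in the post above; the function names and the demo files are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Reference values for a2trust.dat as quoted in the post above (5.1.1.1395).
A2TRUST_REFERENCE = {
    "size": 28087,
    "md5": "fcbaeda2193291712a7158f353052d87",
    "sha1": "cd5b68aaacfc1f6b996a97ee83e89a78604fa7b2",
}

def fingerprint(path, chunk_size=65536):
    """Return size, MD5 and SHA-1 of a file, read in chunks."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            md5.update(chunk)
            sha1.update(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def mismatches(path, reference):
    """List the reference fields that the file at `path` does not match."""
    actual = fingerprint(path)
    return sorted(
        key for key, expected in reference.items()
        if str(actual[key]).lower() != str(expected).strip().lower()
    )

def copies_identical(path_a, path_b):
    """True when two copies (root folder vs. a2 subfolder) have the same content."""
    return fingerprint(path_a) == fingerprint(path_b)

def demo():
    """Constructed demo: two stand-in files of equal size, one byte differing."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "root_a2trust.dat")
        stale = os.path.join(tmp, "a2_a2trust.dat")
        with open(good, "wb") as fh:
            fh.write(b"constructed sample content\n" * 100)
        with open(stale, "wb") as fh:
            fh.write(b"constructed sample content\n" * 99 + b"constructed sample cOntent\n")
        reference = fingerprint(good)
        # Equal size and a newer timestamp on `stale`; only the hashes differ.
        return mismatches(good, reference), mismatches(stale, reference), copies_identical(good, stale)

if __name__ == "__main__":
    print(demo())
```

On a real installation, `mismatches(path_to_a2trust_dat, A2TRUST_REFERENCE)` returns an empty list when the local file matches the values posted above.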

We posted file details in this recent thread. However, having received no official confirmation, I assumed that I've been having an issue with the a2trust.dat file update.


Thanks, ctrlaltdelete. Could we infer that the a2trust.dat file (2011-09-27 15:30, MD5: fcbaeda2193291712a7158f353052d87) is up to date, or not?

You may know about the recent DigiCert Sdn. Bhd. affair. Should we expect a file update soon? - I'm asking because I'd like to be sure that it's really working.

Regards,

N.


We posted file details in this recent thread. However, having received no official confirmation, I assumed that I've been having an issue with the a2trust.dat file update.

In the thread you refer to, the hash you posted of your a2trust.dat matched the hash that Fabian posted for that file. I'm not sure I understand why you'd think there was a problem with that file in this case?


Because originally there was an update issue that was fixed - see this post - so, after the fix, we confirmed that a2wl.dat was up to date but a2trust.dat was not (i.e. the file had never changed since my OP).

At that point Andrey asked us about the MD5 of the file (MD5 after the update and MD5 after the upgrade) - see this other post - and we replied.

No more info or confirmation at that point.

This is the reason why I thought there was a problem with that file - and I was not the only one.


Referring to that thread, I don't see any evidence that there was ever an issue with your a2trust.dat file. The hash you posted matched the one that Fabian posted for reference. a2wl.dat was the file that wasn't up to date on your system - your hash did not match Fabian's. This issue is what I think was being referred to as now having been fixed. You should be receiving daily (or thereabouts) updates to a2wl.dat and would see this listed in History as two entries one after the other titled "Automatic update" - "New threat database has been downloaded and installed" and "New version of Online Armor components has been downloaded and installed". The same message occurs if there is an update to the blacklist though.


When it says 'New version of Online Armor components has been downloaded and installed' most people will take this to mean that it is some kind of update to OA itself and not just a signature and rules update.

If the bubble just said that a new threat database had been downloaded (as it says in history) it would not be so misleading to a user.

The very fact that this thread exists and the confusion that surrounds both the files and the info given via OA popups shows, in my view, that it perhaps could be handled better.


If the message "New version of Online Armor components has been downloaded and installed" were changed to something like "Update installed successfully" there would be no confusion.

Seems to me that's an easy solution. If other components are updated and a reboot is required, another pop-up about the required reboot will appear anyway. Getting rid of the extra message after the a2wl.dat update only will require a lot of coding.


Just to clarify - and sorry once again for my English - I've never had any problems with the interpretation of those messages. I thought that the update issue was not yet solved in my case, just because no one in the other thread has (officially or not) said: "Hey Nick, don't worry, your a2wl.dat file is up to date!".

If other components are updated and a reboot is required another pop-up about the required reboot will appear anyway.

Not sure if you get that reboot pop-up if OA is password-protected and the GUI still locked, though. I should check.


Just to clarify - and sorry once again for my English - I've never had any problems with the interpretation of those messages. I thought that the update issue was not yet solved in my case, just because no one in the other thread has (officially or not) said: "Hey Nick, don't worry, your a2wl.dat file is up to date!".

Do you see daily entries in History with the messages I mentioned earlier? If you do, then your a2wl.dat file is definitely updating. Those entries in History only occur when updates were found and installed. The date modified time stamp of a2wl.dat (located in the root directory of the Online Armor folder, not the one located in the A2 folder) should also be changing approximately every day (depending on your update settings) - for example, at the moment mine is showing today's date as it just updated an hour or so ago. The blacklist (a2trust.dat) hasn't changed since I installed 5.1.1.1395 but the changelog that ctrlaltdelete posted earlier doesn't list any blacklist updates since then, so I wouldn't expect the date modified to have changed on that file at this time.

You can verify this by looking at the changelog http://www.emsisoft....og/antimalware/ and searching the page for "Trust check signatures"; you'll see the most recent date and time for this phrase (which refers to a blacklist update) listed as:

2011-09-27 15:30:

Trust check signatures (revised)

Signatures to verify digitally signed files

If you search the same page for "Whitelist signatures" you'll see the most recent date and time for this phrase (which refers to a whitelist update) listed as:

2011-11-13 00:58:

Whitelist signatures (revised)

Signatures for known good applications


Do you see daily entries in History with the messages I mentioned earlier? If you do, then your a2wl.dat file is definitely updating. Those entries in History only occur when updates were found and installed. The date modified time stamp of a2wl.dat (located in the root directory of the Online Armor folder, not the one located in the A2 folder) should also be changing approximately every day (depending on your update settings) - for example, at the moment mine is showing today's date as it just updated an hour or so ago.

I'm sorry for this but when I posted my latest message I accidentally wrote "a2wl.dat" instead of "a2trust.dat" (I'm not able to edit it). What I really meant to say was that unfortunately no one in the other thread told me (officially or not) my a2trust.dat file was up to date.

The blacklist (a2trust.dat) hasn't changed since I installed 5.1.1.1395 but the changelog that ctrlaltdelete posted earlier doesn't list any blacklist updates since then so I wouldn't expect the date modified to have changed on that file at this time.

Thank you very much for having clarified the matter.

As stated earlier, I was simply waiting for a confirmation or alternatively for useful directions when I started the aforementioned thread and kept posting on it. Now I have both.

Regards,

N.
