
SEP Vs Change in how signatures are verified for binaries signed with the Windows Authenticode signature format

Created: 29 Jul 2014 • Updated: 24 Aug 2014 | 4 comments

Hi All,

Hope Symantec is aware of the Microsoft update below.

Change in how signatures are verified for binaries signed with the Windows Authenticode signature format. Effective from: August 12, 2014.

After 12 August the new default behavior for Windows Authenticode signature verification will no longer allow extraneous information in the WIN_CERTIFICATE structure. Note that after August 12, 2014, Windows will no longer recognize non-compliant binaries as signed.

The security bulletin for this patch is: https://support.microsoft.com/kb/2893294

Related Microsoft Security Advisory: https://technet.microsoft.com/library/security/2915720

Please advise if any action is required for SEP for the above change.


Regards,

Sankara Subramanian


.Brian:

Haven't seen anything yet, best to contact support at this time.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Sankara:

Hi All,

Got an update from Microsoft that we can ignore this until further notification from Microsoft.

Thanks,

.Brian:

Thanks for updating the thread.


Dhasan:

Hi Sankara,

That was supposed to be triggered on Aug 12th, as the functionality is already installed with MS13-098.

Again, it won't get enabled unless you make the registry change.


The information is available on http://technet.microsoft.com/en-us/library/2915720.aspx .


How will Microsoft implement the stricter Windows Authenticode signature verification behavior? 
On December 10, 2013, Microsoft released Security Bulletin MS13-098 to deploy the underlying code for stricter Authenticode Signature verification behavior. Previously, this advisory announced that by August 12, 2014 Microsoft would enable the changes implemented with MS13-098 as default functionality. However, as we worked with customers to adapt to this change, we determined that the impact to existing software could be high. Therefore, Microsoft no longer plans to enforce the stricter verification behavior as a default requirement. The underlying functionality for stricter verification remains in place, however, and can be enabled at customer discretion.

How can I enable the new signature verification behavior? 
Customers who would like to enable the new Authenticode signature verification behavior can do so by setting a key in the system registry. When the key is set, Windows Authenticode signature verification will no longer recognize binaries with Authenticode signatures that contain extraneous information in the WIN_CERTIFICATE structure. Customers can choose to disable the functionality at any time by disabling this registry key. See Suggested Actions below for instructions.

I enabled this change, do I need to do anything now that it will not be enforced by default? 
Customers who have already enabled the stricter verification behavior, and have not experienced problems, can choose to leave the verification behavior enabled. Customers who are experiencing application compatibility problems with the new behavior, or customers who simply want to disable the new behavior, can disable the functionality by removing the EnableCertPaddingCheck registry key. See Suggested Actions below for instructions.

I did not enable this change, do I need to do anything now that it will not be enforced by default? 
No. The stricter verification behavior that was installed with MS13-098 will reside on the system but will be dormant functionality until enabled.


Yes, you are correct... even I got the information that they asked us to ignore it until further notice from MS.

By,

Dhanshan

SOLUTION
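The original post and the Microsoft FAQ quoted by Dhasan both talk about "extraneous information in the WIN_CERTIFICATE structure" without showing what that looks like on disk. The script below is an added example for this thread; it is not code from Symantec, Microsoft or any poster. It locates the security directory of a PE file, walks the WIN_CERTIFICATE entries and reports any bytes that follow the DER-encoded PKCS#7 SignedData blob, which is the slack that installers used to smuggle data into a signed binary and that the stricter verification rejects. The exact rule Windows applies when EnableCertPaddingCheck is set is not spelled out on this page, so the checker assumes the PE/COFF convention that an entry may be followed only by zero bytes up to the next 8-byte boundary; anything else is treated as extraneous. The WIN_CERTIFICATE fixture, SAMPLE_DER and the "CONFIG=xyz" payload are constructed test data, not taken from a real binary.

```python
"""Find extraneous data in a PE file's Authenticode WIN_CERTIFICATE table.

Added example for this thread, not code from Symantec or Microsoft. The
8-byte zero-padding rule below is an assumption taken from the PE/COFF
specification; the precise check Windows performs with EnableCertPaddingCheck
set is not described on this page."""
import struct

WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
ALIGN = 8                          # WIN_CERTIFICATE entries are 8-byte aligned
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def der_total_length(data: bytes) -> int:
    """Encoded size (tag + length + content) of the DER SEQUENCE at data[0]."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("bCertificate does not start with a DER SEQUENCE")
    first = data[1]
    if first < 0x80:               # short-form length
        return 2 + first
    n = first & 0x7F               # long form: n big-endian length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def extract_certificate_table(pe: bytes) -> bytes:
    """Return the raw security directory (the WIN_CERTIFICATE table) of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20                   # skip the 20-byte COFF file header
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    dd_off = {0x10B: 96, 0x20B: 112}.get(magic)   # data directory offset: PE32 / PE32+
    if dd_off is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Unlike the other directories, the security entry holds a file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, opt_hdr + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return pe[off:off + size] if size else b""


def check_certificate_table(table: bytes, strict: bool = True) -> list:
    """Walk every WIN_CERTIFICATE entry and flag data after the PKCS#7 blob.

    strict=True models EnableCertPaddingCheck: a non-compliant entry is not
    recognised as signed. strict=False models the legacy default, which
    ignores whatever follows the DER-encoded SignedData."""
    entries, off = [], 0
    while off < len(table):
        if len(table) - off < 8:
            raise ValueError("truncated WIN_CERTIFICATE header")
        dw_length, revision, cert_type = struct.unpack_from("<IHH", table, off)
        if dw_length < 8 or off + dw_length > len(table):
            raise ValueError("dwLength out of range")
        body = table[off + 8:off + dw_length]
        entry = {"offset": off, "dwLength": dw_length, "revision": revision, "type": cert_type}
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            der_len = der_total_length(body)
            trailing = body[der_len:]
            # Assumption: only zero bytes up to the 8-byte boundary are legitimate padding.
            allowed_pad = (-(8 + der_len)) % ALIGN
            compliant = len(trailing) <= allowed_pad and not any(trailing)
            entry.update(der_length=der_len, trailing_bytes=len(trailing), compliant=compliant,
                         recognized_as_signed=compliant or not strict)
        else:
            entry.update(compliant=None, recognized_as_signed=False)  # not an Authenticode entry
        entries.append(entry)
        off += -(-dw_length // ALIGN) * ALIGN     # next entry starts on an 8-byte boundary
    return entries


def build_win_certificate(der: bytes, extra: bytes = b"") -> bytes:
    """Construct a WIN_CERTIFICATE entry (test fixture); dwLength covers the alignment pad."""
    body = der + extra
    padded = -(-(8 + len(body)) // ALIGN) * ALIGN
    header = struct.pack("<IHH", padded, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    return header + body + b"\0" * (padded - 8 - len(body))


# Constructed stand-in for a PKCS#7 SignedData blob: SEQUENCE { INTEGER 5 }.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
CLEAN_TABLE = build_win_certificate(SAMPLE_DER)                        # compliant entry
PADDED_TABLE = build_win_certificate(SAMPLE_DER, extra=b"CONFIG=xyz")  # data smuggled into the slack

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        table = extract_certificate_table(open(sys.argv[1], "rb").read())
    else:
        table = CLEAN_TABLE + PADDED_TABLE
    for e in check_certificate_table(table):
        print(e)
```

Run it with a signed binary as the argument to see whether its certificate table would survive the stricter verification; without an argument it walks the two constructed entries, reporting the first as compliant and the second as carrying 11 bytes after the DER blob. The checker does not validate the signature itself; it only answers the question this thread raises, namely whether a binary would stop being recognized as signed once the registry value is enabled. The value itself (EnableCertPaddingCheck) and the exact steps to set and remove it are in the advisory at the URL Dhasan quotes.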