Re: Why are programs not digitally signed to protect against viruses?

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 06/29/05


Date: Wed, 29 Jun 2005 01:39:29 -0700

Correct me if I am wrong Steve, but one can also, for example, use
SRP to state such as: don't let it run unless it is signed by our org or
by Microsoft, which would cover approved apps and the OS.

-- 
Roger Abell
Microsoft MVP (Windows Server: Security)
"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message 
news:mfGdnYlXq7vkfFzfRVn-pw@comcast.com...
> My guess is that may be related to issues with cost, development time, and
> performance. Windows XP Pro offers Software Restriction Policies which can
> be used to restrict what applications a user can install and execute based
> on hash, certificate, and path rules with default security levels of
> unrestricted or disallowed. If you are interested in SRP see the link
> below. The free tools from SysInternals - Process Explorer and Autoruns -
> will also tell you if the executable associated with a process is
> digitally signed or not, though as you mention the fact that a file is not
> digitally signed does not mean it is malicious.   --- Steve
>
> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
>
> "S Marsden" <S Marsden@discussions.microsoft.com> wrote in message 
> news:42761726-E97B-4B7D-8FD1-DA004E6F8DCD@microsoft.com...
>> Why are Windows and all other software programs' dll's not digitally
>> signed? Wouldn't this make it a lot easier to determine what files on a
>> computer were valid, and which were potential viruses?
>>
>> When a dll or exe or cab file is signed, and you right click that file,
>> you will see a tab for "Digital Signatures" and you can verify that the
>> file is actually from who it says it is from. The "Versions" tab on file
>> properties shows the company but this can be easily spoofed by anyone who
>> writes their own program.
>>
>> Whenever we have a virus, we painstakingly go through each service and do
>> Google and Symantec searches on it, to try and verify its authenticity.
>> A digital signature for each file would allow this process to be
>> automated. The computer could be scanned and all unsigned suspect
>> programs could be identified automatically.
>
> 
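
The per-service check described in the quoted question can be scripted with PowerShell's Get-AuthenticodeSignature cmdlet. The script below is an added example, not part of the original thread; it uses tooling newer than the Windows XP systems under discussion, and the helper name Get-ServiceBinaryPath is hypothetical.

```powershell
# Added example (not from the thread): list the executables behind Windows
# services and report the Authenticode status of each one.

function Get-ServiceBinaryPath {
    # Hypothetical helper: pull the executable path out of a service's
    # PathName, which may be quoted, unquoted, and followed by arguments.
    param([string]$PathName)

    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName.Trim())

    # "C:\Program Files\App\svc.exe" -arg
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    # C:\Windows\system32\svchost.exe -k netsvcs
    if ($expanded -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    # Fallback: first whitespace-delimited token
    return ($expanded -split '\s+')[0]
}

$results = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $path = Get-ServiceBinaryPath $_.PathName

    if (-not $path -or -not (Test-Path -LiteralPath $path -PathType Leaf)) {
        # A service pointing at a missing file is itself worth a look.
        [pscustomobject]@{
            Service = $_.Name; Path = $path; Status = 'FileNotFound'; Signer = $null
        }
        return
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Service = $_.Name
        Path    = $path
        Status  = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Review queue: every service binary whose signature did not validate.
# One row per distinct file, since many services share a host executable.
$results |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Path -Unique |
    Format-Table Service, Status, Signer, Path -AutoSize
```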

