Avast WEBforum

Other => General Topics => Topic started by: mapman on November 13, 2019, 01:48:51 PM

Title: avast free installer file certificate sha1 out of date - malware ?
Post by: mapman on November 13, 2019, 01:48:51 PM
I need some advice/help please;

I downloaded & installed Avast Free using the installer from avast.com, but the SHA-1 certificate was out of date by approx. 1 month. However, the SHA-256 certificate was valid. (Both certs were signed in July.)

I downloaded & installed Avast Free on a 2nd laptop. This time the installer file had 2 valid certs, both signed in November.

Have I used a malicious installer on the first laptop?

If yes, what do I need to do to make sure the laptop is not compromised with malware?
Title: Re: avast free installer file certificate sha1 out of date - malware ?
Post by: Asyn on November 13, 2019, 01:58:38 PM
Quote
Have I used a malicious installer on the first laptop?
Where did you download it?
Test the file at VT (https://www.virustotal.com) and post the link to the result here.
Title: Re: avast free installer file certificate sha1 out of date - malware ?
Post by: mapman on November 14, 2019, 05:49:12 PM
From memory, I downloaded it from bits.avcdn.net, possibly the en-ww location?
The file was avast_free_antivirus_setup_online.exe (I think, I'll check on the laptop).

How do I test the file at VT?
(Do I need to upload it somehow?)



Title: Re: avast free installer file certificate sha1 out of date - malware ?
Post by: Asyn on November 15, 2019, 08:14:27 AM
Yes, upload/test it at VT.
Title: Re: avast free installer file certificate sha1 out of date - malware ?
Post by: mapman on November 15, 2019, 06:09:52 PM
Tested the file at VT.
Link: 123892cb1f6076c35150d019ad61969a7301d4bd8e304fe9fe37fadecdab6c6c

Title: Re: avast free installer file certificate sha1 out of date - malware ?
Post by: Asyn on November 16, 2019, 07:12:37 AM
OK, it's clean.

https://www.virustotal.com/gui/file/123892cb1f6076c35150d019ad61969a7301d4bd8e304fe9fe37fadecdab6c6c/detection
Title: Re: avast free installer file certificate sha1 out of date - malware ?
Post by: mapman on November 16, 2019, 06:34:58 PM
Thanks for looking into this for me;
however, I have a few questions to put my mind at rest.
On the file I submitted to VT the last submission date is 2019-11-06 01:45:13,
whereas I submitted it on 15th Nov!
(Or tried to!)

So has VT analysed the file stored on my drive?
(Or is it looking at an earlier submission by someone else?)

(I uploaded a different file and the last submission date was correct!)

I noticed some differences between the files I checked:

under Relations it had 1 execution parent on the suspect file,

and under Behaviour > Processes tree it had 3004 - factura.exe.

Is this all OK?
Title: Re: avast free installer file certificate sha1 out of date - malware ?
Post by: Asyn on November 17, 2019, 07:58:11 AM
-> https://support.virustotal.com/hc/en-us/categories/360000162878-Documentation
Title: Re: avast free installer file certificate sha1 out of date - malware ?
Post by: mapman on November 22, 2019, 05:18:46 PM
Thanks for the VT support link, lots of useful info, but it didn't answer my questions!
The last submission date is still a puzzle!

I compared the details/behaviour with another Avast installer downloaded using Edge, hence my earlier questions.
I also noticed some different calls, specifically IsDebuggerPresent, and searching found the following description:

IsDebuggerPresent is a function available in the kernel32.dll library. This function is often used in malware to complicate reverse engineering, because the program will take different paths in its flow when the malware is analysed in a user-mode debugger such as OllyDbg.

I appreciate no engines detected the file as malicious; however, as the certificate was out of date, how sure are you that the file hasn't been modified/tampered with?
Title: Re: avast free installer file certificate sha1 out of date - malware ?
Post by: NON on November 23, 2019, 10:19:48 AM
Don't worry, there are two points to a digital signature:
- the certificate is not revoked
- the signing date is within its validity period

This means that even if the certificate is now expired, an installer signed before its expiry is considered genuine.

Also, Avast offers a modified installer if you download from an affiliated link (to determine its origin), so the signing date varies.

BTW, the VirusTotal link shows the latest result for the same file, so a change of the last submission date means someone else submitted the same file again.
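The two checks NON describes, and the hash that VirusTotal keys its report on, can be read straight off the file on Windows. The following is an added example written for this thread; it is not Avast's, VirusTotal's or Microsoft's own code. It assumes Windows PowerShell 5.1 or later, an installer saved under the user's Downloads folder (the path is an assumption, adjust it), and, for the last step only, signtool.exe from the Windows SDK on PATH. The "signing date" that matters is the Authenticode countersignature (timestamp): Windows evaluates the signer certificate's validity window at that timestamped time rather than at today's date, which is why an expired-but-timestamped signature still reports Valid. That timestamp is also the answer to the CRL concern raised later in the thread: RFC 5280 does allow a CA to drop expired certificates from its CRL, so the timestamp is what lets the verifier reason about the certificate as it stood when the file was signed.

```powershell
# Added example for this thread, not Avast's or VirusTotal's own tooling.
# Assumes Windows PowerShell 5.1+, and signtool.exe from the Windows SDK on PATH
# (only needed for step 3). The installer path below is an assumption; adjust it.
$Path = Join-Path $env:USERPROFILE 'Downloads\avast_free_antivirus_setup_online.exe'

# 1. Content hash. VirusTotal keys every report on the file's hash, so uploading the
#    same bytes again lands on the existing report for that hash; an unchanged
#    "last submission date" is not evidence that the upload was blocked.
$sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
"SHA-256 : $sha256"
"VT URL  : https://www.virustotal.com/gui/file/$sha256/detection"

# 2. The signature as Windows evaluates it. Status is 'Valid' even when the signer
#    certificate has since expired, provided the signature carries a countersignature
#    (timestamp) proving the signing time fell inside the certificate's validity window.
$sig  = Get-AuthenticodeSignature -FilePath $Path
$cert = $sig.SignerCertificate
"Status        : $($sig.Status) - $($sig.StatusMessage)"
"Signer        : $($cert.Subject)"
"Cert validity : $($cert.NotBefore.ToUniversalTime().ToString('u')) to $($cert.NotAfter.ToUniversalTime().ToString('u'))"
"Expired today : $($cert.NotAfter -lt (Get-Date))"
if ($sig.TimeStamperCertificate) {
    "Timestamped by: $($sig.TimeStamperCertificate.Subject)"
} else {
    "No timestamp: once the certificate expires, this signature will stop verifying"
}

# 3. Get-AuthenticodeSignature reports only the primary (first) signature. A dual-signed
#    file carries a second, nested SHA-256 signature; 'signtool verify /all' walks both
#    and prints the hash algorithm, certificate chain and timestamp of each, which is
#    what seeing "two certificates" on one installer means.
if (Get-Command signtool.exe -ErrorAction SilentlyContinue) {
    & signtool.exe verify /pa /all /v $Path
} else {
    "signtool.exe not found; install the Windows SDK to inspect the nested signature"
}
```

Run it from a normal PowerShell prompt; nothing here modifies the file. If step 2 reports anything other than Valid (for example HashMismatch or NotSigned), the bytes on disk are not what the publisher signed and the expired-date question is moot.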
Title: Re: avast free installer file certificate sha1 out of date - malware ?
Post by: mapman on November 23, 2019, 05:04:11 PM
Thanks for the reply; however, I read recently that once a certificate is out of its validity period, it will be removed from any revocation list to save the list getting too long.

This means you wouldn't know if the certificate had been revoked!

Also, I have tried uploading the suspect installer several times, but the last submission date hasn't changed from 2019-11-06. (I tried again just now, but the date is still the same!)

I wonder if something is blocking the upload?

(I managed to upload a different file OK & the last date was correct!)

Another question: why does Avast allow a certificate to expire?
Surely this isn't good from a security point of view!

Title: Re: avast free installer file certificate sha1 out of date - malware ?
Post by: NON on November 23, 2019, 07:07:35 PM
Quote
Also, I have tried uploading the suspect installer several times, but the last submission date hasn't changed from 2019-11-06. (I tried again just now, but the date is still the same!)

I wonder if something is blocking the upload?
The link Asyn posted in #5 shows its submission date as 2019-11-22 for me?
I'm not quite sure, but it is possible that VirusTotal has some flood-prevention system.

Quote
Another question: why does Avast allow a certificate to expire?
As you see, Avast has a new certificate that can sign executables in November.
For old installers, it is unavoidable, since certificates can only be renewed (not extended) and of course time has passed ;)
Title: Re: avast free installer file certificate sha1 out of date - malware ?
Post by: mapman on November 24, 2019, 01:02:04 PM
Thanks for the reply.
2019-11-22 is the review date, which matches the analysis date under Details/History.
The last submission date is still 2019-11-06. So you could be right that VT doesn't update it every time.

Your explanation of the certificate issue makes sense. (I was offered an old installer.)
Question: why does the file have 2 certificates, though?

And how can I get the latest installer?
I seem to get a different file depending on which browser I use and which laptop!
Can you choose the location or server?

Title: Re: avast free installer file certificate sha1 out of date - malware ?
Post by: Asyn on November 24, 2019, 01:05:38 PM
Best you download/use the offline installer: https://files.avast.com/iavs9x/avast_free_antivirus_setup_offline.exe
Title: Re: avast free installer file certificate sha1 out of date - malware ?
Post by: mapman on November 24, 2019, 01:57:49 PM
Many thanks for all the advice received.

I found this article, which explains why I was concerned.

https://www.symantec.com/connect/blogs/malware-being-signed-multiple-digital-certificates-evade-detection

What is your view on this?


Title: Re: avast free installer file certificate sha1 out of date - malware ?
Post by: Asyn on November 24, 2019, 02:10:59 PM
Quote
Many thanks for all the advice received.
You're welcome.

PS: No need to dig deeper, you're good to go.
Title: Re: avast free installer file certificate sha1 out of date - malware ?
Post by: mapman on November 30, 2019, 02:42:57 PM
I downloaded the offline installer as advised and ran VT on it, but 3 engines flagged it as a trojan!

925e863b49b8aef3393d345700fca83d7ce01d08f5fb07f471b62529df03ef10

Are these false positives?

Also, the SHA-1 certificate is out of date; the SHA-256 one is valid.

I also ran VT on the URL wireshark.org and 1 engine, CRDF, flagged the site as malicious!
How do I interpret this, i.e. is it a safe site?
(3 months previously it was clean, I think.)

Again, I ran VT on www.malwarebytes.com and 1 engine, Quttera, flagged it as malicious.
When I clicked the malwarebytes link, VT gave more details, including 10 URLs detected under the domain.

Is this a safe site?