Topic: avast free installer file certificate sha1 out of date - malware ?

Offline mapman

  • Newbie
  • *
  • Posts: 9
I need some advice/help please;

I downloaded & installed avast free using installer from avast.com, but the sha1 certificate was out of date by approx 1 month. However, the sha256 certificate was valid. (Both certs were signed in July.)

I downloaded & installed avast free on 2nd laptop. This time installer file had 2 valid certs, and both signed in November.

Have I used a malicious installer on first laptop ?

If yes, what do I need to do to make sure laptop is not compromised with malware ?

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
Re: avast free installer file certificate sha1 out of date - malware ?
« Reply #1 on: November 13, 2019, 01:58:38 PM »
Quote
Have I used a malicious installer on first laptop ?
Where did you download it..?
Test the file at VT (https://www.virustotal.com) and post the link to the result here.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline mapman

Re: avast free installer file certificate sha1 out of date - malware ?
« Reply #2 on: November 14, 2019, 05:49:12 PM »
From memory, I downloaded it from bits.avcdn.net. Possibly en-ww location ?
The file was avast_free_antivirus_setup_online.exe  (I think, I'll check on the laptop)

How do I test the file at VT ?
(Do I need to upload it somehow ?)

Offline Asyn

Re: avast free installer file certificate sha1 out of date - malware ?
« Reply #3 on: November 15, 2019, 08:14:27 AM »
Yes, upload/test it at VT.

Offline mapman

Re: avast free installer file certificate sha1 out of date - malware ?
« Reply #4 on: November 15, 2019, 06:09:52 PM »
Tested file at VT
Link; 123892cb1f6076c35150d019ad61969a7301d4bd8e304fe9fe37fadecdab6c6c


Offline Asyn


Offline mapman

Re: avast free installer file certificate sha1 out of date - malware ?
« Reply #6 on: November 16, 2019, 06:34:58 PM »
Thanks for looking into this for me,
however, I have a few questions to put my mind at rest;
on the file I submitted to VT the last submission date is 2019-11-06 01:45:13
whereas I submitted it on 15th Nov !
(or tried to !)

So has VT analysed the file stored on my drive ?
(Or is it looking at an earlier submission by someone else ?)

(I uploaded a different file and the last submission date was correct !)

I noticed some differences between the files I checked;

under relations it had 1 execution parent on the suspect file,

and under behaviour processes tree it had 3004 - factura.exe

Is this all ok ?

Offline Asyn


Offline mapman

Re: avast free installer file certificate sha1 out of date - malware ?
« Reply #8 on: November 22, 2019, 05:18:46 PM »
Thanks for VT support link, lots of useful info, but didn't answer my questions !
The last submission date is still a puzzle !

I compared the details/behaviour with another avast installer downloaded using edge, hence my earlier questions.
I also noticed some different calls, specifically IsDebuggerPresent, and searching found the following description;

IsDebuggerPresent is a function available in the kernel32.dll library. This function is often used in malwares to complexify the reverse engineering because it will take different paths in the program's flow when the malware is analyzed in a user-mode debugger such as OllyDbg

I appreciate no engines detected the file as malicious, however, as the certificate was out of date, how sure are you that the file hasn't been modified/tampered with ?

Offline NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5475
  • Whatever will be, will be.
Re: avast free installer file certificate sha1 out of date - malware ?
« Reply #9 on: November 23, 2019, 10:19:48 AM »
Don't worry, there are two points to a digital signature:
- the certificate is not revoked
- the signed date is within its validity period

This means that even if the certificate is now expired, an installer signed before its expiry is considered genuine.

Also, Avast offers a modified-version installer if you download from an affiliated link, to determine its origin, so the signed date varies.

BTW, the Virustotal link shows the latest result of the same file, so a change of last submission date means someone else submitted the same file again.
Desktop: Win10 Pro 22H2 64bit / Core i5-7400 3.0GHz / 32GB RAM / Avast 23 Premium Beta(Icarus) / Comodo Firewall
Notebook: Win10 Pro 22H2 64bit / Core i5-3340M 2.7GHz / 12GB RAM / Avast 23 Free / Windows Firewall Control
Server: Win11 Pro 23H2 64bit / Core i3-4010U 1.7GHz / 12GB RAM / Avast One 23 Essential

I explain Avast's settings here. Please take a look if you like.
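
The two checks listed in the reply above, worked through as an added example (not part of the original posts and not Avast's or Windows' own code). It is a simplified model that does not parse real signatures: the `Signature` record, the verdict strings and every date are constructed to mirror the thread's dual-signed installer, and it assumes a trusted timestamp is what lets a signature outlive its certificate and that revocation only invalidates signatures made on or after the revocation date.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Signature:                       # hypothetical record, one per embedded signature
    digest: str                        # "sha1" or "sha256"
    not_before: datetime               # start of the signing certificate's validity
    not_after: datetime                # end of the signing certificate's validity
    timestamp: Optional[datetime]      # trusted countersigned signing time, if any
    revoked_at: Optional[datetime] = None  # revocation date, None if not revoked

def evaluate(sig: Signature, now: datetime) -> str:
    """Verdict for one signature when checked at time `now`."""
    # Without a trusted timestamp, the only usable reference time is `now`.
    ref = sig.timestamp or now
    if not (sig.not_before <= ref <= sig.not_after):
        if sig.timestamp:
            return "invalid: signed outside validity period"
        return "invalid: certificate not valid now, no timestamp"
    if sig.revoked_at is not None and sig.revoked_at <= ref:
        return "invalid: revoked before signing"
    if now > sig.not_after:
        return "valid: certificate expired after signing"
    return "valid"

def evaluate_file(sigs, now):
    """Evaluate every signature on a dual-signed file independently."""
    return {s.digest: evaluate(s, now) for s in sigs}

# Constructed sample: both signatures made in July 2019, file checked in
# mid-November 2019, SHA-1 certificate expired about a month earlier.
NOW = datetime(2019, 11, 13)
SIGNED = datetime(2019, 7, 15)
SAMPLE = [
    Signature("sha1", datetime(2017, 10, 13), datetime(2019, 10, 13), SIGNED),
    Signature("sha256", datetime(2018, 3, 1), datetime(2020, 3, 1), SIGNED),
]

if __name__ == "__main__":
    for digest, verdict in evaluate_file(SAMPLE, NOW).items():
        print(f"{digest}: {verdict}")
```
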

Offline mapman

Re: avast free installer file certificate sha1 out of date - malware ?
« Reply #10 on: November 23, 2019, 05:04:11 PM »
Thanks for reply, however, I read recently that once a certificate is out of its validity period, it will be removed from any revocation list to save the list getting too long.

This means you wouldn't know if the certificate had been revoked !

Also, I have tried uploading the suspect installer several times, but the last submission date hasn't changed from 2019-11-06. (I tried again just now, but the date is still the same !)

I wonder if something is blocking the upload ?

(I managed to upload a different file ok & last date was correct !)

Another question; why does Avast allow a certificate to expire ?
Surely this isn't good from a security point of view !


Offline NON

Re: avast free installer file certificate sha1 out of date - malware ?
« Reply #11 on: November 23, 2019, 07:07:35 PM »
Quote
also, I have tried uploading the suspect installer several times, but the last submission date hasn't changed from  2019-11-06 . (I tried again just now, but the date is still the same !)

I wonder if something is blocking the upload ?
The link Asyn posted in #5 shows its submission date as 2019-11-22 for me?
I'm not quite sure but it is possible that Virustotal has some flood-prevention systems.

Quote
Another question; why does Avast allow a certificate to expire ?
As you see, Avast has a new certificate that can sign executables in November.
For old installers, it is unavoidable since certificates can only be renewed (not extended) and of course time passed ;)

Offline mapman

Re: avast free installer file certificate sha1 out of date - malware ?
« Reply #12 on: November 24, 2019, 01:02:04 PM »
Thanks for reply,
2019-11-22 is the review date which matches the analysis date under details/history.
Last submission date is still 2019-11-06. So, you could be right, that VT doesn't update every time.

Your explanation of the certificate issue makes sense. (I was offered an old installer.)
Question: why does the file have 2 certificates though ?

And how can I get the latest installer ?
I seem to get a different file depending on which browser I use and which laptop !
Can you choose location or server ?


Offline Asyn

Re: avast free installer file certificate sha1 out of date - malware ?
« Reply #13 on: November 24, 2019, 01:05:38 PM »

Offline mapman

Re: avast free installer file certificate sha1 out of date - malware ?
« Reply #14 on: November 24, 2019, 01:57:49 PM »
Many thanks for all advice received.

I found this article, which explains why I was concerned.

https://www.symantec.com/connect/blogs/malware-being-signed-multiple-digital-certificates-evade-detection

What is your view on this ?