Windows sysinternals

262 Part II Usage Guide
FIGURE 8-1 Output from sigcheck –a –i –h c:\windows\explorer.exe.
A digital signature associated with a file helps to ensure the file’s authenticity and integrity.
A verified signature demonstrates that the file came from the owner of the code-signing
certificate and that the file has not been modified since its signing. The assurance provided
by a code-signing certificate depends largely on the diligence of the certification authority
(CA) that issued the certificate to authenticate the proposed owner, on the diligence of the
certificate owner to protect the certificate’s private key from disclosure, and on the verifying
system not allowing the installation of rogue root CA certificates.
As part of the cost of doing business and providing assurance to customers, most legitimate
software publishers will purchase a code-signing certificate from a legitimate CA, such as
VeriSign or Thawte, and sign the files they distribute to customer computers. The lack of a
valid signature on an executable file that purports to be from a legitimate publisher is reason
for suspicion.
Note In the past, malware was rarely signed. As the sophistication of malware publishers has
increased, however, even this is no longer a guarantee. Some malware publishers are now setting
up front organizations and purchasing code-signing certificates from legitimate CAs. Others are
stealing poorly-protected private keys from legitimate businesses and using those keys to sign
malware.
SigCheck’s command-line parameters provide numerous options for performing verifications,
specifying the files to scan, and formatting output. The syntax is shown here, followed by
Table 8-1, which provides a summary of the parameters:
sigcheck.exe [-e] [-s] [-i] [-r] [-u] [-c catalogFile] [-a] [-h] [-m] [-n] [-v] [-q] target
www.it-ebooks.info