5 Replies, latest reply: Aug 30, 2013 4:43 PM by rmetzger

    Should I trust 7179xdat.exe when not signed?

    rmetzger

      Normally, McAfee signs executables with appropriate certificates. Upon download, I check the validity of the signature to ensure that the downloaded file's integrity is complete.

       

      Whenever I download any executable file from a security firm, like McAfee, I test the integrity of the download by checking its signature. I have been doing this for well over 2 years. I use Microsoft/Sysinternals' SigCheck.exe to test signatures.

       

      Lately, I have found that sometimes XXXXxdat.exe files have not been signed. Here are SigCheck's results on 7179's .exe:

       

      .\7179xdat.exe:
             Verified:       Unsigned
             Link date:      5:23 AM 11/12/2010
             Publisher:      McAfee, Inc.
             Description:    SuperDAT Stub
             Product:        McAfee Core Components
             Version:        2.5
             File version:   2.5.171
             Strong Name:    Unsigned
             Original Name:  SDStub86.exe
             Internal Name:  SDStub86
             Copyright:      Copyright © 2010 McAfee, Inc. All Rights Reserved.
             Comments:       n/a
             MD5:    2D6E1B1421A91DFFEF6D9E0A82170B75
             PESHA1: 5CA940C2208AD72B0DFA1B855A266BA9D974ED04
             PE256:  99B046BD199DE25B13C71270FD5D916019EEA7211E653F93020DF6268973361C
             SHA256: FA41D60D14957FD5852F7F476D6E02EAC39D822C9718D45F9B1FE31E13C8E15C

       

      Here is yesterday's (7178xdat.exe):

      .\7178xdat.exe:
             Verified:       Signed
             Signing date:   2:21 AM 8/25/2013
             Publisher:      McAfee
             Description:    SuperDAT Stub
             Product:        McAfee Core Components
             Version:        2.5
             File version:   2.5.171
             Strong Name:    Unsigned
             Original Name:  SDStub86.exe
             Internal Name:  SDStub86
             Copyright:      Copyright © 2010 McAfee, Inc. All Rights Reserved.
             Comments:       n/a
             MD5:    0A5BCE6902B14CB693FE4E0F67CA3568
             PESHA1: A77AA8940EADDE8674A0441AF1292521AD4790B8
             PE256:  7917E3180572D7873E3016D8F606ED43B4AA10ED8CC884AE20AC2190DC0E2528
             SHA256: 1E2BD5752186F33E152071A425887AE21D755C93583B53410394B971CF414DDB

       

      Same thing happened with 7172xdat.exe.

       

      Why is there a difference in the signatures?

      Did someone from McAfee forget to Sign this file? (I would have thought this process was automated.)

       

      Should I trust 7179xdat.exe given the Signature verification is Unsigned?

      Am I just being paranoid?

       

      Comments?

       

      Thanks,

      Ron Metzger

        • 1. Re: Should I trust 7179xdat.exe when not signed?
          rmetzger

          Second day: 7180xdat.exe is Unsigned.

           

          McAfee: Is this going to be the new normal?

           

          Waiting for today's new release: 7181xdat.exe. Will it be Signed or Unsigned?

           

          Ron Metzger

          • 2. Re: Should I trust 7179xdat.exe when not signed?
            rmetzger

            Thank you, 'McAfee'

             

            7181xdat.exe has been Signed.

             

            Any idea as to why this Signed/Unsigned behavior is occurring?

             

            Thanks,

            Ron Metzger

            • 3. Re: Should I trust 7179xdat.exe when not signed?
              welshman

              I just tried to remove an infection using the virus removal tool on my McAfee screen. I ran the 7181 execution, but when I tried to view the download, a screen popped up saying that it could not find the something or other in McAfee something. I couldn't understand what it said, and it disappeared immediately.

              Have you any idea what this means?

              • 4. Re: Should I trust 7179xdat.exe when not signed?
                rmetzger

                Hi welshman,

                welshman wrote:

                 

                I just tried to remove an infection using the virus removal tool on my McAfee screen. I ran the 7181 execution, but when I tried to view the download, a screen popped up saying that it could not find the something or other in McAfee something. I couldn't understand what it said, and it disappeared immediately.

                Have you any idea what this means?

                Well, to help, we need far more info.

                 

                • What tool are you using?
                • What version of VSE are you using? (Is it VSE or the retail version?)
                • What infection are you experiencing? (What is the reported name of the infection?)
                • When did you first note the infection?
                • Can you try and document what the 7181 execution is saying?
                • What else have you done to clear the infection?

                 

                Let me clarify a few things (regarding this thread).

                7181xdat.exe is not a virus removal tool, but a DAT signature update program.

                 

                My query about 'Signed' or 'Unsigned' 'Signatures' within a XXXXxdat.exe file refers to the executable (of the PE type) being 'Signed' (or not). This has nothing to do with VSE DAT Signatures. (The 'Signature' term is easily confused but entirely different in its meaning here.) It just so happens that XXXXxdat.exe files contain VSE DAT 'signature' files.

                 

                My initial thread stated a query about trusting a downloaded xdat.exe file. A 'Signed' .exe file can be tested for the validity of the signature (executable signing, not DAT). If a single byte of a Signed executable has been altered, for any reason, the executable Signature will be Invalid.

                 

                If a file is downloaded and infected or corrupted as part of the download process, such as a local copy of 7181xdat.exe, then the executable signature will be invalid. I test this executable signature using Mark Russinovich's (of Sysinternals/Microsoft) Sigcheck.exe. If the download gets corrupted or the file gets altered then the executable signature is invalid and my 'trust' of that local file would be invalid as well.

                (see: http://technet.microsoft.com/en-us/sysinternals/bb897441 )

                 

                My issue with Signed or Unsigned executable files (with regards to XXXXxdat.exe files) is my way of verifying the downloaded file is unaltered and trustworthy. When signed, I can test the validity. If Unsigned, I cannot test its unaltered state.

                 

                If the XXXXxdat.exe file is signed and the unaltered state validated, then the embedded DAT signature files can be trusted.

                 

                As far as your system is concerned, an infection and cleaning would probably be best discussed here (under Malware Discussion/Communities):

                https://community.mcafee.com/community/security/malware_discussion

                 

                Thanks,

                Ron Metzger

                 

                on 8/30/13 5:49:40 PM EDT
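The first post verifies downloaded xdat files with sigcheck, and reply 4 explains that altering a single byte of a signed executable invalidates its signature. The Python script below is an added example and is not code from this thread, from McAfee or from Sysinternals. It builds a constructed, non-loadable PE32 image in memory and computes the Authenticode hash over it, which is the value sigcheck prints as PESHA1 / PE256: every byte of the file except the CheckSum field, the security data-directory entry and the certificate table, since those change when a file is signed and so cannot be covered by the signature. The names build_minimal_pe, authenticode_hash and matches_sigcheck are my own, the 64 zero bytes used as a "certificate table" are a placeholder rather than a real WIN_CERTIFICATE structure, and the hashing assumes sections stored in file order with nothing after the last section except the certificate table (real tools also sort sections by raw offset).

```python
import hashlib
import struct

# Constructed example (not McAfee's or Sysinternals' code): a tiny PE32 image
# assembled in memory so the Authenticode hashing rules can be exercised
# offline. Assumptions: one section, 512-byte file alignment, sections in file
# order, nothing after the last section except the certificate table.
FILE_ALIGN = 512


def _pad(b: bytes, align: int = FILE_ALIGN) -> bytes:
    return b + b"\x00" * (-len(b) % align)


def build_minimal_pe(section_data: bytes, checksum: int = 0, cert_blob: bytes = b"") -> bytes:
    """Assemble a minimal PE32 file. cert_blob, if given, is appended as the
    attribute certificate table and referenced from data directory entry 4."""
    e_lfanew = 64
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    section_raw = _pad(section_data)
    cert_off = FILE_ALIGN + len(section_raw) if cert_blob else 0
    # COFF header: i386 machine, 1 section, 224-byte optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack(
        "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
        0x10B, 0, 0,                          # PE32 magic, linker version
        len(section_raw), 0, 0,               # SizeOfCode, init/uninit data
        0x1000, 0x1000, 0x2000,               # EntryPoint, BaseOfCode, BaseOfData
        0x400000, 0x1000, FILE_ALIGN,         # ImageBase, SectionAlignment, FileAlignment
        4, 0, 0, 0, 4, 0,                     # OS / image / subsystem versions
        0, 0x2000, FILE_ALIGN, checksum,      # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
        3, 0,                                 # Subsystem (console), DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,   # stack / heap reserve and commit
        0, 16,                                # LoaderFlags, NumberOfRvaAndSizes
    )
    dirs = [(0, 0)] * 16
    dirs[4] = (cert_off, len(cert_blob))      # IMAGE_DIRECTORY_ENTRY_SECURITY holds a file offset
    dir_bytes = b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    section_hdr = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                              len(section_raw), FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = _pad(dos_header + b"PE\x00\x00" + coff + opt + dir_bytes + section_hdr)
    return headers + section_raw + cert_blob


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash a PE image the way Authenticode does: every byte of the file except
    the CheckSum field, the security data-directory entry and the certificate
    table itself. This is what sigcheck reports as PESHA1 / PE256."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    checksum_off = opt_off + 64                          # same offset for PE32 and PE32+
    dir_off = opt_off + (96 if magic == 0x10B else 112)  # data directories: PE32 vs PE32+
    sec_dir_off = dir_off + 4 * 8
    cert_off, cert_len = struct.unpack_from("<II", pe, sec_dir_off)
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:sec_dir_off])
    if cert_len:
        h.update(pe[sec_dir_off + 8:cert_off])
        h.update(pe[cert_off + cert_len:])
    else:
        h.update(pe[sec_dir_off + 8:])
    return h.hexdigest().upper()


def matches_sigcheck(pe: bytes, pe256_from_sigcheck: str) -> bool:
    """Compare a local copy against the PE256 value sigcheck printed for it."""
    return authenticode_hash(pe, "sha256") == pe256_from_sigcheck.strip().upper()


if __name__ == "__main__":
    body = b"\x90" * 100 + b"constructed section body"
    original = build_minimal_pe(body, checksum=0x1234)
    signed = build_minimal_pe(body, checksum=0x1234, cert_blob=b"\x00" * 64)  # placeholder cert table
    tampered = build_minimal_pe(body[:-1] + b"!", checksum=0x1234)
    print("PE256 original :", authenticode_hash(original))
    print("PE256 with cert:", authenticode_hash(signed))    # same as original
    print("PE256 tampered :", authenticode_hash(tampered))  # one byte changed, different hash
```

The plain SHA256 line in sigcheck's output changes when a certificate table is attached, while PESHA1 / PE256 do not, which is why the two signed and unsigned stubs above can share a File version yet print different values for every hash. A matching PE256 only shows that the bytes the signature covers are the ones you looked at; the trust decision still rests on the signature chaining to the publisher's certificate, and an unsigned file gives you nothing to check except a hash obtained independently from the vendor.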
                • 5. Re: Should I trust 7179xdat.exe when not signed?
                  rmetzger

                  rmetzger wrote:

                   

                  Thank you, 'McAfee'

                   

                  7181xdat.exe has been Signed.

                   

                  7182 and 7183xdat.exe are signed as well.

                   

                  I assume the problem is solved. I will continue to monitor this.

                   

                  Can anyone elaborate on the reasons why this happened?

                  Is it related to one of Microsoft's hotfixes regarding MD5 hash chaining?

                   

                  Thanks,

                  Ron Metzger