5 Replies Latest reply on Mar 4, 2014 10:25 AM by rmetzger

    How to determine if Frameworkservice.exe signature has changed

    ellisj1

      I have received two notifications via Tripwire that the Frameworkservice.exe signature has changed on two servers. When I checked, each server showed the following. On Server1 the FrameworkService.exe file indicates that it was last modified on 9/25/2012, File Version 4.6.0.2988, product version 4.6.0; on Server 2 the Frameworkservice.exe indicates that it was last modified on 1/12/2011, File Version 4.5.0.1810. Supposedly the signature changed on both of these files early this morning, 26 Feb 2014.

      Both servers are Windows 2008 R2 Datacenter running McAfee 8.8 Antivirus. How can I verify that the signature associated with these files did not change, or indeed changed as indicated by Tripwire?

        • 1. Re: How to determine if Frameworkservice.exe signature has changed
          rmetzger

          Hi Ellisj1,

           

          Welcome to the forums.

           

          I haven't used Tripwire in many, many years, so I am not sure what Tripwire means when it says that the signature has 'changed.' My understanding is that the signature could only change if the file itself, in its entirety, changed. Else the signature would no longer be valid.

           

          So the questions are: Is the signature valid on these files (FrameworkService.exe) on each of these servers? Did these files change recently?

           

          To check the signatures of these files I use Sigcheck.exe from Sysinternals.

          http://technet.microsoft.com/en-us/sysinternals/bb897441

           

          SigCheck.exe -accepteula -a -h -i -q "%ProgramFiles%\McAfee\Common Framework\Frameworkservice.exe"

          or

          SigCheck.exe -accepteula -a -h -i -q "%ProgramFiles(x86)%\McAfee\Common Framework\Frameworkservice.exe"

           

          This should give you a wealth of info regarding the signature and certificates embedded within Frameworkservice.exe. Note that there are several certificates, each having a valid start and end date, which may have expired. Just because a certificate has expired does not mean that the signature is invalid, but rather that the signer (Verisign or thawte) no longer trusts the certificate beyond that end date. This may be something that Tripwire is noting, though this is only speculation on my part.

           

          Hope this helps. Let us know what you found.

          Ron Metzger

          • 2. Re: How to determine if Frameworkservice.exe signature has changed
            ellisj1

            I supplied the information provided via sigcheck above to the originating source for the Tripwire Incident Report but don't know yet if the information I provided is sufficient for their needs.

             

            Here is an example of the report they sent me.

             

            Security Incident Summary

            Main incident characteristics:

            • Assigned severity: Insufficient info (S0)
            • Risk: Low (0.13), confidence level : Low (17.78%)
            • Current status: ESCALATED

            Additional characteristics:

            • A total of 1 security incident(s) were reported consisting of 1 security event(s).
            • Native detection time of earliest security event: 06:00:45-Feb 26 2014 GMT (Etc/GMT)
            • Detected on the following devices:

            Sterling: TripwireServer (X.X.X.X)

            • Source(s):
              • Source ip address(es): x.x.x.x
              • Source port(s):
            • Destination(s):
              • Destination ip address(es):
              • Destination port(s):
            • Intrusion signature(s):
              • NID-SEAM-ModifiedFrameworkService-tripwire
            • Correlation reason:
            • Action(s):
              • modify

            More details on the individual security incident(s) and event(s) can be found in the appendix below.

             

            They had a couple of hyperlinks embedded in the email, but when I followed them I could not connect to the destination identified in the links.

             

            This type of report doesn't give me much to work with...

            • 3. Re: How to determine if Frameworkservice.exe signature has changed
              rmetzger

              Hi Ellisj1,

               

              ellisj1 wrote:

               

              I supplied the information provided via sigcheck above to the originating source for the Tripwire Incident Report but don't know yet if the information I provided is sufficient for their needs.

              ...

              Action(s):

              • modify
              ... This type of a report doesn't give me much to work with...

              How about posting the SigCheck text here, so that we may see it. From that I may be able to see what is going on. (Is the Signature Invalid, Valid, or Valid but Expired?)

               

              While you're at it, let us know which version of server Frameworkservice.exe came from and what version you expected.

              And if possible, do you have another 'server' that should have the same version of Frameworkservice.exe on it.

               

              If you run SigCheck against it, does SigCheck provide exactly the same report as the first server? If not, what is different?

               

              Thanks,

              Ron Metzger

              • 4. Re: How to determine if Frameworkservice.exe signature has changed
                ellisj1

                Some of the servers started out with 8.5 or earlier and have been systematically upgraded over the years until they are at 8.8. Some servers are fresh installs of 8.8 and both types have been flagged for change. There were consecutive dates where Tripwire indicated the file had changed and when I compared the Sigcheck on those servers everything was exactly the same for both days and the date of the file had not changed at all.

                I have submitted my findings to the monitoring team who sent me the alerts but I have yet to hear back from them. Here's the sigcheck for one of the servers.

                 

                C:\utils\Sigcheck>SigCheck.exe -accepteula -a -h -i -q "%ProgramFiles%\Network Associates\Common Framework\Frameworkservice.exe"
                c:\program files\network associates\common framework\FrameworkService.exe:
                        Verified:       Signed
                        Catalog:        c:\program files\network associates\common framework\FrameworkService.exe
                        Signers:
                           McAfee
                                Status:         A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
                                Valid Usage:    Code Signing
                                Serial Number:  56 4A 36 1E 16 8A 81 A8 F3 EF
                                                AA DA 33 25 08 E1
                                Thumbprint:     4F638B91E12390598F037E533C0AEA529AD1A371
                                Algorithm:      SHA1
                                Valid from:     6:00 PM 9/12/2008
                                Valid to:       5:59 PM 10/9/2011
                           VeriSign Class 3 Code Signing 2004 CA
                                Status:         Valid
                                Valid Usage:    Client Auth, Code Signing
                                Serial Number:  41 91 A1 5A 39 78 DF CF 49 65
                                                66 38 1D 4C 75 C2
                                Thumbprint:     197A4AEBDB25F0170079BB8C73CB2D655E0018A4
                                Algorithm:      SHA1
                                Valid from:     6:00 PM 7/15/2004
                                Valid to:       5:59 PM 7/15/2014
                           VeriSign Class 3 Public Primary CA
                                Status:         Valid
                                Valid Usage:    Email Protection, Client Auth,
                                                Code Signing, Server Auth
                                Serial Number:  70 BA E4 1D 10 D9 29 34 B6 38
                                                CA 7B 03 CC BA BF
                                Thumbprint:     742C3192E607E424EB4549542BE1BBC53E6174E2
                                Algorithm:      MD2
                                Valid from:     6:00 PM 1/28/1996
                                Valid to:       5:59 PM 8/1/2028
                        Signing date:   5:55 PM 1/12/2011
                        Counter Signers:
                           VeriSign Time Stamping Services Signer - G2
                                Status:         A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
                                Valid Usage:    Timestamp Signing
                                Serial Number:  38 25 D7 FA F8 61 AF 9E F4 90
                                                E7 26 B5 D6 5A D5
                                Thumbprint:     ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
                                Algorithm:      SHA1
                                Valid from:     6:00 PM 6/14/2007
                                Valid to:       5:59 PM 6/14/2012
                           VeriSign Time Stamping Services CA
                                Status:         A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
                                Valid Usage:    Timestamp Signing
                                Serial Number:  47 BF 19 95 DF 8D 52 46 43 F7
                                                DB 6D 48 0D 31 A4
                                Thumbprint:     F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
                                Algorithm:      SHA1
                                Valid from:     6:00 PM 12/3/2003
                                Valid to:       5:59 PM 12/3/2013
                           thawte
                                Status:         Valid
                                Valid Usage:    Timestamp Signing
                                Serial Number:  00
                                Thumbprint:     BE36A4562FB2EE05DBB3D32323ADF445084ED656
                                Algorithm:      MD5
                                Valid from:     6:00 PM 12/31/1996
                                Valid to:       5:59 PM 12/31/2020
                        Publisher:      McAfee
                        Description:    Framework Service
                        Product:        McAfee Agent
                        Prod version:   n/a
                        File version:   4.5.0.1810
                        MachineType:    32-bit
                        Binary Version: 4.5.0.1810
                        Original Name:  Framework.exe
                        Internal Name:  Framework
                        Copyright:      Copyright© 2000-2011 McAfee, Inc. All Rights Reserved.
                        Comments:       n/a
                        MD5:    062D80F13D762F7BC2F38430D60F5048
                        SHA1:   97D4997C3564A5307BAACD2C823A6445566096F8
                        PESHA1: 13B46305422302521248F1D6C3DC1A62EE67F9A1
                        SHA256: 214D5B01F4C8FFD34DF2E390B5F39E6B3140CF362756548E0AC05B50EDA99E6C

                C:\utils\Sigcheck>

                 

                Unless I hear back from the originating source I will consider this issue closed. Thanks for the assist.

                • 5. Re: How to determine if Frameworkservice.exe signature has changed
                  rmetzger

                  Hi ellisj1,

                  ellisj1 wrote:

                   

                  C:\utils\Sigcheck>SigCheck.exe -accepteula -a -h -i -q "%ProgramFiles%\Network Associates\Common Framework\Frameworkservice.exe"
                  c:\program files\network associates\common framework\FrameworkService.exe:
                          Verified:       Signed
                          Catalog:        c:\program files\network associates\common framework\FrameworkService.exe
                          Signers:
                                  Status:         A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
                          Publisher:      McAfee
                          Description:    Framework Service
                          Product:        McAfee Agent
                          Prod version:   n/a
                          File version:   4.5.0.1810
                          MachineType:    32-bit
                          Binary Version: 4.5.0.1810
                          Original Name:  Framework.exe
                          Internal Name:  Framework
                          Copyright:      Copyright© 2000-2011 McAfee, Inc. All Rights Reserved.
                          Comments:       n/a
                          MD5:    062D80F13D762F7BC2F38430D60F5048
                          SHA1:   97D4997C3564A5307BAACD2C823A6445566096F8
                          PESHA1: 13B46305422302521248F1D6C3DC1A62EE67F9A1
                          SHA256: 214D5B01F4C8FFD34DF2E390B5F39E6B3140CF362756548E0AC05B50EDA99E6C

                  Looks pretty normal to me, especially since the signature is Valid. I might be persuaded to update the agent to a newer version though. Use the hashes listed to compare them to other installs, just as a secondary check.

                   

                  I'm glad things are working. If you ever get any info from TripWire on this, please post it so we all can learn.

                   

                  Thanks,

                  Ron Metzger
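One way to run the signature check from Ron's first reply and the cross-server hash comparison from his last reply in a single pass from a management host. This is an added example, not code from the thread or from McAfee; it assumes WinRM is reachable on the servers, that the host names are placeholders, and that the baseline SHA256 (constructed below) was taken from an install you trust.

```powershell
# Added example (not from the thread). Queries each server for FrameworkService.exe,
# records Authenticode status, signer expiry, version, mtime and SHA256, then rates the
# result against a baseline hash taken from an install you trust. Host names and the
# baseline value are placeholders; SHA256 is computed via .NET so it also works on
# the PowerShell 2.0 that ships with Windows 2008 R2 (no Get-FileHash there).
$Servers  = 'SERVER1', 'SERVER2'   # assumed host names
$Baseline = '0000000000000000000000000000000000000000000000000000000000000000'  # constructed placeholder

$check = {
    $candidates = @(
        "$env:ProgramFiles\McAfee\Common Framework\FrameworkService.exe",
        "${env:ProgramFiles(x86)}\McAfee\Common Framework\FrameworkService.exe",
        "$env:ProgramFiles\Network Associates\Common Framework\FrameworkService.exe"
    )
    $file = $candidates | Where-Object { $_ -and (Test-Path $_) } | Select-Object -First 1
    if (-not $file) { return New-Object PSObject -Property @{ Host = $env:COMPUTERNAME; Path = $null } }
    $sig = Get-AuthenticodeSignature -FilePath $file   # Status: Valid, NotSigned, HashMismatch, NotTrusted, ...
    $fs  = [System.IO.File]::OpenRead($file)
    try     { $hash = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($fs) |
                       ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $fs.Close() }
    $item = Get-Item $file
    New-Object PSObject -Property @{
        Host = $env:COMPUTERNAME; Path = $file; Status = [string]$sig.Status
        Signer = $sig.SignerCertificate.Subject; NotAfter = $sig.SignerCertificate.NotAfter
        SHA256 = $hash; Modified = $item.LastWriteTime; Version = $item.VersionInfo.FileVersion
    }
}

$results = Invoke-Command -ComputerName $Servers -ScriptBlock $check
foreach ($r in $results) {
    if (-not $r.Path) { "{0}: FrameworkService.exe not found" -f $r.Host; continue }
    $verdict = switch ($r.Status) {
        # A signing cert that expired after the (countersigned) signing date does not by
        # itself break the signature; Windows still reports Valid, which is Ron's point above.
        'Valid'        { if ($r.SHA256 -eq $Baseline) { 'OK: valid signature, hash matches baseline' }
                         else { 'REVIEW: valid signature but hash differs from baseline (different build?)' } }
        'HashMismatch' { 'ALERT: file content no longer matches its signature' }
        'NotSigned'    { 'ALERT: file is not signed' }
        default        { "REVIEW: signature status $($r.Status)" }
    }
    "{0}: {1} [v{2}, modified {3}, signer cert valid to {4}, SHA256 {5}]" -f `
        $r.Host, $verdict, $r.Version, $r.Modified, $r.NotAfter, $r.SHA256
}
```

A file that differs from the baseline but still carries a Valid signature from the expected publisher is usually a different agent build, as in the 4.5.0.1810 versus 4.6.0.2988 servers in the question, so compare the version and modification date before treating it as tampering.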