MDAC and Signers

Signers are the identities of the certificates used by Microsoft Defender Application Control (MDAC) to allow or deny a signed file to run. If you open a policy XML file, you will see the list of signers. It is interesting that many of the files allowed to run by this method do not, on inspection, appear to be signed at all. This post explains how this works.

Here is an example of a signer obtained by scanning a drive at Publisher level, with New-CIPolicy -FilePath [path to policy file] -Level Publisher -UserPEs -NoShadowCopy. The scan produces an XML file containing the signers, and a TMP file containing a list of the unsigned files.

   <Signers>
     <Signer ID="ID_SIGNER_S_1" Name="Microsoft Windows Production PCA 2011">
       <CertRoot Type="TBS" Value="4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146" />
       <CertPublisher Value="Microsoft Windows" />
     </Signer>
     <Signer ID="ID_SIGNER_S_3A" Name="Microsoft Windows Production PCA 2011">
       <CertRoot Type="TBS" Value="4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146" />
       <CertPublisher Value="Microsoft Windows" />
     </Signer>
   </Signers>

You can take a look at the TMP file after the scan to see what the impact of the policy will be.

For some files, like chrome.exe, the presence of a signature is obvious.

[Screenshot: Google Chrome Digital Signature]

But a file like notepad.exe also runs, and it does not appear to have a signature.

[Screenshot: Notepad No Digital Signature]

In fact, that seems to be true of most of the files in C:\Windows and C:\Windows\system32. They don’t appear to be signed, and yet they run with only a Signers policy. But 7-Zip is also not signed, and it does NOT run.

[Screenshot: 7-Zip No Digital Signature]

The reason is that the Windows files are covered by a signed catalog. The catalog contains the hashes of the files, and the catalog itself is signed. MDAC uses the certificate that signed the catalog to allow notepad.exe to run, exactly as it would for an embedded signature. The process is explained here: Deploy catalog files to support Windows Defender Application Control.
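To make the catalog point concrete, here is an added PowerShell example (mine, not from the original post) that reports how each file is signed and derives the Publisher-level signer MDAC would need for it, then checks that signer against the Signers section of a policy XML. Get-AuthenticodeSignature reports SignatureType Catalog for files such as notepad.exe, Authenticode for files with an embedded signature such as chrome.exe, and None for 7zFM.exe. The CertRoot computation assumes that a TBS-type CertRoot is the hash of the issuing CA certificate's tbsCertificate DER using that certificate's own signature hash algorithm (SHA-256 for the Microsoft certificates above); that reading is my assumption, not something the post states. The policy path and the Chrome path are placeholders.

```powershell
# Added example, not the post's own code. Classifies each file's signature
# (embedded / catalog / none) and derives the Publisher-level signer MDAC
# would match, then compares it with the <Signers> in a policy XML.
# ASSUMPTION: CertRoot Type="TBS" = hash(tbsCertificate DER of the issuing CA),
# hashed with the CA certificate's own signature hash algorithm.

function Get-TbsHash {
    param([Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $der = $Cert.RawData
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {...}, signatureAlgorithm, signatureValue }
    # Skip the outer SEQUENCE header, then measure the inner SEQUENCE (the TBS).
    $pos = 1
    $lenByte = $der[$pos]; $pos++
    if ($lenByte -ge 0x80) { $pos += ($lenByte -band 0x7F) }   # long-form length of outer SEQUENCE
    $tbsStart = $pos
    $pos++                                                     # inner tag byte (0x30)
    $lenByte = $der[$pos]; $pos++
    if ($lenByte -lt 0x80) { $tbsLen = $lenByte }
    else {
        $n = $lenByte -band 0x7F; $tbsLen = 0
        for ($i = 0; $i -lt $n; $i++) { $tbsLen = ($tbsLen * 256) + $der[$pos]; $pos++ }
    }
    $tbs = [byte[]]$der[$tbsStart..($pos + $tbsLen - 1)]       # header + contents of the TBS
    # Hash algorithm follows the certificate's signature algorithm (sha256RSA -> SHA256, ...)
    $hashName = switch -Wildcard ($Cert.SignatureAlgorithm.FriendlyName) {
        'sha1*'   { 'SHA1' }
        'sha384*' { 'SHA384' }
        'sha512*' { 'SHA512' }
        default   { 'SHA256' }
    }
    $hash = [Security.Cryptography.HashAlgorithm]::Create($hashName).ComputeHash($tbs)
    ($hash | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Get-PublisherRule {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File          = $Path
        Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        SignatureType = $sig.SignatureType   # Authenticode (embedded), Catalog, or None
        IsOSBinary    = $sig.IsOSBinary
        IssuerName    = $null
        CertRoot      = $null
        CertPublisher = $null
    }
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
        $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; no CRL/OCSP traffic
        [void]$chain.Build($sig.SignerCertificate)
        # Publisher level = the CA one step above the leaf, plus the leaf's CN.
        if ($chain.ChainElements.Count -ge 2) {
            $issuer = $chain.ChainElements[1].Certificate
            $result.IssuerName    = $issuer.GetNameInfo('SimpleName', $false)
            $result.CertRoot      = Get-TbsHash $issuer
            $result.CertPublisher = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
        }
    }
    [pscustomobject]$result
}

function Test-PolicySigners {
    param([string]$PolicyXml, [string[]]$Files)
    [xml]$policy = Get-Content -Raw -Path $PolicyXml
    $signers = $policy.SiPolicy.Signers.Signer
    foreach ($f in $Files) {
        $rule = Get-PublisherRule $f
        # A signer matches when CertRoot agrees and, if the rule has a CertPublisher, the leaf CN agrees too.
        $match = $signers | Where-Object {
            $_.CertRoot.Value -eq $rule.CertRoot -and
            ($null -eq $_.CertPublisher -or $_.CertPublisher.Value -eq $rule.CertPublisher)
        }
        $rule | Add-Member -NotePropertyName AllowedBySigner -NotePropertyValue ([bool]$match) -PassThru
    }
}

# Placeholder paths: adjust to your policy file and installed applications.
Test-PolicySigners -PolicyXml 'C:\Temp\policy.xml' -Files @(
    "$env:windir\System32\notepad.exe",
    'C:\Program Files\Google\Chrome\Application\chrome.exe',
    'C:\Program Files\7-Zip\7zFM.exe'
) | Format-Table File, SignatureType, IssuerName, CertPublisher, AllowedBySigner -AutoSize
```

For notepad.exe the output shows SignatureType Catalog with IssuerName "Microsoft Windows Production PCA 2011" and CertPublisher "Microsoft Windows", which is why the two signers in the XML above allow it; for 7zFM.exe the Status is NotSigned, so no signer rule can ever match it. Like sigcheck, Get-AuthenticodeSignature only finds catalog signatures for catalogs that are present in the local CatRoot store.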

There's nothing in the file properties to tell us directly why notepad.exe is allowed. But the Sigcheck utility from Sysinternals shows why: in this case notepad.exe is listed in the signed catalog C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1255_for_KB4523205~31bf3856ad364e35~amd64~~10.0.1.10.cat. The command to do this is sigcheck.exe -i notepad.exe, and the output is below.

C:\WINDOWS\system32\notepad.exe:
     Verified:   Signed
     Link date:  04:52 26/11/1996
     Signing date:   19:20 08/11/2019
     Catalog:    C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1255_for_KB4523205~31bf3856ad364e35~amd64~~10.0.1.10.cat
     Signers:
        Microsoft Windows
         Cert Status:    Valid
         Valid Usage:    NT5 Crypto, Code Signing
         Cert Issuer:    Microsoft Windows Production PCA 2011
         Serial Number:  33 00 00 02 32 41 FB 59 99 6D CC 4D FF 00 00 00 00 02 32
         Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
         Algorithm:  sha256RSA
         Valid from: 21:24 02/05/2019
         Valid to:   21:24 02/05/2020
        Microsoft Windows Production PCA 2011
         Cert Status:    Valid
         Valid Usage:    All
         Cert Issuer:    Microsoft Root Certificate Authority 2010
         Serial Number:  61 07 76 56 00 00 00 00 00 08
         Thumbprint: 580A6F4CC4E4B669B9EBDC1B2B3E087B80D0678D
         Algorithm:  sha256RSA
         Valid from: 18:41 19/10/2011
         Valid to:   18:51 19/10/2026
        Microsoft Root Certificate Authority 2010
         Cert Status:    Valid
         Valid Usage:    All
         Cert Issuer:    Microsoft Root Certificate Authority 2010
         Serial Number:  28 CC 3A 25 BF BA 44 AC 44 9A 9B 58 6B 43 39 AA
         Thumbprint: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
         Algorithm:  sha256RSA
         Valid from: 21:57 23/06/2010
         Valid to:   22:04 23/06/2035
     Counter Signers:
        Microsoft Time-Stamp Service
         Cert Status:    Valid
         Valid Usage:    Timestamp Signing
         Cert Issuer:    Microsoft Time-Stamp PCA 2010
         Serial Number:  33 00 00 01 13 B3 70 87 3D FA F0 C8 24 00 00 00 00 01 13
         Thumbprint: 3D57569160D39D8863D2983809B2130A97B8EE95
         Algorithm:  sha256RSA
         Valid from: 23:19 23/10/2019
         Valid to:   23:19 21/01/2021
        Microsoft Time-Stamp PCA 2010
         Cert Status:    Valid
         Valid Usage:    All
         Cert Issuer:    Microsoft Root Certificate Authority 2010
         Serial Number:  61 09 81 2A 00 00 00 00 00 02
         Thumbprint: 2AA752FE64C49ABE82913C463529CF10FF2F04EE
         Algorithm:  sha256RSA
         Valid from: 21:36 01/07/2010
         Valid to:   21:46 01/07/2025
        Microsoft Root Certificate Authority 2010
         Cert Status:    Valid
         Valid Usage:    All
         Cert Issuer:    Microsoft Root Certificate Authority 2010
         Serial Number:  28 CC 3A 25 BF BA 44 AC 44 9A 9B 58 6B 43 39 AA
         Thumbprint: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
         Algorithm:  sha256RSA
         Valid from: 21:57 23/06/2010
         Valid to:   22:04 23/06/2035
     Company:    Microsoft Corporation
     Description:    Notepad
     Product:    Microsoft® Windows® Operating System
     Prod version:   10.0.17763.475
     File version:   10.0.17763.475 (WinBuild.160101.0800)
     MachineType:    64-bit

We can see the digital signature in the properties of the catalog file itself.

[Screenshot: Catalog File Digital Signature]

However, Sigcheck shows that 7zFM.exe is NOT signed, neither with an embedded signature nor through a catalog, so we will not be able to use a signer to allow it to run.

c:\program files\7-zip\7zFM.exe:
     Verified:   Unsigned
     Link date:  16:00 21/02/2019
     Publisher:  n/a
     Company:    Igor Pavlov
     Description:    7-Zip File Manager
     Product:    7-Zip
     Prod version:   19.00
     File version:   19.00
     MachineType:    64-bit

Sigcheck can also be used to scan a folder for unsigned executable files: sigcheck.exe -u -s -e [folder to check]. This tells you in advance whether a policy built from certificate signers will be enough to allow an application to run, or whether the unsigned files will need hash rules or a custom catalog.
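As an added PowerShell equivalent of that folder scan (my code, not from the post), the following recurses a folder, keeps only real PE files by checking for the MZ header rather than trusting extensions (the same idea as sigcheck -e), and reports how each one is signed. The extra information over the sigcheck -u listing is the SignatureType column, which separates catalog-signed files from files with an embedded signature. The 7-Zip folder is used as the sample input because it appears above; any folder path works.

```powershell
# Added example, not the post's own code: a PowerShell stand-in for
# "sigcheck.exe -u -s -e <folder>" that also shows whether a signature is
# embedded (Authenticode) or comes from a catalog (Catalog).

function Test-IsPeFile {
    param([string]$Path)
    # A PE file starts with the DOS header magic 'MZ' (0x4D 0x5A).
    try {
        $fs = [IO.File]::OpenRead($Path)
        try {
            $buf = New-Object byte[] 2
            $read = $fs.Read($buf, 0, 2)
            return ($read -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
        } finally { $fs.Dispose() }
    } catch { return $false }   # locked or unreadable files are skipped
}

function Get-PeSignatureReport {
    param(
        [string]$Folder,
        [switch]$IncludeSigned    # default: only files a signer rule cannot allow
    )
    Get-ChildItem -Path $Folder -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { Test-IsPeFile $_.FullName } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File          = $_.FullName
                Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                SignatureType = $sig.SignatureType   # Authenticode / Catalog / None
                Publisher     = if ($sig.SignerCertificate) {
                                    $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
                                } else { 'n/a' }
            }
        } |
        Where-Object { $IncludeSigned -or $_.Status -ne 'Valid' }
}

# How much of the folder would a pure signer policy cover? (sample folder from the post)
Get-PeSignatureReport -Folder 'C:\Program Files\7-Zip' -IncludeSigned |
    Group-Object SignatureType | Select-Object Name, Count

# The equivalent of New-CIPolicy's TMP file: everything that needs a hash rule or a catalog.
Get-PeSignatureReport -Folder 'C:\Program Files\7-Zip' | Format-Table File, Status -AutoSize
```

Run against C:\Windows\System32 with -IncludeSigned, most entries come back as Catalog rather than Authenticode, which is the behaviour the post observes: the files look unsigned in Explorer but a signer-only policy still allows them. A file reported as HashMismatch is also worth a look, since MDAC will treat it like an unsigned file even though a signature is present.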
