I downloaded & installed Avast Free using the installer from avast.com, but the SHA-1 certificate was out of date by approx. 1 month. However, the SHA-256 certificate was valid. (Both certs were signed in July.)
I downloaded & installed Avast Free on a 2nd laptop. This time the installer file had 2 valid certs, both signed in November.
Have I used a malicious installer on the first laptop?
If yes, what do I need to do to make sure the laptop is not compromised with malware?
From memory, I downloaded it from bits.avcdn.net, possibly the en-ww location?
The file was avast_free_antivirus_setup_online.exe (I think; I'll check on the laptop).
How do I test the file at VT?
(Do I need to upload it somehow?)
Thanks for looking into this for me;
however, I have a few questions to put my mind at rest:
On the file I submitted to VT the last submission date is 2019-11-06 01:45:13,
whereas I submitted it on 15th Nov!
(Or tried to!)
So has VT analysed the file stored on my drive?
(Or is it looking at an earlier submission by someone else?)
(I uploaded a different file and the last submission date was correct!)
I noticed some differences between the files I checked:
under Relations it had 1 execution parent on the suspect file,
and under Behaviour > Processes tree it had 3004 - factura.exe.
Thanks for the VT support link, lots of useful info, but it didn't answer my questions!
The last submission date is still a puzzle!
I compared the details/behaviour with another Avast installer downloaded using Edge, hence my earlier questions.
I also noticed some different calls, specifically IsDebuggerPresent, and searching found the following description:
IsDebuggerPresent is a function available in the kernel32.dll library. This function is often used in malware to complexify reverse engineering because it will take different paths in the program's flow when the malware is analysed in a user-mode debugger such as OllyDbg.
I appreciate no engines detected the file as malicious; however, as the certificate was out of date, how sure are you that the file hasn't been modified/tampered with?
Thanks for the reply; however, I read recently that once a certificate is out of its validity period, it will be removed from any revocation list to save the list getting too long.
This means you wouldn't know if the certificate had been revoked!
Also, I have tried uploading the suspect installer several times, but the last submission date hasn't changed from 2019-11-06. (I tried again just now, but the date is still the same!)
I wonder if something is blocking the upload?
(I managed to upload a different file OK & the last date was correct!)
Another question: why does Avast allow a certificate to expire?
Surely this isn't good from a security point of view!
The link Asyn posted in #5 shows its submission date as 2019-11-22 for me?
I'm not quite sure, but it is possible that VirusTotal has some flood-prevention systems.
Another question: why does Avast allow a certificate to expire?
As you see, Avast has a new certificate that can sign executables in November.
For old installers, it is unavoidable, since certificates can only be renewed (not extended) and of course time passed ;)
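The two questions that keep coming up in this thread (how to check the installer's signature when one of its certificates has expired, and how to get a VirusTotal verdict for the exact file on disk without re-uploading it) can both be answered from a PowerShell prompt on the laptop itself. The script below is an added example written for this reply; it is not from the original thread and not Avast's or VirusTotal's own tooling. The installer path is an assumption (change it to wherever the file actually is), and the signtool command at the end assumes the Windows SDK is installed.

```powershell
# Added example (not from the thread): inspect an installer's Authenticode
# signature and produce the hashes needed to look it up on VirusTotal
# without uploading it again.
param(
    # Assumed location of the downloaded installer; adjust as needed.
    [string]$Path = "$env:USERPROFILE\Downloads\avast_free_antivirus_setup_online.exe"
)

$sig = Get-AuthenticodeSignature -FilePath $Path

"Status            : $($sig.Status)  ($($sig.StatusMessage))"
if ($sig.Status -eq 'NotSigned') { return }

$cert = $sig.SignerCertificate
"Signer            : $($cert.Subject)"
"Signer thumbprint : $($cert.Thumbprint)"
"Signing cert valid: $($cert.NotBefore.ToString('u')) to $($cert.NotAfter.ToString('u'))"
"Cert expired now? : $($cert.NotAfter -lt (Get-Date))"

# A timestamp countersignature is what lets a signature stay 'Valid' after the
# signing certificate expires: Windows checks the certificate's validity at the
# time of signing rather than at the time of verification. Without one, expiry
# really does invalidate the signature, so its absence is the thing to worry about.
if ($sig.TimeStamperCertificate) {
    "Timestamped by    : $($sig.TimeStamperCertificate.Subject)"
} else {
    "WARNING: no timestamp countersignature; this signature will not survive cert expiry"
}

# Hashes: paste the SHA-256 into the VirusTotal search box (or open
# https://www.virustotal.com/gui/file/<sha256>) to find the existing report for
# this exact file instead of re-uploading it. If the hash is unknown there, the
# file on your disk has never been submitted by anyone and is not the one whose
# report you were reading.
foreach ($alg in 'SHA1', 'SHA256') {
    $h = Get-FileHash -Path $Path -Algorithm $alg
    "{0,-18}: {1}" -f $alg, $h.Hash
}

# Get-AuthenticodeSignature reports only the primary signature. Dual-signed
# files (SHA-1 plus SHA-256, as in this thread) carry a second, nested
# signature; signtool.exe from the Windows SDK lists both:
#   signtool verify /pa /all /v $Path
```

A `Status` of `Valid` on a file whose signing certificate's `NotAfter` is in the past is the normal outcome for an older, timestamped installer; `HashMismatch` would mean the file bytes no longer match what was signed, which is the tampering the original question is about.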
Thanks for the reply.
2019-11-22 is the review date, which matches the analysis date under Details/History.
The last submission date is still 2019-11-06. So you could be right that VT doesn't update every time.
Your explanation of the certificate issue makes sense. (I was offered an old installer.)
Question: why does the file have 2 certificates though?
And how can I get the latest installer?
I seem to get a different file depending on which browser I use and which laptop!
Can you choose the location or server?
Also the SHA-1 certificate is out of date; the SHA-256 is valid.
I also ran VT on the URL wireshark.org and 1 engine, CRDF, flagged the site as malicious!
How do I interpret this, i.e. is it a safe site?
(3 months previously it was clean, I think.)
Again, I ran VT on www.malwarebytes.com and 1 engine, Quttera, flagged it as malicious.
When I clicked the Malwarebytes link VT gave more details, including 10 URLs detected under the domain.