I’ve just been giving GlassWire a go, and am quite impressed by it. Great application and thanks for making this available for free for the moment at least.
I’ve been seeing some activity on my system that I can’t explain. There’s been quite a few instances of applications getting unsigned, and then being signed again followed by publisher name changes. Has anyone seen similar activity ? Any Windows experts around that have an explanation for this behaviour ?
Would you feel safe to post an example? Chrome auto-updates and so does Dropbox, so maybe it’s these? If so it’s normal. Could it be a Windows update during the night where your OS updated? It’s not unusual for me to see software version updates but I have never seen something completely unsigned then signed again. That’s strange.
Absolutely, here you go. I’ve noticed a few strange things here, and wanted to see if anyone else has picked up similar behaviour:
- Host process for windows services - signing/unsigning and changing publisher name almost daily
- Random numbered app - Cycling through publishers names of software that I do have installed. Glasswire tells me this is windows system.exe
- Chrome - Same behaviour as in #2, but performed by Chrome
All seems very strange. Anyway I can get some more verbose output from Glasswire to look into this ?
A quick google search says that system.exe is a virus/trojan. The reason I googled because I have never seen a system.exe file before, especially if its located in your Windows folder, not to mention its behavior is very odd. I suggest you upload the file somewhere like VirusTotal to give it a scan.
Thanks for your feedback all. I’ve spent a little bit of time on this over the weekend, including running every malware/AV I could get my hands on (nice tip on Herdprotect btw) but had nothing to come up. The previously mentioned system.exe file does not exist on my hdd, as I could not even find it when mounting the drive on Debian.
The other strange behaviour I’ve seen is shown in the new pictures added to the picture set of the link I sent previously - GlassWire starts off by reporting it as application ‘62’. Hovering over this only gives me a blank/unknown response. Once clicking on ‘Virus Scan’, the 64 turns into 4294967295 (the max value for a 32 bit unsigned int), and only then points to this system.exe file that does not exist.
The numbers make me think there may be a bug with GlassWire here as well, besides possibly having some unknown malware on my system. What are your thoughts ?
Please try completely uninstalling GlassWire and installing the new version we just released and let me know if it solves this problem https://www.glasswire.com/download/. I haven’t seen any other reports like this so far.
From what I understand from your previous posts, it does seem like what a malware would do. Googling a bit more, there are some reports that are more specific about it being a type of backdoor or keylogger. Since it does sound like the malware is unsigning apps to piggy back on it, then resigning it back so that the user can launch it without much suspicion. By latching on to other apps, it probably can be hard to detect. I assume that the malware file (system.exe?) appears temporarily because its unhooking from its previous app and moving on to the next app, disappearing after it is done.
You could try Zemana Antilogger, make sure you use the full version, not the freeware version, which works differently. There’s a full trial available, so that will do fine, we just want to check if anything is hooking onto your apps. If I’m not mistaken, Comodo Internet Security also has this integrated into it, but the last I use it, it tends to report everything and go crazy over me, so I got rid of it. Not sure what other software can do this.
This is just me theorizing wildly, so if it sounds wrong, or you know its wrong, please ignore me, and consult forums like at Malwarebytes. Even if I got it right, I still don’t know how to get rid of it.
Thanks for your response thewan. There’s actually no public research to show that apps can be unsigned - so if it really is malware, then it’s going to be an interesting hunt for me.
Having said that, I’ve now installed the latest GlassWire update and I havn’t seen any funny activity all day. I’ll let you know how it develops
I just had the same behavior while running Windows Update, svchost.exe appeared not signed and with an empty author field. Five minutes later it got back with the original author (it appears that there is no message for the reintroduction of a signature). The file version is exactly the same, but I guess that’s expected for most Windows Update binary patches.
I’d upload a screenshot but new users can’t.
tillo, what GlassWire version are you using? Go to the top left GlassWire menu and choose “About”. Thanks!
The svchost change is the only one that is back for me as well. I have not noticed that it coincides with Windows Update - but if it does, that sounds legit and surprises me that no one else here has seen that behaviour.
I’m running what should be the latest version of Glasswire - 1.0.25b
Thank you. We’ll try to recreate this problem and solve it. I haven’t seen this myself so far.
I also have the latest version, 1.0.25b. By the way, it happened again: this time during shutdown (signature and publisher missing) and startup (publisher reinstated). Now that I think about it, it happened during shutdown and startup even the first time, but that time I rebooted after updating the system, this time there was no update.
Checking in on this topic to see if any update. I have also observed this “no longer signed”, then publisher changed to empty value, then publisher value restore the next day (probably @ reboot). Happens to “System” that has “none” for Name, Path, Version, & Publisher values. Finally had some time to find this topic and hopefully get to the bottom of it. Have a screen shot if it will let me post picts now (NOPE).
Here you go,
I get this everytime I start my windows and/or after windows updates. I’ve reported it several times here since the initial version but it was never fixed.
Source : Host process for windows
I’m not sure exactly how the signing process works for Windows, but it would make sense to have system files unsigned before you can update them, and then signed again. There is no public domain information about there being any security issues with the DLL signing process in Windows, so I’m assuming this is standard Windows behaviour. Why this process would require the publisher name to be changed so frequently is strange however.
What does worry me though is that it appears that not everyone (including some Glasswire devs) see’s these alerts ? Can we get an update from Glasswire here - some technical details as to the bugs you fixed already would help as well please.
There is no signing during the update. Files are signed after compilation and before distribution by Microsoft and partners.
It could be, however, that the files are written in a way that makes them seen as unsigned while the writing has not finished.
For example the file description could be set on non-exclusive while writing and if the disk is slow enough GlassWire will read them as corrupted, or when a file is truncated for replacement the signature state within GlassWire is erased and gets back as soon as it reads the new file.
The possibilities are many, but only a developer with a deep knowledge of the libraries and code involved can solve or mitigate the bug.
We will try to recreate this bug again and solve it. I haven’t seen it anymore on any of my machines.
Thanks Anirudra_Diwakar, bjohnson, tillo & Servo_GlassWire!
I have read that sometimes installers/updaters will strip the signing certificates before deleting a file to reduce size, or something to that effect. My ignorance in this area is sensational.
The screen shot helped in two ways: it is exactly what I am seeing, and, I also had the same event happen yesterday. I didn’t see it until after I had run a boot-time scan initiated about the same time (which did flag some files, since quarantined or deleted). So I was concerned I was seeing some type of evasive action until I saw the screen shot.
I just checked and somehow, my Windows updates has been set to auto-everything. I have backed it off so I can control it and see what happens with the signing/publisher name, specifically during an update. A nagging worry is that Windows update shows the last update was installed two days ago. A subsequent boot-time scan revealed no issues and no flags in GlassWire. Sorry for long post.