Applications no longer signed, and publisher name changes

I wonder if an uninstall, reboot, then reinstall would fix this problem? Maybe some of the users have older drivers that didn’t update on reboot somehow? We aren’t seeing this on our machines.

Ken_GlassWire, I uninstalled, rebooted and then reinstalled. The alerts are still there.

@Servo_GlassWire
So, anyways, I tried to conduct an experiment.
I created a program to monitor the svchost.exe’s digital signature in real-time using the sigcheck tool and some old school batch files. I created a logger, which would monitor the digital signatures as the Windows Updates were starting.

Started the logging and Windows updates, the alerts on GlassWire popped up at 6:52:01 as shown in the screenshot.

Now, to my surprise, the output of digital signatures logged during that time is as follows:


06:51 PM

Sigcheck v2.1 - File version and signature viewer
Copyright © 2004-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\svchost.exe:
Verified: Signed
Signing date: 3:53 AM 02-Mar-11
Publisher: Microsoft Windows
Description: Host Process for Windows Services
Product: Microsoft® Windows® Operating System
Prod version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)
MachineType: 32-bit


06:51 PM

Sigcheck v2.1 - File version and signature viewer
Copyright © 2004-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\svchost.exe:
Verified: Unsigned
Link date: 10:15 AM 01-Mar-11
Publisher: Microsoft Corporation
Description: Host Process for Windows Services
Product: Microsoft® Windows® Operating System
Prod version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)
MachineType: 32-bit


06:51 PM

Sigcheck v2.1 - File version and signature viewer
Copyright © 2004-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\svchost.exe:
Verified: Unsigned
Link date: 10:15 AM 01-Mar-11
Publisher: Microsoft Corporation
Description: Host Process for Windows Services
Product: Microsoft® Windows® Operating System
Prod version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)
MachineType: 32-bit


06:51 PM

Sigcheck v2.1 - File version and signature viewer
Copyright © 2004-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\svchost.exe:
Verified: Signed
Signing date: 3:53 AM 02-Mar-11
Publisher: Microsoft Windows
Description: Host Process for Windows Services
Product: Microsoft® Windows® Operating System
Prod version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)
MachineType: 32-bit


06:52 PM

Sigcheck v2.1 - File version and signature viewer
Copyright © 2004-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\svchost.exe:
Verified: Signed
Signing date: 3:53 AM 02-Mar-11
Publisher: Microsoft Windows
Description: Host Process for Windows Services
Product: Microsoft® Windows® Operating System
Prod version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)
MachineType: 32-bit

I modified the sigcheck tool by SysInternals to monitor this in real-time during the updates. http://technet.microsoft.com/en-in/sysinternals/bb897441.aspx

So, I hereby conclude, the svchost.exe is stripped of its digital signatures during Windows Updates. It’s normal behavior and not a bug of GlassWire.

Notice the publisher name change from Microsoft Windows during signed state to Microsoft Corporation during unsigned state (and back to MS Windows when signed again), which explains the publisher name change alert.
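An added example, not part of the original post and not the poster's modified sigcheck tool: a small parser for a timestamped sigcheck log in the format shown above that reports each change in the Verified and Publisher fields between consecutive runs. The sample log is constructed from that format with the banner and date lines omitted; the function names are hypothetical.

```python
import re

# Constructed sample in the format of the log posted above (banner and
# date lines omitted); not a capture from a real machine.
SAMPLE_LOG = r"""06:51 PM
c:\windows\system32\svchost.exe:
Verified: Signed
Publisher: Microsoft Windows
06:51 PM
c:\windows\system32\svchost.exe:
Verified: Unsigned
Publisher: Microsoft Corporation
06:52 PM
c:\windows\system32\svchost.exe:
Verified: Signed
Publisher: Microsoft Windows
"""

STAMP = re.compile(r"^\d{1,2}:\d{2} [AP]M$")          # e.g. "06:51 PM"
FIELD = re.compile(r"^(Verified|Publisher):\s*(.+)$")  # fields worth tracking

def parse_records(text):
    """Split the log into one dict per timestamped sigcheck run."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if STAMP.match(line):
            current = {"time": line}
            records.append(current)
        elif current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return records

def transitions(records):
    """Return (time, field, old, new) for each change between consecutive runs."""
    changes = []
    for prev, cur in zip(records, records[1:]):
        for field in ("Verified", "Publisher"):
            if prev.get(field) != cur.get(field):
                changes.append((cur["time"], field, prev.get(field), cur.get(field)))
    return changes

if __name__ == "__main__":
    for change in transitions(parse_records(SAMPLE_LOG)):
        print(change)
```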

Nice work. Still doesn’t explain why some people don’t see it, and the devs are not able to reproduce it. Could you make your modified version of sigcheck available for them so they can replicate what you’ve done please?


I’d be happy to help, but it’ll be no use for them unless they find a way to trigger the alerts in the first place. This tool merely verifies what glasswire already told us.

I’m still not sure why only some people are experiencing this and some are not. Could it be possible that this is limited to 32-bit users (or maybe only on Windows 7)? Is anyone on 64-bit OS getting this?

They’d have to trigger Windows updates while running sigcheck, shouldn’t be an issue at all really.

I’m running on Win7/64

GlassWire, can we get an update from you on this please?

We haven’t seen this on our machines for some reason and we have a pretty diverse group. I will see if we can request some logs or something else on our end.

I’m also seeing this error, and got it this am
I’m running ver: 1.0.38b.
I have windows 7, 64 Bit


I’m on Win7 x64 and experience the same issue (as a new user I’m unable to post a screenshot).

Are you sure this is normal behavior? To me it sounds rather suspicious (not to mention that devs are unable to reproduce it). Imagine what if some code was injected into svchost.exe during that “unsigned state”? I would call it far from normal behavior - otherwise it would pose a security risk. If this issue isn’t some side effect as tillo explains, then it should be investigated further as possible malware (rootkit) behavior.


Hi all.
Please find here a snapshot of what just registered with GlassWire log concerning changes in svchost
http://postimg.org/image/upyxpkl5d/

I noticed too that it happens just before an update, anyway can’t explain why sometimes everything seems to return signed just after the updates then sometimes just the following day or in some cases a few days after.

I can’t believe this could be considered as a normal behaviour.

Version of GlassWire was the previous one (1.06 ?) now I have just installed 1.1.7b, OS WIN7 64, let’s see if trouble will emerge again

Well, I am using it
and I don’t have any problem with APPLICATION INFO CHANGED
so I think they must have patched it

Any update on this issue? I just upgraded GlassWire from 1.0.x to 1.1.32b but still getting the same alerts. I’m on Windows 7 64-bit. Please see the screenshot below. Thanks!

Could you try uploading the file to VirusTotal.com and see if anything appears? If not could you uninstall GlassWire and delete its GlassWire folder in “ProgramData” and then reboot, then reinstall again and check it?

Thank you Ken!
I followed your instructions (as below) and those alerts haven’t come again so far.

  1. uninstall GlassWire and delete its GlassWire folder in “ProgramData”
  2. reboot the computer
  3. install the latest version of GlassWire

I noticed the same behaviour on svchost.exe changing from signed/unsigned and from publisher Microsoft to empty and back again. I will look into it when I have some time. I was installing Visual Studio 2017 when I noticed it. I will look through the logfiles and see if there was an update running at the same time it changes. I saw several entries that svchost changed at different times, my GlassWire version is 1.2.109 free version.

nizchka
