Unsigned GlassWire Control Service

Hi, I am writing in because I have been experiencing by far one of the worst attacks on a network and I have been using GlassWire among other things to combat it. I stumbled across a bug bounty that led me here and so I figured I would see if it was indeed a bug or a false positive. GlassWire itself is in my opinion not protected (perhaps on purpose) as highly as some antivirus software out there. I am not saying it is a bad thing, but when your system is compromised then it becomes a very bad thing. I noticed that out of nowhere the service became an ongoing task and would start with GlassWire. VT gave it a score of 1/72 and here’s the Bounty/Report:

https://www.virustotal.com/gui/collection/3b66538f970fdd365f05f865641cd4b1b38d013b07e86d47e0ef680fbfbdeb0e

Here is my report on VirusTotal.

c:\program files (x86)\glasswire\gwctlsrv.exe
C:\Program Files (x86)\GlassWire\GWCtlSrv.exe refers to the GlassWire Control Service, which is a crucial component of the GlassWire network security software.
Here’s a breakdown of its purpose and functions:
Core Functionality: It’s the backend service that does the heavy lifting for GlassWire, handling firewall operations, network activity monitoring, and data collection.
Data Processing: It collects and processes network information, which the GlassWire user interface (Glasswire.exe) then uses to display network activity, alerts, and statistics.
Firewall Management: The GlassWire Control Service works with the Windows Firewall API to apply firewall rules and manage network connections.
Communication with UI: It communicates locally with the GlassWire user interface (UI) to provide information and implement user actions, such as blocking applications.
Updates and Suspicious Host List: The service also checks for software updates and updates its list of suspicious hosts.
Essentially, GWCtlSrv.exe is the engine that powers GlassWire’s network monitoring and security features.
Important Note: Although some users have reported antivirus software flagging GWCtlSrv.exe as potentially malicious, these are generally considered false positives. If you obtained your GlassWire software from the official GlassWire website, the GWCtlSrv.exe file is legitimate and safe. GlassWire has even stated that they would pay $10,000 USD to anyone who reports a real Trojan in their official software.
If you are experiencing issues with the GlassWire Control Service, such as high CPU usage or crashes, you can refer to the GlassWire forums or GlassWire user guide for troubleshooting tips.

GlassWire is not antivirus software and the background service is signed.

@AyoYayo, really not sure why you have posted this. If you are comparing GlassWire to antivirus software, then they are not the same and operate in different domains of a security model. If it is a gripe about whether GlassWire takes measures similar to antivirus software to protect its executables (from alteration, uninstallation, disabling etc.), then again you need to remember these pieces of software are not doing the same thing. To make such an argument would be like saying that every bit of software you download and install on your machine must take the same measures to prevent uninstallation, disablement, alteration.

The GWCtlSrv.exe is a signed executable as @ittroll has already commented, so there is that at least.

My big gripe is that anyone in the security profession these days who thinks using anything signed by Sectigo (um, you remember Comodo) could actually be trusted is sadly lacking in judgment. Do some basic research on this company and you’ll soon learn just how poor their security practices have been. The fact that they think creating a new company called Sectigo would supposedly wash away all their sins, and everyone would forget, was and is a joke. We don’t forget, but others sure still need reminding.

Shame on Domotz Inc. for supporting a company by using code signing certificates issued by these melonheads. So while the OP may have been slightly misplaced in their concerns, it certainly served to expose just how little GlassWire takes their security and that of their customers seriously. Quite frankly you can’t trust the executable because it is signed by Sectigo, a company that has flagrantly disregarded the most basic security practices required of being a CA and has, as is well published, been so badly compromised in the past with the issuing of fraudulent certificates that you could never trust this company again.

No doubt Domotz has gone for the cheapest option, and as the age-old saying goes, “You get what you pay for”, and in this case it ain’t much.
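The thread turns on two things a reader can check for themselves: whether GWCtlSrv.exe really carries a valid Authenticode signature, and which CA chain that signature rests on. The PowerShell below is an added example written for this thread, not code from GlassWire or from any poster; it assumes the default install path quoted in the first post and a Windows host with network access for revocation checking.

```powershell
# Added example: verify the signature, chain, hash and service binding of GWCtlSrv.exe.
# Assumes the default install path from the thread; adjust $Path if installed elsewhere.
$Path = 'C:\Program Files (x86)\GlassWire\GWCtlSrv.exe'

# 1. Authenticode status: Valid, NotSigned, HashMismatch, UnknownError, ...
$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status) ($($sig.StatusMessage))"

if ($sig.SignerCertificate) {
    # 2. Who signed the file and which CA issued the signing certificate.
    $cert = $sig.SignerCertificate
    "Signer           : $($cert.Subject)"
    "Issuer           : $($cert.Issuer)"
    "Cert validity    : $($cert.NotBefore) -> $($cert.NotAfter)"
    "Timestamped by   : $($sig.TimeStamperCertificate.Subject)"

    # 3. Build the full chain so the root CA (e.g. a Sectigo/Comodo root) is visible,
    #    with online revocation checking; any chain problem is listed with '!'.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $built = $chain.Build($cert)
    "Chain builds     : $built"
    $chain.ChainElements | ForEach-Object { "  - $($_.Certificate.Subject)" }
    $chain.ChainStatus  | ForEach-Object { "  ! $($_.Status): $($_.StatusInformation)" }
}

# 4. SHA-256 of the file on disk, to compare against the VirusTotal entry.
$hash = Get-FileHash -Path $Path -Algorithm SHA256
"SHA256           : $($hash.Hash)"

# 5. Confirm the registered service actually points at this file and how it starts,
#    since the first post noted the service had become an ongoing, auto-started task.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*GWCtlSrv*' } |
    Select-Object Name, State, StartMode, PathName
```

A `Valid` status with a chain that builds only tells you the file is unmodified since signing and that Windows trusts the root; whether you trust that root is the judgement the later posts argue about.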