
How can enterprises defend against digitally signed malware?

Malicious software using legitimate digital certificates is reportedly on the rise. Expert Nick Lewis explains how to mitigate the risks of digitally signed malware.

Digitally signed malware is increasing, according to a new study from Kaspersky Lab. Are there any ways to detect and/or mitigate the risk of malicious files using legitimate digital certificates?

One of the most important steps when using software signed with digital certificates is checking whether the signing certificate has been revoked. If any signing certificate -- especially a software signing certificate -- has been compromised, it should be revoked immediately.

It may also be in the software developer's best interest to be transparent: notify customers that the software signing certificate was revoked and explain how security was improved so this won't happen again. Customers who check certificate revocations may notice the certificate is revoked and then ask what happened, so preempting this confusion can demonstrate how committed a software developer is to security.

On the other hand, if a customer notifies the software developer of a compromised certificate that the developer has not yet identified, it should investigate immediately and revoke the certificate.

The threat of digitally signed malware is certainly extending to the enterprise. New research from Kaspersky Lab found that digitally signed malware is growing exponentially -- and enterprises had best be prepared for it.

Potentially the most effective step in mitigating the risk of digitally signed malware is to allow only approved executables to run on endpoint systems; this can be accomplished by whitelisting the approved executables. It would require significantly more effort for attackers to successfully compromise endpoints with signed malware, because a valid signature alone would no longer be enough to get a file executed.

Other steps enterprises can take include checking whether software is signed by a certificate from a well-known and trusted authority, or, more strictly, only by an approved certificate authority. Enterprises may also want to inventory all files on a system and check each signed file to see who signed it, to ensure that existing files would meet the signing requirements applied to new files.

At a minimum, enterprises should enable endpoints to check for revocation for signed software.
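The checks described above (inventory the signed files on an endpoint, record who signed each one, compare the signer against an approved list, and verify that the signing chain has not been revoked) can be scripted on Windows. The following is an added example, not code from the original article or from Kaspersky Lab; it uses the built-in Get-AuthenticodeSignature cmdlet and the .NET X509Chain class. The scan path and the approved publisher subject name are constructed placeholders that an enterprise would replace with its own values.

```powershell
# Added example: inventory signed executables, enforce an approved-publisher allowlist,
# and perform an online revocation check of each signer's certificate chain.
param(
    # Constructed example scan path; point this at the directories you want inventoried.
    [string]$ScanPath = 'C:\Program Files',
    # Constructed placeholder: subject names of publishers approved to run on endpoints.
    [string[]]$ApprovedPublishers = @('CN=Example Approved Vendor, O=Example Corp, C=US')
)

# Code Signing extended key usage; the signer's chain must be valid for this purpose.
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'

function Test-SignerChainRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online mode consults the CRL/OCSP endpoints named in each certificate.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    # Check every certificate in the chain, not just the leaf.
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]$CodeSigningEku) | Out-Null

    $built    = $chain.Build($Cert)
    $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    [pscustomobject]@{
        ChainValid = $built
        Revoked    = ($statuses -contains 'Revoked')
        # Treat "could not determine" as a failure: blocking CRL/OCSP reachability is
        # cheap for an attacker, so an unknown status must not be silently accepted.
        RevocationUnknown = ($statuses -contains 'RevocationStatusUnknown') -or
                            ($statuses -contains 'OfflineRevocation')
        Detail     = ($statuses -join ', ')
    }
}

Get-ChildItem -Path $ScanPath -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer  = $sig.SignerCertificate
    $verdict = 'BLOCK'
    $reason  = $sig.Status.ToString()   # e.g. NotSigned, HashMismatch, NotTrusted

    if ($sig.Status -eq 'Valid' -and $signer) {
        $rev = Test-SignerChainRevocation -Cert $signer
        if ($rev.Revoked) {
            $reason = 'signer certificate revoked'
        } elseif ($rev.RevocationUnknown -or -not $rev.ChainValid) {
            $reason = "chain check failed: $($rev.Detail)"
        } elseif ($ApprovedPublishers -notcontains $signer.Subject) {
            # A valid signature from an unknown publisher is exactly the signed-malware case.
            $reason = 'publisher not on allowlist'
        } else {
            $verdict = 'ALLOW'
            $reason  = 'valid signature from approved publisher'
        }
    }

    [pscustomobject]@{
        File       = $_.FullName
        Subject    = if ($signer) { $signer.Subject } else { '' }
        Thumbprint = if ($signer) { $signer.Thumbprint } else { '' }
        Verdict    = $verdict
        Reason     = $reason
    }
} | Format-Table -AutoSize
```

Run it with `.\Inventory-SignedFiles.ps1 -ScanPath 'C:\Program Files' -ApprovedPublishers 'CN=...'`. The script is a detective control: it reports which files would fail the policy. Enforcement of the same policy belongs in the platform's application whitelisting mechanism (for example, AppLocker or Windows Defender Application Control publisher rules), which evaluates the signer at execution time rather than at scan time.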


This was last published in October 2015
