Malicious Process Detection: Authenticode Microsoft Manufacturer

info Nessus Plugin ID 108411

Synopsis

Processes on the remote host contain Microsoft in the manufacturer name that do not have valid signatures.

Description

We were able to identify processes and modules running on the remote system that have 'Microsoft' as their registered Manufacturer and do not have valid authenticode signing. The majority of executables that come out of Microsoft are expected to have a valid signature and anything without a valid signature can be used to help narrow down potential threats. Some Microsoft executables slip through the cracks and make it out without being signed, so not all of the items reported here are malicious but it can assist in finding malicious executables.

Solution

This software should be investigated as it may be trying to appear as Microsoft software and may not be.

See Also

http://www.nessus.org/u?6a0123a1

http://www.nessus.org/u?c7777bf7

Plugin Details

Severity: Info

ID: 108411

File Name: wmi_malware_authenticode_manufacturer_microsoft.nbin

Version: 1.161

Type: local

Agent: windows

Family: Windows

Published: 3/19/2018

Updated: 11/22/2024

Supported Sensors: Nessus Agent, Nessus

Vulnerability Information

CPE: cpe:/o:microsoft:windows

Required KB Items: malscan/enabled