Malware Scan is a new service offered by SSL.com to software developers utilizing code signing certificates to assure that code is free of malware before being signed.
Benefits of Malware Scan
Malware Scan adds an extra layer of defense to code signing certificates. If malware is detected in the code, the signing is immediately prevented from being accomplished and the user is informed so that preventive action can be taken. Software developers, publishers, and distributors can now incorporate automated malware and code signing into the CI/CD environments. Despite code signing being automated in some form, the protection of private keys and signing certificates is usually done manually, putting these at risk of being stolen. Once ransomware gangs and other malicious actors are able to hack into the production environment of a software publishing company, they can secretly inject malware in the build process and cause disastrous consequences. This is what Malware Scan prevents.
How to use Malware Scan
Enabling the Malware Scan service on your SSL.com account is a first step before being able to use the service on eSigner Express, eSigner CodeSignTool, eSigner APi, or eSigner CKA.
-
- Scroll down to the SIGNING CREDENTIALS section and locate the part showing your eSigner certificate credentials. Make sure that the radio buttons that say signing credential enabled and malware blocker enabled are chosen. These will allow you to use the Malware Scan service on each of the eSigner toolkit.
- Scroll down to the SIGNING CREDENTIALS section and locate the part showing your eSigner certificate credentials. Make sure that the radio buttons that say signing credential enabled and malware blocker enabled are chosen. These will allow you to use the Malware Scan service on each of the eSigner toolkit.
- Scroll down to the SIGNING CREDENTIALS section and locate the part showing your eSigner certificate credentials. Make sure that the radio buttons that say signing credential enabled and malware blocker enabled are chosen. These will allow you to use the Malware Scan service on each of the eSigner toolkit.
Using Malware Scan on eSigner Express
- Upload your file to eSigner Express.
- After uploading, you will be prompted for the two-factor authentication code.
- If the file you uploaded contains malicious code, eSigner Express will flash this warning and prevent the signing: hash that needs to sign is a malware object hash
- If you disable Malware Scan on your order page, eSigner Express will immediately warn you.
Using Malware Scan on CodeSignTool
- Enable Malware Scan on your order page.
- Enter the Sign command on CodeSignTool. For more information on CodeSignTool commands, please refer to our article: eSigner CodeSignTool Command Guide.
- If the code you are attempting to sign on CodeSignTool is infected with malware, the signing will fail and you will get the warning, Error: hash that needs to sign is a malware object hash
Using Malware Scan on eSigner API
In this demo, Postman was used to call eSigner API.
- Enable Malware Scan on your SSL.com order page. Postman’s Scan Settings will then show “malware_scan_enabled”: true.
- If the file you uploaded to Postman contains malware, the signing process will halt and you will be promptly warned.
Using Malware Scan on eSigner Cloud Key Adapter (CKA)
- Click the malware blocker enabled radio button on your SSL.com order page.
- Install eSigner Cloud Key Adapter.
- Install eSigner CodeSignTool.
- Scan the code on CodeSignTool using the following command: scan_code [-hV] -input_file_path=<inputFilePath> -password=<PASSWORD> [-program_name=<programName>] -username=<USERNAME>
- Use SignTool to sign the code with eSigner CKA using the following command: "SignTool File path" sign /fd sha256 /trhttp://ts.ssl.com/td sha256 /sha1 certificate thumbprint "inputFilePath"
Parameters:
- -input_file_path=<PATH>: Path of code object to be signed.
- -username=<USERNAME>: SSL.com account username
- -password=<PASSWORD>: SSL.com account password.
- -program_name=<PROGRAM_NAME>: Name of program
- -credential_id=<CREDENTIAL_ID>: Credential ID for signing certificate. Your eSigner Credential ID is located in the same section of your SSL.com certificate order page where the radio buttons for Malware Scan are also enabled.
- SignTool File path: installation file path for SignTool
How to Disable Malware Scan
Note: Due to how msix files are compiled, at this time you will need to disable malware scanning. SSL.com is working to integrate Malware Scan for .MSIX files and will provide an update once this feature becomes available.
To disable the Malware Scan service, refer to the following instructions.
- Login to your SSL.com account. Click Orders from the top menu. Locate your order from the list displayed then click the download link to display your certificate details. Click the arrow or the Show Details link for the SIGNING CREDENTIALS section.
- Click the radio button for malware blocker disabled.
- You can now proceed to sign your file/s without undergoing malware scan.