1. Field of the Invention
This invention pertains in general to computer security and in particular to providing security in environments having digitally-signed files.
2. Description of the Related Art
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware and crimeware. Modern malware is often designed to provide financial gain to the attacker. For example, malware can surreptitiously capture important information such as logins, passwords, bank account identifiers, and credit card numbers. Similarly, malware can provide hidden interfaces that allow the attacker to access and control the compromised computer.
Attackers often camouflage malware by making the malware appear to be legitimate. Security software often implicitly trusts digitally-signed software. The signature identifies the entity that created the software and proves that the file containing the software has not been modified since signing. Therefore, the security software assumes that signed software does not contain malware and gives the software a low level of scrutiny. Attackers can obtain signing certificates through fraud or theft and use the certificates to sign files containing malware, thereby defeating the security software.
A certificate authority can revoke a certificate that is misused to sign malware. When notified of a revoked certificate, security vendors must decide how to evaluate software signed using the certificate. One possible technique is to no longer trust any files signed with the revoked certificate. However, this technique can result in false positive malware detections since legitimate files signed using the certificate might be detected as malware once the certificate trust is negated. Another possible technique is to continue to trust files signed with the revoked certificate. This second technique, however, can result in false negative malware detections since malware signed using the certificate will be trusted. Thus, there is a need for a way to handle revoked certificates that does not suffer from these drawbacks.
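The two techniques described above can be compared on a small corpus, which makes their failure modes concrete. The following Python is an added example, not part of the patent text and not the applicant's method: it scores each trust policy by the false positives (clean files treated as malware) and false negatives (malware trusted) it produces. The certificate serials, file names, dates and the corpus itself are constructed, and the third policy (trusting only signatures timestamped before the revocation date) is an assumed, commonly discussed mitigation included for contrast, not something the page proposes.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SignedFile:
    name: str
    cert_serial: str   # serial of the signing certificate (constructed value)
    signed_on: date    # signing timestamp (constructed; assumed trustworthy)
    is_malware: bool   # ground truth, known only to this evaluation harness


# Constructed revocation list: "CERT-A" is revoked on 2023-06-01 after its key
# was stolen; it had been used legitimately before that date.
REVOKED = {"CERT-A": date(2023, 6, 1)}

# Constructed sample corpus of signed files.
SAMPLE_FILES = [
    SignedFile("installer_v1.exe", "CERT-A", date(2023, 1, 15), False),
    SignedFile("updater_v2.exe",   "CERT-A", date(2023, 4, 2),  False),
    SignedFile("dropper.exe",      "CERT-A", date(2023, 6, 20), True),
    SignedFile("loader.dll",       "CERT-A", date(2023, 7, 3),  True),
    SignedFile("tool.exe",         "CERT-B", date(2023, 5, 5),  False),
]


def policy_distrust_all(f: SignedFile, revoked: dict) -> bool:
    """First technique from the text: nothing signed with a revoked certificate is trusted."""
    return f.cert_serial not in revoked


def policy_keep_trusting(f: SignedFile, revoked: dict) -> bool:
    """Second technique from the text: files signed with a revoked certificate stay trusted."""
    return True


def policy_trust_before_revocation(f: SignedFile, revoked: dict) -> bool:
    """Assumed third policy (not from the page): trust only signatures timestamped
    before the certificate's revocation date."""
    rev = revoked.get(f.cert_serial)
    return rev is None or f.signed_on < rev


def evaluate(policy, files=SAMPLE_FILES, revoked=REVOKED) -> dict:
    """Score a trust policy. Simplification: a file the policy does not trust is
    treated as a malware detection, and a trusted file is assumed to pass with
    low scrutiny, which is the behaviour the text attributes to security software."""
    fp = fn = 0
    for f in files:
        trusted = policy(f, revoked)
        if trusted and f.is_malware:
            fn += 1          # malware slips through on the strength of its signature
        elif not trusted and not f.is_malware:
            fp += 1          # legitimate file flagged only because its cert was revoked
    return {"false_positives": fp, "false_negatives": fn}


if __name__ == "__main__":
    for p in (policy_distrust_all, policy_keep_trusting, policy_trust_before_revocation):
        print(f"{p.__name__:32s} {evaluate(p)}")
```

On this corpus the first policy yields two false positives and no false negatives, the second the reverse, which is exactly the trade-off the paragraph describes. The timestamp-based policy scores zero on both only because the constructed corpus assumes the signing timestamps come from a trusted timestamping service and that the revocation date coincides with the start of misuse; if the key was abused before the revocation date, or the attacker can forge timestamps, that policy also trusts malware, so a deployment would need an independent misuse date rather than the revocation date alone.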