At the point of file upload or download, network edge security policies peek under the hood of each file to examine its contents. The inner contents of each file should tell well-configured policies (and the security administrators who manage them) everything they need to know about a file’s trustworthiness prior to it entering a network.

Everyday files like .pdf, .xlsx, .jpg, etc. are typically identified as dangerous for carrying malformed content or insecure behaviors – or for matching a specific virus or malware signature referenced from a research database. These indicators have been established from years of research and sandboxing to understand common malicious behaviors.

In the case of executable file types like .exe or .dll – which are commonly used in commercial software, drivers, installers and updaters, and sometimes even enterprise-developed tools – there is a significant reliance instead on Authenticode signatures to verify content safety.

These signatures are put in place by file publishers to verify the authenticity, integrity, and safety of executable files designed for a specific purpose. This rigorous form of authentication exists because executable file types are inherently more insecure than other file types; it’s part of their intrinsic behavior to directly execute code and make changes to a system.

What does Authenticode Signing Mean for an Executable File?

Authenticode was created by Microsoft specifically to address the critical need for trust and security in executable software distribution.

Authenticode signatures tell us who published executable files for a given software package, and improper signatures tell us whether those files have been tampered with at all. Authenticode uses digital signatures and public key cryptography to give assurances to users about the authenticity and integrity of a program.

Operating systems (particularly Windows) use these executable signatures to display publisher details about executable files and enforce policies like SmartScreen warnings (alerts designed to protect users from potentially malicious or unrecognized software and websites).

Why is it Important to Know Whether an Executable File is Authenticode Signed?

Any application or network handling .exe and/or .dll file uploads or downloads should have a mechanism for identifying valid Authenticode signatures. This is the simplest way to verify that executable content hasn’t been tampered with prior to entering a network.

Identifying Authenticode signatures chiefly help security tools and their administrators to decide whether to trust the software they’re receiving.

In many cases, internal enterprise security controls won’t allow unsigned .exe or .dll execution to begin with; rooting out unsigned content at the network edge can also serve the practice purpose of reducing internal warnings about executable content.

Authenticode Detection with Cloudmersive

Cloudmersive’s Advanced Virus Scan API identifies whether executable file types are Authenticode signed as part of its deep content inspection. The API surfaces signature details in the IsAuthenticodeSigned flag found within the ContentInformation object of the response:

 "ContentInformation": {
    "ContainsJSON": true,
    "ContainsXML": true,
    "ContainsImage": true,
    "RelevantSubfileName": "string",
    "IsAuthenticodeSigned": true
  }

This feature allows security systems to automatically flag unsigned files and enforce policy-based execution rules. This defends systems against executables which may have been tampered with prior to upload or download, providing an extra layer of defense against malicious payloads.

The Advanced Scan API can be integrated directly with individual web applications or deployed strategically at network chokepoints. These include forward proxies, reverse proxies, web application firewalls (WAFs), ICAP servers, and proxies adjacent to AWS, Azure, or GCP object storage containers for in-storage scanning.

Final Thoughts

Authenticode signatures prove that executable file types like .exe and .dll are unchanged from the version released by the file publisher. Detecting Authenticode is a critical part of defending any application or system against executable files that have been tampered with by bad actors.

To learn more about Authenticode signature detection with Cloudmersive, please feel free to contact a member of our team.