I have to buy a code-signing certificate, for signing Win32 applications, and I was considering whether to pick an EV one.
The advantages of EV certificates I was able to find are:
Immediate Smartscreen reputation establishment (instead of waiting for 3k downloads? [source] )
Maintenance of Smartscreen reputation across certificate renewals [source] (probably a moot point if point 1 applies anyway)
I wonder if they bring other advantages, for example if applications signed with them are more trusted than applications signed with non-EV certificates by antivirus, firewalls and other security applications (they get less blocked, provoke more favourable warnings, etc.).
I restate the case I'm most interested in: are you aware of differences in treatment by some specific antivirus/firewall/security application of applications signed with EV certificates, vs. applications signed with standard certificates?
The answer is code signing. To help users determine whether or not they can trust software before they install it, software publishers can digitally sign their code. A digital signature verifies who signed the code and that the code has not been subject to tampering.
What is EV Code Signing? EV Code Signing, short for Extended Validation Code Signing certificate, entails extensive vetting of the publisher. Additionally, in EV code signing certificates, the private keys are stored externally to prevent any unauthorized use.
EV certificates may only be issued to businesses and other registered organizations, not to individuals. An EV code signing certificate is required to sign Windows 10 drivers and provides an instant SmartScreen reputation boost. If you're not sure which code signing certificate you need, please read this FAQ.
The main purpose of code signing is to authenticate the author of the software, download or file. For example, a download file sent from Microsoft will appear to be much more trustworthy than a file from Joe Schmoe, and you are more likely to install it on your computer.
Disclosure: I work for an AV vendor.
I wonder if they bring other advantages, for example if applications signed with them are more trusted than applications signed with non-EV certificates by antivirus, firewalls and other security applications
This depends on the vendor making the security application, or their current(*) policy. Both security vendors I have worked for ignored the presence of the certificate when scanning for malware. There are several reasons for this:
Just because the code is signed doesn't mean it is not malicious. It only means it has not been modified after it has been signed. For example, a relatively large number of adware applications is signed.
Malware writers have used stolen certificates in the past, and thus we cannot be truly sure it was used by the original author. This is why I mentioned "current policy" above, as this could change overnight.
Verifying a certificate is a complex and relatively slow process which requires reading the whole file from disk - an expensive operation for a non-SSD storage. It also requires performing some public key cryptography operations which are CPU-intensive. Thus for some large executable files checking the certificate might take longer than scanning the file for malware.
And since we generally don't look at the certificate at all, it doesn't matter whether it is standard or EV.
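The answer's points (a valid signature only proves the file is unmodified since signing, verification means hashing the whole file plus chain validation, and EV is just a property of the signer's certificate) can be seen directly by inspecting a signed binary. The script below is an added example, not code from the question or the answer above, and not from any vendor. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, where the built-in Get-AuthenticodeSignature cmdlet and the .NET X509 types are available; the script file name and the input path are placeholders, and the EV policy OID it looks for is the CA/Browser Forum identifier, stated here as an assumption to be checked against the current EV Code Signing Guidelines.

```powershell
# Added example (not from the question or the answer above).
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows.
# Usage (file name assumed):  .\Inspect-Signature.ps1 -Path 'C:\path\to\installer.exe'

param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# CA/Browser Forum policy identifier for EV code signing (assumed; verify against
# the current EV Code Signing Guidelines before relying on it in policy).
$EvCodeSigningOid = '2.23.140.1.3'

# Time the verification: it hashes the entire file and builds the certificate chain,
# which is the cost the answer mentions for large executables.
$sw  = [System.Diagnostics.Stopwatch]::StartNew()
$sig = Get-AuthenticodeSignature -FilePath $Path
$sw.Stop()

$cert = $sig.SignerCertificate
$isEv = $false
$signer = $null; $issuer = $null; $expires = $null

if ($cert) {
    $signer  = $cert.Subject
    $issuer  = $cert.Issuer
    $expires = $cert.NotAfter.ToUniversalTime()

    # The Certificate Policies extension (OID 2.5.29.32) carries the policy
    # identifiers; Format($false) renders it as text that can be searched.
    $policyExts = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    foreach ($ext in $policyExts) {
        if ($ext.Format($false) -match [regex]::Escape($EvCodeSigningOid)) { $isEv = $true }
    }
}

$report = [pscustomobject]@{
    File        = $Path
    Status      = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
    Detail      = $sig.StatusMessage
    Signer      = $signer
    Issuer      = $issuer
    ExpiresUtc  = $expires
    Timestamped = [bool]$sig.TimeStamperCertificate   # countersignature survives cert expiry
    EvPolicy    = $isEv
    VerifyMs    = [int]$sw.ElapsedMilliseconds
}

$report | Format-List

# Reading the result:
#  - Status 'Valid' means the file hash matches the signed hash and the chain builds
#    to a trusted root, i.e. the bytes are unmodified since signing. It says nothing
#    about whether the code is benign: signed adware, or code signed with a stolen
#    key, also reports 'Valid'.
#  - 'HashMismatch' means the file was altered (or corrupted) after signing.
#  - EvPolicy only reflects a policy OID in the signer's certificate; it records
#    how the publisher was vetted, not how the program behaves.
```

Running it against a few installers on a spinning disk makes the VerifyMs column a practical illustration of why a scanner that has already read the file for its own checks may not want to pay for a second full read and the public key operations just to learn who signed it.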