> behind the scenes, there is a complex "application reputation feature" system
> (aka Windows SmartScreen Filter). IIRC, Microsoft introduced it nine years
> ago. Google introduced a similar system a few years later.
Ah, so this "reputation" is something Chrome has now. Do you think
Google are linking in the data from www.virustotal.com, as it's part of
their portfolio, into their reputation calculation on Chrome?

> Downloads are automatically assigned a reputation rating based on multiple
> algorithms that consider many objective criteria, such as anti-virus and
> anti-spyware results, download traffic, download history, and URL reputation.
> Application downloads without established reputation result in a warning
> that the file may be a risk to the computer.

Kaspersky AV has something similar, but when I looked at it and played
around, on the surface it just showed how many people were using said
program in different parts of the world, and obviously whatever program
didn't have any known virus in it by virtue of it still being used.
It didn't seem that useful.

Obviously VirusTotal, SmartScreen or reputations calculated by AV
programs are still not reverse engineering files to decide if they are
malicious or not, because AV only searches for a pattern which matches
known viruses, so it's not perfect in that someone could still develop a
new virus or malicious code of sorts, and, like we saw with Stuxnet,
Kaspersky suggested it had been in the wild for at least 10 years.

Also WikiLeaks listed some programs which AV companies and others would,
I hope, consider to be malicious as well, when WL announced some of the
programs used by Govt depts like NSA/CIA,
e.g. https://wikileaks.org/vault7/#Angelfire
https://wikileaks.org/vault7/#Dumbo
https://wikileaks.org/vault7/#Brutal%20Kangaroo
and more...

> You can build a reputation "per-file" (Application Reputation is assigned by
> the hash of the downloaded file) or "per code-signing certificate".

> Code-signing certificates allow reputation to be assigned to a single
> identity ("per code-signing certificate") across multiple files. If you are
> not code-signing your programs, reputation will be built independently for
> each file you distribute. In contrast, code-signed programs may inherit the
> reputation of your digital certificate.

> Note: the problem with "per-file" reputation is that if you upload an update
> of your application, you have to build a new reputation - you have to start
> the reputation building process all over again.

> For new "standard" code-signing certificates, you have to build a reputation
> first:
> http://www.lindersoft.com/forums/showthread.php?47837

> EV Code-Signing Certificates (very expensive!) establish instant application
> reputation with SmartScreen:
> http://www.lindersoft.com/forums/showthread.php?47948
So an EV cert for least hassle, especially if you want to produce
off-the-shelf software for many people, but also for bespoke systems if
you don't want to annoy the customer if the installation doesn't go
smoothly.

A std cert could cause some problems for some people when you least need
it, regardless of whether it's a bespoke system for one site or an
off-the-shelf system for many people anywhere in the world.

No cert, good luck to anyone. You get what you pay for, so to speak, but
you could make a few quid if you charge for support calls, which could
then be used to buy an EV cert and reduce that repetitive behaviour.
<vbg>

I assume the code signing certs, be it std or EV, I buy can also be
used for web servers and email servers as well, or would they be
different certs I would still need to buy?
Also I have to think, do I want all my eggs in one basket with a std or
EV cert that doesn't expire for at least 12 months, i.e. one cert becomes
a high value target on my computer, even if I keep it in cold storage
like a USB stick when it's not in use.

Decisions decisions.<g>

--
Richard
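The quoted thread makes two points worth seeing side by side: per-file reputation is keyed by the hash of the downloaded file, so every update starts from zero, while per-certificate reputation follows the signer identity across files, and a single long-lived signing certificate becomes a high-value asset. The following Python model is an added illustration written for this page; it is not Microsoft's SmartScreen or Google's code. The install counter, the warning threshold, the installer bytes and the signer name are all constructed, and the model assumes the Authenticode signature has already been validated so that only the reputation lookup is shown.

```python
"""
Toy model of 'per-file' vs 'per-code-signing-certificate' download reputation.
Constructed illustration, not vendor code: reputation is a count of known-good
installs, keyed either by the SHA-256 of the file (per-file, as for unsigned
downloads) or by the signer identity carried by a code-signing certificate.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

WARN_THRESHOLD = 100  # constructed: installs needed before the warning disappears


@dataclass(frozen=True)
class Download:
    """A downloaded file plus the signer identity its signature would carry
    (None for an unsigned file). Signature validity is assumed to have been
    checked already; this model only tracks reputation."""
    content: bytes
    signer: Optional[str] = None

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class ReputationStore:
    by_hash: dict = field(default_factory=dict)    # per-file reputation
    by_signer: dict = field(default_factory=dict)  # per-certificate reputation
    revoked: set = field(default_factory=set)      # signers whose cert was revoked

    def _key(self, d: Download):
        """A signed file inherits its signer's reputation unless that
        certificate has been revoked, in which case it falls back to per-file."""
        if d.signer and d.signer not in self.revoked:
            return self.by_signer, d.signer
        return self.by_hash, d.sha256

    def record_installs(self, d: Download, n: int) -> None:
        table, key = self._key(d)
        table[key] = table.get(key, 0) + n

    def score(self, d: Download) -> int:
        table, key = self._key(d)
        return table.get(key, 0)

    def warns(self, d: Download) -> bool:
        """True when the download has not yet built enough reputation."""
        return self.score(d) < WARN_THRESHOLD

    def revoke(self, signer: str) -> None:
        self.revoked.add(signer)


def demo() -> dict:
    """Walk through the scenarios from the thread and return the warning outcomes."""
    store = ReputationStore()
    v1 = b"MZ...installer v1.0 (constructed bytes)"
    v2 = v1.replace(b"1.0", b"1.1")  # a one-byte update: the file hash changes

    # Unsigned: reputation is keyed by hash, so the update starts from zero.
    u1, u2 = Download(v1), Download(v2)
    store.record_installs(u1, 500)

    # Signed with the same certificate: both versions share the signer's score.
    s1 = Download(v1, signer="CN=Example Publisher Ltd (constructed)")
    s2 = Download(v2, signer=s1.signer)
    store.record_installs(s1, 500)

    result = {
        "unsigned_v1_warns": store.warns(u1),
        "unsigned_v2_warns": store.warns(u2),
        "signed_v2_warns": store.warns(s2),
    }
    # A revoked (e.g. stolen) certificate drops its files back to per-file
    # reputation, which is why one long-lived cert is a high-value asset.
    store.revoke(s1.signer)
    result["signed_v2_after_revoke_warns"] = store.warns(s2)
    return result


if __name__ == "__main__":
    for name, warned in demo().items():
        print(f"{name}: {warned}")
```

Running it shows the unsigned 1.1 build warning although 1.0 had 500 installs, the signed 1.1 build inheriting the certificate's reputation with no warning, and that reputation vanishing for the signed build once the certificate is revoked.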