How to Use Pre-Signing Malware Scan with SSL.com eSigner

What is SSL.com Malware Scan?

Malware Scan is a new service offered by SSL.com to software developers utilizing code signing certificates to assure that code is free of malware before being signed. 

Benefits of Malware Scan

Malware Scan adds an extra layer of defense to code signing certificates. If malware is detected in the code, signing is immediately blocked and the user is informed so that preventive action can be taken. Software developers, publishers, and distributors can now incorporate automated malware scanning and code signing into their CI/CD environments. Even where code signing is automated in some form, the protection of private keys and signing certificates is usually handled manually, putting them at risk of theft. Once ransomware gangs and other malicious actors are able to break into the production environment of a software publishing company, they can secretly inject malware into the build process, with disastrous consequences. This is what Malware Scan prevents.

SSL.com’s EV Code Signing certificates help protect your code from unauthorized tampering and compromise with the highest level of validation, and are available for as little as $249 per year. You can also use your EV Code Signing certificate at scale in the cloud using eSigner.

ORDER NOW

eSigner Cloud Code Signing

To be able to use the Malware Scan service, SSL.com customers first need to purchase an EV code signing certificate and enroll it in our eSigner cloud code signing service once the certificate is issued. eSigner enables software developers to conveniently sign and timestamp their code in the cloud, with no need for USB tokens, HSMs, or other special hardware. By storing the EV code signing certificate in the cloud, eSigner lets software engineers sign their code securely without having to worry about losing a USB token, having their code signing certificate stolen by hackers, or accidentally deleting a PFX file. The main benefits of eSigner-based code signing combined with Malware Scan are explained below:
  • Software engineers working in teams can be sure that the software components they pass to each other are free of malware.
  • If the production environment is injected with malware, Malware Scan adds an additional layer of defense by recognizing the threat, prompting engineers to secure their build pipeline and prevent further attacks.
  • Software publishers and distributors can be sure that the final software products they sell to customers, including installers and software updates, are genuine and fully functional.

How to use Malware Scan

Enabling Malware Scan on your SSL.com Account

Enabling the Malware Scan service on your SSL.com account is the first step before you can use the service with eSigner Express, eSigner CodeSignTool, the eSigner API, or eSigner CKA.
    1. Log in to your SSL.com account. Click Orders from the top menu. Locate your order in the list displayed, then click the download link to display your certificate details. Click the arrow or the Show Details link for the SIGNING CREDENTIALS section.
    2. Scroll down to the SIGNING CREDENTIALS section and locate the part showing your eSigner certificate credentials. Make sure that the radio buttons labelled signing credential enabled and malware blocker enabled are selected. These allow you to use the Malware Scan service with each of the eSigner tools.
    3. On the other hand, if you select the radio button for malware blocker disabled, you will be able to sign your code without using the Malware Scan service.

Using Malware Scan on eSigner Express

  1. Upload your file to eSigner Express.
  2. After uploading, you will be prompted for the two-factor authentication code.
  3. If the file you uploaded contains malicious code, eSigner Express will show the following warning and prevent the signing: "hash that needs to sign is a malware object hash".
  4. If you disable Malware Scan on your order page, eSigner Express will immediately warn you.

Using Malware Scan on CodeSignTool

  1. Enable Malware Scan on your order page.
  2. Enter the sign command in CodeSignTool. For more information on CodeSignTool commands, please refer to our article: eSigner CodeSignTool Command Guide.
  3. If the code you are attempting to sign with CodeSignTool is infected with malware, the signing will fail and you will get the warning: "Error: hash that needs to sign is a malware object hash".

Using Malware Scan on eSigner API

In this demo, Postman was used to call the eSigner API.
  1. Enable Malware Scan on your SSL.com order page. Postman's Scan Settings will then show "malware_scan_enabled": true.
  2. If the file you uploaded via Postman contains malware, the signing process will halt and you will be warned promptly.

Using Malware Scan on eSigner Cloud Key Adapter (CKA)

  1. Click the malware blocker enabled radio button on your SSL.com order page.
  2. Install eSigner Cloud Key Adapter.
  3. Install eSigner CodeSignTool.
  4. Scan the code with CodeSignTool using the following command:
     scan_code [-hV] -input_file_path=<inputFilePath> -password=<PASSWORD> [-program_name=<programName>] -username=<USERNAME>
  5. Use SignTool to sign the code with eSigner CKA using the following command:
     "<SignTool file path>" sign /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 <certificate thumbprint> "<inputFilePath>"

Parameters:

  • -input_file_path=<PATH>: Path of the code object to be signed.
  • -username=<USERNAME>: SSL.com account username.
  • -password=<PASSWORD>: SSL.com account password.
  • -program_name=<PROGRAM_NAME>: Name of the program.
  • -credential_id=<CREDENTIAL_ID>: Credential ID for the signing certificate. Your eSigner Credential ID is located in the same section of your SSL.com certificate order page where the radio buttons for Malware Scan are enabled.
  • SignTool file path: installation path of SignTool.
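The CKA workflow above runs the scan and the signature as two separate commands, so nothing stops a build script from calling SignTool even when scan_code has reported malware. The POSIX shell script below is an added example (not SSL.com's own code) of gating the SignTool call on the scan result in a CI job. It assumes CodeSignTool and SignTool are available at the paths in CODESIGNTOOL and SIGNTOOL, that credentials and the certificate thumbprint are supplied through environment variables, and that CodeSignTool reports a detection with the warning string quoted on this page; the "clean" output line in the test is constructed, since the page does not show scan_code's success output.

```shell
#!/bin/sh
# Added example: gate a SignTool signature behind a CodeSignTool scan_code run.
# Assumed environment (not from the page):
#   CODESIGNTOOL    path to CodeSignTool.sh / CodeSignTool.bat
#   SIGNTOOL        path to signtool.exe
#   ESIGNER_USERNAME, ESIGNER_PASSWORD, PROGRAM_NAME, CERT_THUMBPRINT

# Warning string the page quotes for a malware detection.
MALWARE_MARKER='hash that needs to sign is a malware object hash'

# scan_verdict: read scan_code output from stdin.
# Returns 0 for a clean scan, 1 when the malware warning is present,
# 2 when the output is empty or contains any other error (fail closed).
scan_verdict() {
    output=$(cat)
    case "$output" in
        *"$MALWARE_MARKER"*) return 1 ;;
    esac
    case "$output" in
        ""|*Error*) return 2 ;;
    esac
    return 0
}

# scan_and_sign FILE: run scan_code, then sign only if the verdict is clean.
scan_and_sign() {
    file="$1"
    scan_out=$("$CODESIGNTOOL" scan_code \
        -input_file_path="$file" \
        -username="$ESIGNER_USERNAME" \
        -password="$ESIGNER_PASSWORD" \
        -program_name="$PROGRAM_NAME" 2>&1)
    printf '%s\n' "$scan_out" | scan_verdict
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "scan did not pass for $file (rc=$rc); refusing to sign" >&2
        printf '%s\n' "$scan_out" >&2
        return "$rc"
    fi
    # Same SignTool invocation as the page's step 5, with the thumbprint from the environment.
    "$SIGNTOOL" sign /fd sha256 /tr http://ts.ssl.com /td sha256 \
        /sha1 "$CERT_THUMBPRINT" "$file"
}

# When run directly with a file argument, scan and sign that file.
if [ "$#" -gt 0 ]; then
    scan_and_sign "$1"
fi
```

Because scan_verdict fails closed on empty or unexpected output, a CodeSignTool crash or a network failure during the scan also blocks signing, rather than silently letting an unscanned artifact through.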

How to Disable Malware Scan

Due to how .MSIX files are compiled, at this time you will need to disable malware scanning for them. SSL.com is working to integrate Malware Scan for .MSIX files and will provide an update once this feature becomes available.
To disable the Malware Scan service, refer to the following instructions.
  1. Log in to your SSL.com account. Click Orders from the top menu. Locate your order in the list displayed, then click the download link to display your certificate details. Click the arrow or the Show Details link for the SIGNING CREDENTIALS section.
  2. Click the radio button for malware blocker disabled.
  3. You can now proceed to sign your file(s) without undergoing a malware scan.
Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page. You can also find answers to many common support questions in our knowledgebase.