I am requesting that all implicit trust (Norton reputation and otherwise) be revoked for this code signing certificate (attached), which was used to sign malware:
Thumbprint
F4BDA9EFA31EF4A8FA3B6BB0BE13862D7B8ED9B0
Serial Number
4B48B27C8224FE37B17A6A2ED7A81C9F
CN = Piriform Ltd
O = Piriform Ltd
L = London
S = London
C = GB
Now that Piriform has moved to a new certificate, it would be a good time to remove any implicit trust (Norton reputation, etc.) for this code signing certificate (formerly attached to post #2), which was used to sign malware.
Thumbprint (SHA1)
F4BDA9EFA31EF4A8FA3B6BB0BE13862D7B8ED9B0
Serial Number
4B48B27C8224FE37B17A6A2ED7A81C9F
Whether or not Piriform actually has the old certificate officially revoked and invalidated at some point is up to them (one would hope this is their plan).
Digitally signed:
10:42 AM 8/3/2017
10:58 AM 8/3/2017
But released into the world 8/15. Where do the files sit around for 12 days after being signed before being released?
Also, Piriform's code signing certificate was removed from my (2nd) post for some reason... This is a commonly available and not harmful file; I don't know why it's been removed.
You could use Piriform's certificate to manually revoke trust on your own system if you wanted. This will not nullify any Norton Insight reputation gained by being signed by a "trusted" certificate. I don't know if or when they will change (or if they have already changed) anything with regard to how much (if anything) being signed by Piriform currently contributes to a file's Norton Insight reputation.
Status update:
#3
276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012
No detection/response yet (this sample was less widely discussed)
File name: cc_setup533.exe
Detection ratio: 29 / 64
Analysis date: 2017-09-19 21:10:49 UTC ( 1 hour, 57 minutes ago )
Still no explanation from Avast/Piriform as to the (above) second infected installer / 32-bit main exe created just a handful of minutes after the first.
On 64-bit machines... delete languages & 32-bit installer
Um, update to current CCleaner version.
I don't use the program, I'm just trying to get the detection updated. Is the installer itself tampered, or just the (32-bit version of the) installed program?
Already done, but they tend to take multiple weeks to get back to you sometimes - if they ever get back to you at all. (I have another unrelated case that is still unresolved for 3+ weeks.)
Also this is a special case with the malware being digitally signed and the certificate being in question.
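The thread mentions manually revoking trust in the old certificate on your own system. This added example (not code from any poster, Norton or Piriform) shows one way to do that on Windows: it lists files signed with the thumbprint quoted above, then places the certificate in the local "Untrusted Certificates" store. The certificate file path and scan folder are assumptions, since the attachment is no longer on the page.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
$Thumbprint = 'F4BDA9EFA31EF4A8FA3B6BB0BE13862D7B8ED9B0'  # SHA-1 thumbprint quoted in the thread
$CertFile   = 'C:\Temp\old-signing-cert.cer'              # assumption: your exported copy of the certificate
$ScanRoot   = 'C:\Program Files'                          # assumption: folder you want to audit

# List every .exe/.dll under $Root whose Authenticode signer matches the thumbprint.
function Find-FilesSignedBy {
    param([string]$Root, [string]$Thumbprint)
    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            if ($sig.SignerCertificate -and $sig.SignerCertificate.Thumbprint -eq $Thumbprint) {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Status = $sig.Status
                    SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Put the certificate in the machine-wide Disallowed ("Untrusted Certificates") store,
# but only after confirming the file really is the certificate named in the thread.
function Add-LocalDistrust {
    param([string]$CertFile, [string]$Thumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
    if ($cert.Thumbprint -ne $Thumbprint) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $Thumbprint"
    }
    Import-Certificate -FilePath $CertFile -CertStoreLocation Cert:\LocalMachine\Disallowed | Out-Null
}

# 1. Inventory what is currently on disk with this signer.
Find-FilesSignedBy -Root $ScanRoot -Thumbprint $Thumbprint | Format-Table -AutoSize

# 2. Distrust the certificate locally.
Add-LocalDistrust -CertFile $CertFile -Thumbprint $Thumbprint

# 3. Re-run the inventory to see how Windows now reports those signatures.
Find-FilesSignedBy -Root $ScanRoot -Thumbprint $Thumbprint | Format-Table -AutoSize
```

This changes only the Windows trust decision on the local machine; as noted in the thread, it does not affect reputation scoring done by a security product.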