Why we add self signed code singing for software

We are testing the use of self-signed code signing to reduce false positives from antivirus software and we may add code signing to all software in future if this works fine.

As you may already know, we use encrypted software in some software to provide licensing functions, but the encrypted software often triggers false positives. Some antivirus software considers encrypted software to be at greater risk. This is also true in reality, because parts of the code in the encrypted software become obscure and unrecognizable.

The version 3.0 of ITHistExporter has 26 suspicious reports on Virustotal and 68 for all available scanners. When we added digital signatures, the number of suspicious reports was 7, the percentage was reduced from 38% to 10%. Most of the antivirus software with false positives were not very popular antivirus software. Although we are using a self-issued code signing certificate, the effect is still obvious.

Using a certificate issued by a trusted certificate authority will undoubtedly increase our costs, so we are currently just using a self-signed code signing certificate. In the future, we may consider purchasing a third-party code signing certificate for signing.

Another interesting phenomenon is that a color selection plug-in for the InTouch program that we released a few days ago also has lots false positives reported by the software software, because we used the UPX program to reduce the size of the software. The program compressed UPX can be restored by using the -d parameter of the UPX program, but some antivirus software still thinks it is suspicious, instead of decompressing and scanning again. I think this part of the antivirus software is unreliable. We uploaded uncompressed programs for scanning and detection, and the suspicious report rate is 0.

Here I made a demo and uploaded the video to Youtube to demonstrate the effect of code signing. You can also view the reports with the follow links:

https://www.virustotal.com/gui/file/a92ecba3190ca8f6291495077a8f5bbcfc6aa855bc831ee5a27ef91d046c6b3c (without code signing certification)

https://www.virustotal.com/gui/file/d960f95d9daccdd1b75b82a46c5181d3f97ca8ab7cfa12bc1214a3203723f84b (with code signing certification)

Leave a Reply

Your email address will not be published.

56 − = 47