What is SSL.com Malware Scan?
Malware Scan is a service offered by SSL.com to software developers who use code signing certificates. It checks code for malware before the code is signed, so that a signature is only applied to a file that has passed the scan.
Benefits of Malware Scan
Malware Scan adds an extra layer of defense to code signing. If malware is detected in the code, signing is blocked and the user is informed so that corrective action can be taken. Software developers, publishers, and distributors can incorporate automated malware scanning and code signing into their CI/CD environments. Even where signing itself is automated, the private keys and signing certificates are often handled manually, which puts them at risk of theft. Once ransomware gangs or other malicious actors gain access to a software publisher's production environment, they can quietly inject malware into the build process, and the publisher then signs and ships the attacker's payload to its own customers. Malware Scan is aimed at this case: the malicious artifact is detected at signing time and the certificate is never applied to it. The scan is a check on the artifact, not a substitute for securing the build pipeline itself; a hit should be treated as evidence that the build environment needs investigating.
eSigner Cloud Code Signing
To use the Malware Scan service, SSL.com customers first need to purchase an EV code signing certificate and, once it is issued, enroll it in the eSigner cloud code signing service. eSigner lets software developers sign and timestamp their code in the cloud, with no USB token, HSM, or other special hardware on the developer's side. Because the EV code signing certificate and its private key are held in the cloud, the developer does not have to worry about losing a USB token, having the signing key stolen from a workstation, or accidentally deleting a PFX file. The main benefits of eSigner-based code signing combined with Malware Scan are:
- Software engineers working in teams can be sure that the software pieces they pass to each other have been scanned for malware before being signed.
- If the production environment is injected with malware, Malware Scan adds a further layer of defense: it recognizes the threat at signing time, which prompts engineers to secure their build pipeline and prevent further attacks.
- Software publishers and distributors can be sure that the final products they deliver to customers, including installers and software updates, were signed only after passing the scan.
How to use Malware Scan
Enabling Malware Scan on your SSL.com Account
Enabling the Malware Scan service on your SSL.com account is the first step before the service can be used with eSigner Express, eSigner CodeSignTool, the eSigner API, or eSigner CKA.
- On your SSL.com certificate order page, scroll down to the SIGNING CREDENTIALS section and locate the part showing your eSigner certificate credentials. Make sure that the radio buttons labelled signing credential enabled and malware blocker enabled are selected. These allow you to use the Malware Scan service with each of the eSigner tools. If you instead select malware blocker disabled, you will be able to sign your code without the Malware Scan service; leave the blocker enabled unless you have a specific reason not to, since disabling it removes the check for every tool that signs with that credential.
Using Malware Scan on eSigner Express
- Upload your file to eSigner Express.
- After uploading, you will be prompted for the two-factor authentication code.
- If the file you uploaded contains malicious code, eSigner Express will display the warning "hash that needs to sign is a malware object hash" and prevent the signing.
- If you have disabled Malware Scan on your order page, eSigner Express will immediately warn you that it is disabled.
Using Malware Scan on CodeSignTool
- Enable Malware Scan on your order page.
- Enter the sign command in CodeSignTool. For more information on CodeSignTool commands, please refer to our article: eSigner CodeSignTool Command Guide.
- If the code you are attempting to sign with CodeSignTool is infected with malware, the signing will fail and you will get the warning "Error: hash that needs to sign is a malware object hash".
Using Malware Scan on eSigner API
In this demo, Postman was used to call the eSigner API.
- Enable Malware Scan on your SSL.com order page. The scan settings returned by the API, as shown in Postman, will then include "malware_scan_enabled": true.
- If the file you submit through Postman contains malware, the signing process will halt and you will be warned.
Using Malware Scan on eSigner Cloud Key Adapter (CKA)
- Click the malware blocker enabled radio button on your SSL.com order page.
- Install eSigner Cloud Key Adapter.
- Install eSigner CodeSignTool.
- Scan the code with CodeSignTool using the following command:
scan_code [-hV] -input_file_path=<inputFilePath> -password=<PASSWORD> [-program_name=<programName>] -username=<USERNAME>
- Use SignTool to sign the code with eSigner CKA using the following command (the /tr option takes a timestamp server URL, which this page does not state; supply your own):
"SignTool File path" sign /fd sha256 /tr <timestamp server URL> /td sha256 /sha1 <certificate thumbprint> "inputFilePath"
-input_file_path=<PATH>: path of the code object to be scanned or signed.
-username=<USERNAME>: SSL.com account username.
-password=<PASSWORD>: SSL.com account password.
-program_name=<PROGRAM_NAME>: name of the program.
-credential_id=<CREDENTIAL_ID>: credential ID for the signing certificate. Your eSigner Credential ID is located in the same section of your SSL.com certificate order page as the Malware Scan radio buttons.
SignTool File path: installation path of SignTool (signtool.exe).
/sha1 <certificate thumbprint>: SHA-1 thumbprint of the eSigner certificate that CKA exposes to Windows, which tells SignTool which certificate to sign with.
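The CodeSignTool flow (sign, which fails with the "malware object hash" error when the blocker is on), the CKA procedure above (scan_code first, then sign), and the CI/CD use described under Benefits all come down to one decision: sign only when the scan raised nothing, and fail the build otherwise, never by switching the blocker off. The bash script below is an added example and is not code from SSL.com or from this page. It assumes the following, none of which the page states: CodeSignTool's shell launcher is on PATH as CodeSignTool.sh or is named by the CODESIGNTOOL variable; the tool exits non-zero on failure; scan_code reports a hit with the same "hash that needs to sign is a malware object hash" text the page shows for sign; and sign accepts -credential_id, -totp_secret and -output_dir_path as documented in the CodeSignTool Command Guide (check against your version). On a Windows build host that signs with SignTool through CKA, substitute that invocation for the sign call; the gating logic is unchanged.

```shell
#!/usr/bin/env bash
# Added example, not SSL.com code: a fail-closed CI wrapper around CodeSignTool.
# Assumptions (not from the page): CodeSignTool.sh is on PATH or named by
# $CODESIGNTOOL; it exits non-zero on failure; scan_code reports a hit with the
# same text the page shows for the sign command; sign takes -credential_id,
# -totp_secret and -output_dir_path (verify against your CodeSignTool version).

MALWARE_MARKER='hash that needs to sign is a malware object hash'

# classify_result <exit_status> <captured_output>
# Prints MALWARE, ERROR or OK. Only a clean exit with no "Error:" line is OK;
# anything ambiguous is ERROR, so the pipeline fails closed.
classify_result() {
    status="$1"
    output="$2"
    if printf '%s\n' "$output" | grep -qiF "$MALWARE_MARKER"; then
        echo MALWARE
    elif [ "$status" -ne 0 ] || printf '%s\n' "$output" | grep -qi '^Error:'; then
        echo ERROR
    else
        echo OK
    fi
}

# run_tool <subcommand> <args...>
# Runs CodeSignTool, copies its output to the CI log (stderr) and prints the
# verdict on stdout so the caller can capture it.
run_tool() {
    tool="${CODESIGNTOOL:-CodeSignTool.sh}"
    if out="$("$tool" "$@" 2>&1)"; then status=0; else status=$?; fi
    printf '%s\n' "$out" >&2
    classify_result "$status" "$out"
}

# scan_then_sign <file> <username> <password> <credential_id> <totp_secret> <output_dir>
# Exit codes: 0 signed, 1 tool or authentication error, 2 malware detected.
scan_then_sign() {
    file="$1"; user="$2"; pass="$3"; cred="$4"; totp="$5"; outdir="$6"

    # Step 1: explicit scan, so a hit is logged before any signing is attempted.
    verdict="$(run_tool scan_code -input_file_path="$file" -username="$user" -password="$pass")"
    case "$verdict" in
        MALWARE)
            echo "BLOCKED: Malware Scan flagged $file. Do not re-run with the malware blocker disabled; treat the build host as compromised." >&2
            return 2 ;;
        OK) ;;
        *)
            echo "ABORT: scan_code did not complete cleanly for $file" >&2
            return 1 ;;
    esac

    # Step 2: sign. With the blocker enabled, the sign command itself is refused
    # for a flagged file (the page's "Error: hash ..." case), so the same verdict
    # handling applies here.
    verdict="$(run_tool sign -credential_id="$cred" -username="$user" -password="$pass" \
        -totp_secret="$totp" -input_file_path="$file" -output_dir_path="$outdir")"
    case "$verdict" in
        OK)      echo "signed: $outdir/$(basename "$file")"; return 0 ;;
        MALWARE) echo "BLOCKED: eSigner refused to sign $file (malware object hash)" >&2; return 2 ;;
        *)       echo "ABORT: sign failed for $file" >&2; return 1 ;;
    esac
}

# Typical CI usage; credentials come from the runner's secret store, never the script:
# scan_then_sign build/setup.exe "$ESIGNER_USER" "$ESIGNER_PASS" "$ESIGNER_CRED_ID" "$ESIGNER_TOTP" build/signed
```

Two points for anyone wiring this into a pipeline. First, CodeSignTool takes the account password and TOTP secret on the command line, so they are visible in process listings on a shared runner; use a dedicated runner or a short-lived job for the signing step. Second, a MALWARE verdict is deliberately a distinct exit code from an ordinary tool error so that the job can page a human rather than be retried automatically, which is where the "flip the blocker to disabled and try again" mistake usually happens.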