WinVerify Trust Signature User Guide

WinVerify Trust Signature is a remote code execution vulnerability. It occurs when the WinVerifyTrust function improperly validates the file digest of a specially crafted PE (Portable Executable) file while verifying a Windows Authenticode signature.

Global Filters

Use the search bar to find a particular system, or filter the data by System Type: All Systems, Only Vulnerable Systems, or Only Secured Systems.

Impact Summary

This graph shows the number of Vulnerable Systems versus Secured Systems with respect to the WinVerifyTrust Signature vulnerability.

Systems

This grid displays the sensor data for the WinVerify Trust Signature vulnerability. When a sensor is triggered, the grid lists the affected System, the Latest Trigger Date, and whether the sensor is Currently Active.

  • If the sensor is currently active, the system is considered under threat and the Currently Active column shows Yes in red. The system needs immediate action.

  • If the sensor is not currently active, no intervention is required and the column shows No in green.

More information

According to Microsoft's website, WinVerify Trust Signature is a remote code execution vulnerability. It occurs when the WinVerifyTrust function improperly validates the file digest of a specially crafted PE (Portable Executable) file while verifying a Windows Authenticode signature. [1]

The data for this vulnerability is derived from sensors. The conditions that trigger the vulnerability sensor are described below.

Trigger Information

For the sensor to evaluate to true, both of the following must be present:

  1. The Atera Agent software was installed, and a system reboot was performed within 1 minute of installation.

  2. Windows Defender exclusions. The system must have:

    • Default action changed to ignore all threat severity levels (from HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\PolicyManager\ThreatSeverityDefaultAction)

    • Scheduled full scan set to never run (from HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\PolicyManager\ScheduleScanDay)

    • Allow IOAV Protection turned off (from HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\PolicyManager\AllowIOAVProtection)

    • Allow archive scanning turned off (from HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\PolicyManager\AllowArchiveScanning)

    • PUA Protection turned off (from HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\PolicyManager\PUAProtection)

For item 2, if the first condition (default action changed to ignore all threat severity levels) is detected, the entire item is true. Otherwise, any three of the remaining four conditions are required.

The overall sensor is true only when both item 1 and item 2 are present.
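The following PowerShell script is an added example, not the sensor product's own code: it evaluates the item 2 rule above on the local host by reading the Windows Defender PolicyManager values listed, and combines the result with item 1, which the guide ties to Atera Agent install and reboot evidence that this script takes as an input. The numeric encodings for "ignore", "never" and "off" are assumptions (action 6 = Allow in ThreatSeverityDefaultAction, ScheduleScanDay 8 = never, 0 = off for the other three), so verify them against your own policy before relying on the result.

```powershell
# Added example (not from the original guide). Checks the "item 2" Defender
# weakening conditions and combines them with item 1 as the guide describes.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\PolicyManager'

function Get-PolicyValue([string]$Name) {
    # Returns $null when the key or the value is absent (policy not configured).
    try { (Get-ItemProperty -Path $Base -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-DefaultActionIgnoreAll {
    # Condition 2a: every severity (1 Low, 2 Moderate, 4 High, 5 Severe) is
    # mapped to action 6 (Allow/ignore). Value format "1=6|2=6|4=6|5=6" and the
    # meaning of 6 are ASSUMED from the Defender CSP documentation.
    $raw = Get-PolicyValue 'ThreatSeverityDefaultAction'
    if (-not $raw) { return $false }
    $actions = @{}
    foreach ($pair in ("$raw" -split '\|')) {
        if ($pair -match '^\s*(\d+)\s*=\s*(\d+)\s*$') {
            $actions[[int]$matches[1]] = [int]$matches[2]
        }
    }
    foreach ($sev in 1, 2, 4, 5) {
        if ($actions[$sev] -ne 6) { return $false }   # missing or not "ignore"
    }
    return $true
}

function Test-Item2 {
    # 2a alone satisfies item 2; otherwise any three of 2b..2e are required.
    if (Test-DefaultActionIgnoreAll) { return $true }
    $weakened = 0
    if ((Get-PolicyValue 'ScheduleScanDay')      -eq 8) { $weakened++ }  # never (assumed)
    if ((Get-PolicyValue 'AllowIOAVProtection')  -eq 0) { $weakened++ }  # off (assumed)
    if ((Get-PolicyValue 'AllowArchiveScanning') -eq 0) { $weakened++ }  # off (assumed)
    if ((Get-PolicyValue 'PUAProtection')        -eq 0) { $weakened++ }  # off (assumed)
    return ($weakened -ge 3)
}

function Test-WinVerifyTrustSensor([bool]$Item1) {
    # Overall sensor: item 1 (Atera Agent install + reboot) and item 2 must both hold.
    return ($Item1 -and (Test-Item2))
}

# PLACEHOLDER: supply item 1 from your own inventory / event-log evidence.
$item1 = $false
"Item 2 satisfied: $(Test-Item2); sensor active: $(Test-WinVerifyTrustSensor -Item1 $item1)"
```

Run it in an elevated PowerShell session so the policy hive is readable; a host where the script reports item 2 satisfied has had its Defender protections weakened regardless of the sensor's overall state.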

References

[1] BetaFred, Dressman, M., & V-Vijnu. (2019, December 19). Microsoft Security Bulletin MS13-098 - Critical. Microsoft Docs. Retrieved April 14, 2022, from