Avira AntiVir 9 gets adopted fast

As you may have heard, we released version 9 of Avira AntiVir last week. From our update servers we can tell that up to yesterday more than half of Avira AntiVir Premium users as well as those using Avira AntiVir Personal have upgraded to the new version. Looking at the support statistics, the new version runs very well and smoothly.

But questions arose due to a new feature which many people seem to activate (which is good, by the way). It scans the system files and checks their integrity by verifying their digital signatures. If someone or something, such as malware, has tampered with those system files, the digital signature becomes invalid and Avira warns about it.

A digital signature is a checksum of the file which is stored together with a digital certificate of the producer of the software. If the file gets changed, the checksum changes as well and the digital signature isn’t valid anymore. By checking the certificate it can be validated that the producer is the “real” one.

This leads to some confusion about whether the systems of affected users are in fact infected. This is hard to tell on end-user systems. There are patches available which lift the limit on half-open TCP/IP connections in Windows XP and newer versions by directly modifying the responsible DLL. Other programs tamper with the system files to add themes to Windows (NB: you don’t need to change executable system files to apply themes to Windows; better stay away from such software).

So the computer isn’t necessarily infected when Avira warns about invalid signatures in system files. In companies you may want to take such systems offline and analyse them anyway. Computer users should be aware that they can’t really trust their system anymore once these signatures are invalidated, as malware may modify those binaries as well, and the user can no longer see that this has happened because the signature was already invalid.
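For analysing such a system, the same kind of signature check can be run by hand with PowerShell's built-in `Get-AuthenticodeSignature` cmdlet. The script below is an added example, not Avira's code and not a description of how the product implements its check. It assumes Windows PowerShell 5.1 or later, and the directory and file extensions are illustrative choices.

```powershell
# Added example: list system binaries whose digital signature does not verify.
# Assumptions: Windows PowerShell 5.1+, run from an elevated prompt;
# the directory and extension list are illustrative, adjust as needed.
$root       = Join-Path $env:SystemRoot 'System32'
$extensions = '.dll', '.exe', '.sys'

$findings = Get-ChildItem -Path $root -File -ErrorAction SilentlyContinue |
    Where-Object { $extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        if ($sig.Status -ne 'Valid') {
            # Record enough detail to compare the file against a known-good copy.
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Status   = $sig.Status
                Path     = $_.FullName
                Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Modified = $_.LastWriteTimeUtc
                SHA256   = $hash.Hash
            }
        }
    }

# HashMismatch means the file content no longer matches the signed checksum,
# so list those first. Other statuses (NotSigned, NotTrusted, ...) mean the
# signature could not be verified; they do not by themselves show a change.
$findings |
    Sort-Object @{ Expression = { $_.Status -ne 'HashMismatch' } }, Path |
    Format-Table Status, Path, Signer, Modified -AutoSize

# Summary per status, useful for comparing against a clean reference machine.
$findings | Group-Object Status | Select-Object Name, Count
```

The recorded SHA-256 values let you compare a flagged file against the same file from a clean installation of the same Windows build and patch level.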

Dirk Knop
Technical Editor