Checking the digital signature for a file under Microsoft Windows

While examining client.exe, a file installed as part of the Genius Box adware/spyware bundled with the Vuze 5.5.0.0 BitTorrent application, with the Windows Sysinternals program Strings, I saw the following text in the file:
Malwarebytes Anti-Malware Premium
GB1
Greater Manchester1
Salford1
COMODO CA Limited1!0
COMODO Code Signing CA 20
140716000000Z
150716235959Z0
US1
641121
Missouri1
Kansas City1
4600 Madison Ave FL 101
Joltlogic1
Joltlogic0

I also saw the following text in the file:

https://secure.comodo.net/CPS0A
:0806
0http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
f0d0<
0http://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
http://ocsp.comodoca.com0

Greater Manchester1
Salford1
COMODO CA Limited1!0
COMODO Code Signing CA 2

I presumed that text was there because the file had been digitally signed by the developer of the adware. A digital signature is a means of electronically "signing" a file in a manner that identifies the publisher of the file and helps verify that it hasn't been altered since it was published. Without a digital signature on a file, you can't be certain that it is from the claimed developer/publisher. As Microsoft notes in What is a digital signature?, though, "Even a valid digital signature does not verify that the contents of the file are harmless. You must decide if you should trust the contents of the file based on the identity of the publisher and where you are downloading the file from." In Windows Vista and later versions of the Microsoft operating system, users will be warned if they attempt to run a program that has not been digitally signed. So the adware developer digitally signed client.exe, which reveals the source of the program.

You can view the digital signature on a file by using a PowerShell "cmdlet". PowerShell is an integral part of the Windows 7 and 8 operating systems and can be downloaded from Microsoft for earlier versions of its operating systems. To use PowerShell, enter powershell at a command line prompt. Once you get the PowerShell prompt, which begins with PS, you can enter Get-AuthenticodeSignature followed by the name of the file whose signature you wish to check.

C:\Users\JDoe\AppData\Local\GeniusBox>powershell
Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.

PS C:\Users\JDoe\AppData\Local\GeniusBox> Get-AuthenticodeSignature client.exe


    Directory: C:\Users\JDoe\AppData\Local\GeniusBox


SignerCertificate                         Status             Path
-----------------                         ------             ----
16CE9D5ADE81FCA57EF3F545F631DFD7B6D6C01E  Valid              client.exe


PS C:\Users\JDoe\AppData\Local\GeniusBox>

That shows me that the file is signed, along with the thumbprint of the signing certificate, but I'd like to know the company or individual associated with that signature. To see that information, I need to add | Format-List at the end of the command.

PS C:\Users\JDoe\AppData\Local\GeniusBox> Get-AuthenticodeSignature client.exe | Format-List


SignerCertificate      : [Subject]
                           CN=Joltlogic, O=Joltlogic, STREET=4600 Madison Ave
                         FL 10, L=Kansas City, S=Missouri, PostalCode=64112,
                         C=US

                         [Issuer]
                           CN=COMODO Code Signing CA 2, O=COMODO CA Limited,
                         L=Salford, S=Greater Manchester, C=GB

                         [Serial Number]
                           5EE011413A702F6705B25B34B674F3AB

                         [Not Before]
                           7/15/2014 8:00:00 PM

                         [Not After]
                           7/16/2015 7:59:59 PM

                         [Thumbprint]
                           16CE9D5ADE81FCA57EF3F545F631DFD7B6D6C01E

TimeStamperCertificate :
Status                 : Valid
StatusMessage          : Signature verified.
Path                   : C:\Users\JDoe\AppData\Local\GeniusBox\client.exe



PS C:\Users\JDoe\AppData\Local\GeniusBox>

That showed me that Comodo was the certificate authority (CA) that issued the code-signing certificate used by the developer of client.exe, and that the software was actually produced by a company named JoltLogic, a company that produces adware software - see the Joltlogic Analysis - herdProtect article. Also see the herdProtect article Malware scan of client.exe 1865c0e985c72d68dbf35af9b482ed7a98b70511 - herdProtect, which mentions that the client.exe program establishes a proxy server on the local host address http://127.0.0.1:49327/, though on the system on which this adware was bundled with Vuze, the port it was listening on was 55833 rather than 49327.
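As an added example (not code from the original post), the following PowerShell function wraps Get-AuthenticodeSignature so that one call reports the fields shown in the Format-List output above for every executable in a directory and flags the conditions worth a second look, including the blank TimeStamperCertificate seen in that output. The function name Get-SignatureReport, the PowerShell 4.0 requirement (for Get-FileHash) and the directory path are assumptions.

```powershell
# Added example (not code from the original post): wrap Get-AuthenticodeSignature so a single
# call reports the fields shown above and flags the cases that deserve a second look.
# Assumes PowerShell 4.0 or later (for Get-FileHash); the directory path is a placeholder.
function Get-SignatureReport {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $sig   = Get-AuthenticodeSignature -FilePath $Path
        $cert  = $sig.SignerCertificate   # $null when the file carries no signature
        $now   = Get-Date
        $notes = @()

        # Anything other than Valid: NotSigned, HashMismatch (file changed after signing),
        # UnknownError/NotTrusted (chain does not end in a trusted root), and so on.
        if ($sig.Status -ne 'Valid') {
            $notes += "status $($sig.Status): $($sig.StatusMessage)"
        }
        if ($cert) {
            # No TimeStamperCertificate (blank in the Format-List output above) means there is
            # no trusted proof of when the file was signed, so once the certificate expires
            # the signature can no longer be judged against its validity window.
            if (-not $sig.TimeStamperCertificate) { $notes += 'no timestamp' }
            if ($now -gt $cert.NotAfter)  { $notes += "signing certificate expired $($cert.NotAfter)" }
            if ($now -lt $cert.NotBefore) { $notes += 'signing certificate not yet valid' }
        }

        [pscustomobject]@{
            Path        = $sig.Path
            Status      = $sig.Status
            Subject     = $cert.Subject      # empty for an unsigned file
            Issuer      = $cert.Issuer
            Thumbprint  = $cert.Thumbprint
            NotBefore   = $cert.NotBefore
            NotAfter    = $cert.NotAfter
            Timestamped = [bool]$sig.TimeStamperCertificate
            # SHA-1 of the file, the hash form the herdProtect report mentioned in the text is keyed by.
            SHA1        = (Get-FileHash -Path $Path -Algorithm SHA1).Hash
            Notes       = ($notes -join '; ')
        }
    }
}

# Report on every executable in the examined directory (placeholder path from the post).
Get-ChildItem 'C:\Users\JDoe\AppData\Local\GeniusBox' -Filter *.exe |
    Get-SignatureReport | Format-List
```

A file that is Valid but untimestamped, as client.exe is here, will show Notes of "no timestamp"; once the signing certificate's Not After date has passed, the same file is reported as expired as well.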

An alternative to the PowerShell cmdlet for checking the digital signature on a file is the Sysinternals tool Sigcheck.

C:\Users\JDoe\AppData\Local\GeniusBox>"c:\program files\sysinternals\sigcheck" client.exe

Sigcheck v2.1 - File version and signature viewer
Copyright (C) 2004-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Users\JDoe\AppData\Local\GeniusBox\Client.exe:
        Verified:       Signed
        Signing date:   n/a
        Publisher:      Joltlogic
        Description:
        Product:        n/a
        Prod version:   1.0.5476.25517
        File version:   1.0.5476.25517
        MachineType:    32-bit