08/01/2018, 6:12 PM
@Prakhar @alessandrogario - regarding the 'slow' authenticode query times, here's a lazy point of view from me. I say lazy because I didn't look at the implementation. I'm happy to if the answer isn't obvious to one of you guys already. With ~207 processes, a logical guess is that there are many instances of the same backing executable. For example, multiple instances of the same svchost.exe, csrss.exe, etc. The implementation may not maintain state as it enumerates all running processes such that it doesn't re-evaluate. The actual hash operation is very fast, so being able to hash the backing image (PE) of each process and then put it in some sort of state table and then, if a subsequent process has the same backing PE, report the same status - might provide significant real-world speed ups without actually changing the core logic in terms of authenticode validation.


08/02/2018, 4:22 PM
This would be awesome, I don’t think we currently make smart decisions around what to verify at the moment