Incorrect Authenticode image hash value

ID: PE165
Level: CRITICAL
Category: Security

Description

The Authenticode image hash value is incorrect: the hash value stored in the signature differs from the hash value computed over the image. This makes the Authenticode signature invalid.

Mitigation

  • Make sure you do not modify the executable image after it has been signed.
  • Do not compress/pack signed images.
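
The following added example (not part of the original rule documentation) computes the Authenticode image hash over a constructed PE32+ skeleton to show which post-signing changes leave the hash intact and which trigger this rule. The function names, the SHA-256 default, and the flat layout (contiguous sections, certificate table at the end of the file) are assumptions of the example.

```python
import hashlib
import struct

def authenticode_regions(pe: bytes):
    """Hashed byte ranges (added example; assumes contiguous sections, certificate table last)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                        # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                        # CheckSum: same offset in PE32 and PE32+
    certdir = opt + (96 if magic == 0x10B else 112) + 4 * 8   # data directory 4
    cert_off, cert_size = struct.unpack_from("<II", pe, certdir)
    end = cert_off if cert_size else len(pe)   # the signature blob itself is never hashed
    return [(0, checksum), (checksum + 4, certdir), (certdir + 8, end)]

def authenticode_digest(pe: bytes, algo: str = "sha256") -> str:
    h = hashlib.new(algo)
    for start, end in authenticode_regions(pe):
        h.update(pe[start:end])
    return h.hexdigest()

def build_sample_pe() -> bytearray:
    """Constructed PE32+ skeleton for the demo; not a loadable program."""
    pe = bytearray(0x400)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)          # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x80 + 24, 0x20B)    # PE32+ magic
    pe[0x200:0x210] = b"\x90" * 16                  # stand-in section bytes
    return pe

def attach_signature(pe: bytearray, blob: bytes) -> bytearray:
    """Append a certificate table and point data directory 4 at it."""
    signed = bytearray(pe) + blob
    struct.pack_into("<II", signed, 0x80 + 24 + 112 + 32, len(pe), len(blob))
    return signed

if __name__ == "__main__":
    image = build_sample_pe()
    stored = authenticode_digest(image)             # value a signer would embed
    signed = attach_signature(image, b"\0" * 64)    # constructed placeholder blob
    print("after signing:  ", authenticode_digest(signed) == stored)
    signed[0xD8:0xDC] = b"\xef\xbe\xad\xde"         # rewrite the CheckSum field
    print("CheckSum edited:", authenticode_digest(signed) == stored)
    signed[0x205] ^= 0xFF                           # post-signing patch or packer rewrite
    print("section patched:", authenticode_digest(signed) == stored)
```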

Arguments

This rule has the following output arguments:

  • signature_info - Human-readable name of the affected signature (e.g. "root signature", "timestamp root signature", "nested signature (index 1)")