Incorrect Authenticode image page hashes

ID PE167 Level CRITICAL Category Security

Description

Authenticode image page hashes value is not correct. The value stored in the signature does not match the computed value. This makes the Authenticode signature invalid.

Mitigation

  • Make sure you do not modify the executable image after it has been signed.
  • Do not compress/pack signed images.

Arguments

This rule has the following output arguments:

  • signature_info - Readable affected signature name (e.g. "root signature", "timestamp root signature", "nested signature (index 1)")