Authenticode Digital Signing

Posts: 1
Joined: 24 Mar 2020 - 13:14
Hi Mysterious Creator,

I absolutely love VirtualMIDISynth.  Thank you for the effort, obvious passion, and care you've put into it.

Because VirtualMIDISynth is interacting with operating system objects normally not interacted with by normal freeware/shareware, it is detected as a threat by a good portion of the antimalware community, as visible on VirusTotal.

As an employee of one of the major security vendors, I would like to suggest something that will quickly allow someone to flag CoolSoft software as non-threatening (non-malware).

As of now, 2020, digitally signing software with Authenticode signatures is a must-for-trust.  This allows the assessment of threat-level to be tied directly to the vendor and an override of a threat detection to be created.

I have submitted VirtualMIDISynth for analysis in order to achieve non-malware status at my employer, but I can do so only based upon the current file version because there is no digital certificate.  As soon as the software is updated, the status override is no longer useful.

In particular, MIDIMapper.Configurator.Proxy.exe is currently detected as malware, but frankly any of the PEs (.exe or .dll) involved in VirtualMIDISynth can be signed by a single certificate and therefore be cleared by reputation of the digital certificate.

If for any reason a security vendor does not clear your digital certificate, the digital certificate is still useful because an individual user can clear CoolSoft software, themselves, using that digital certificate.

In order to further an audience otherwise scared away from VirtualMIDISynth by their antimalware software, I hope that you are willing to Authenticode-sign your software.

Thanks, again, for such a wonderful product bringing great sound into my tech den!  :)

Posts: 1735
Joined: 25 Mar 2012 - 01:19
Re: Authenticode Digital Signing

I somehow missed this thread, and I'm very sorry ;)

I agree that digitally signing binaries is the way to go... but it costs too much for a single developer making free software only.
I have no income from my free work (other than a few bucks from ads, which most people actually remove with AdBlockers and such...).

So spending $200+/yr for a certificate is something I really don't like to do, since I don't make money out of it.

WarsawPact wrote:
As an employee of one of the major security vendors...
Maybe you could help me clear my doubts about self-signed certificates:

  • How are they considered by AV vendors?
  • Could they add them to their signature DBs, or is this not possible at all (as I suppose...)?
  • Will it only help end-users to flag CoolSoft software as safe (or safer)?

Thanks for your help.
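For a reader who wants to see concretely what the two posts above are talking about (which of a product's PE files carry a signature, which certificate they share, and how the OS reports a self-signed signature as opposed to one from a CA that Windows trusts), here is an added PowerShell example. It is not code from either poster or from CoolSoft; the install folder is an assumed placeholder, and it uses only the built-in Get-AuthenticodeSignature cmdlet.

```powershell
# Added example (not from the thread): inventory the Authenticode status of every .exe/.dll
# under a folder and group the signed ones by signer-certificate thumbprint, so a product
# signed with one certificate can be assessed (or cleared) as a unit rather than file by file.
param(
    # Assumption: placeholder path, adjust to the real install folder
    [string]$Folder = 'C:\Program Files\VirtualMIDISynth'
)

$peFiles = Get-ChildItem -Path $Folder -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue

$report = foreach ($file in $peFiles) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        File       = $file.FullName
        # Valid / NotSigned / HashMismatch / NotTrusted / UnknownError ...
        Status     = $sig.Status
        Message    = $sig.StatusMessage
        Signer     = if ($cert) { $cert.Subject }    else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        # Heuristic: a certificate that issued itself is self-signed. Windows will not report
        # such a signature as Valid unless the certificate has been installed into a trusted
        # store on this machine; it typically comes back as UnknownError with an untrusted-root
        # message, which is what an end user would see before deciding to trust it themselves.
        SelfSigned = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $false }
    }
}

# Unsigned files can only be cleared by file hash, and that override breaks on every update.
"Unsigned PE files:"
$report | Where-Object Status -eq 'NotSigned' | Select-Object File | Format-Table -AutoSize

# One row per signing certificate: the unit a vendor or user would actually trust.
"Signing certificates found:"
$report | Where-Object Thumbprint | Group-Object Thumbprint | ForEach-Object {
    [pscustomobject]@{
        Thumbprint = $_.Name
        Signer     = $_.Group[0].Signer
        SelfSigned = $_.Group[0].SelfSigned
        Statuses   = ($_.Group.Status | Sort-Object -Unique) -join ','
        Files      = $_.Count
    }
} | Format-Table -AutoSize

# Files that are signed but whose signature does not verify (tampered, expired chain, untrusted root).
"Signed but not Valid:"
$report | Where-Object { $_.Thumbprint -and $_.Status -ne 'Valid' } |
    Select-Object File, Status, Message | Format-Table -AutoSize -Wrap
```

Run it from a PowerShell prompt with `-Folder` pointing at the product's install directory. The thumbprint column is the value a user would pin when allow-listing by publisher rather than by hash; the last table is where a self-signed certificate shows up, since without a trusted chain the OS cannot vouch for the signer even though the signature itself is intact.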