Why are BigFix installers not signed?

With BigFix now falling under the Security Team of IBM, do we know why all the installers are not signed? I would have assumed that this would be the 1st thing to do with a production release. I have personally verified 9.2.7’s console & agent installer. It is not signed.


Just to expand a bit; we are also facing other issues:

  1. Win10 now starts to alert you by default if you launch an installer without appropriate signatures. A few IT admins already got paranoid and alerted me.
  2. Nowadays, threat intelligence is getting more and more collaborated with several tools; BES Client Helper, for example, is listed as malware on https://exchange.xforce.ibmcloud.com/malware/08faef3865401071e4d197c7a2a76ebe and partially listed as malicious in VirusTotal. Now I totally understand that we need to take it with a grain of salt, but a signature would be useful.
  3. Many forensic tools/malware analysis procedures specifically list searching for files without signatures as analysis 101. This again causes great issues when you are promoting BigFix internally and the only option is to whitelist the hashes in the internal security tools we have.

The installers on Windows are definitely signed. How are you verifying the installers? I just checked the 9.2.7 Client installer for example and it states on the Properties/Digital Signatures tab that it is signed


Thanks for checking, Alan. There seems to be an issue for sure. I don't know how come you are not seeing it:
So if you download any BigFix file to begin with:

Then, if you go to properties->dig sig->then Details → View Certificate… Boom!!! It starts working.

I have tested this on a lot of systems. This DEFINITELY doesn't work, especially on Win10. On Win7, the only option is to do what I explained. After that I am seeing IBM as the publisher.

Another example:

So our 9.2.7 release is signed with a newer certificate than the older releases, so it is possible that Microsoft has not yet done a patch that included the root certificates of the chain we are using. When you “check” the system there, it will go out and attempt to fetch the certificate chain in question.

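One way to check what the thread is arguing about from PowerShell instead of the Properties dialog, as an added example that is not part of the original posts: it reports the Authenticode status of a file and, for each certificate in the signer's chain, whether it is currently in the machine's trusted root stores. The function name `Get-InstallerSignatureReport` and the sample path are hypothetical.

```powershell
# Added example (not from the thread): Authenticode status plus per-certificate chain detail.
function Get-InstallerSignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if (-not $sig.SignerCertificate) {
        # No embedded signature at all; Status is normally NotSigned here.
        return [pscustomobject]@{ File = $Path; Status = $sig.Status; Chain = @() }
    }

    # Build the chain ourselves so every element and its errors can be inspected.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($sig.SignerCertificate)

    # Thumbprints present right now in the trusted root stores
    # (Root = Trusted Root CAs, AuthRoot = Third-Party Root CAs).
    $roots = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
        Select-Object -ExpandProperty Thumbprint

    $elements = foreach ($e in $chain.ChainElements) {
        [pscustomobject]@{
            Subject     = $e.Certificate.Subject
            Thumbprint  = $e.Certificate.Thumbprint
            NotAfter    = $e.Certificate.NotAfter
            SelfSigned  = ($e.Certificate.Subject -eq $e.Certificate.Issuer)
            InRootStore = ($roots -contains $e.Certificate.Thumbprint)
            Problems    = ($e.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        }
    }

    [pscustomobject]@{
        File          = $Path
        Status        = $sig.Status         # Valid, NotSigned, NotTrusted, HashMismatch, UnknownError, ...
        StatusMessage = $sig.StatusMessage
        Signer        = $sig.SignerCertificate.Subject
        Timestamped   = [bool]$sig.TimeStamperCertificate
        Chain         = $elements
    }
}

# Placeholder path: point this at the downloaded installer.
$report = Get-InstallerSignatureReport -Path 'C:\Temp\installer-placeholder.exe'
$report | Format-List File, Status, StatusMessage, Signer, Timestamped
$report.Chain | Format-Table -AutoSize
```

A `Status` other than `Valid` together with `Problems` such as `UntrustedRoot` or `PartialChain` points at the chain rather than at a missing signature. As the last reply notes, the act of checking can make Windows fetch the chain, so a second run on a connected machine may report differently from the first.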