Trusted Vendors List
In Comodo Client Security, there are two basic methods in which an application can be treated as safe. Either it has to be part of the 'Safe List' (of executables/software that is known to be safe) OR that application has to be signed by one of the vendors in the 'Trusted Vendor' list.
From this point:
- IF the vendor is on the Trusted Software Vendor List AND the user has enabled 'Trust Applications signed by Trusted Vendors' in the File rating Settings panel, THEN the application will be trusted and allowed to run.
- IF the vendor is not on the Trusted Software Vendor List OR the user has not enabled 'Trust Applications signed by Trusted Vendors' THEN the application will be contained. If the application in question is an installer then CCS will generate an elevated privilege alert.
Software publishers may be interested to know that they can have their signatures added, free of charge, to the 'master' 'rusted Vendor list that ships to all users with CCS. Details about this can be found at the foot of this page.
The 'Trusted Vendors' panel can be opened by clicking Security Settings > File Rating > Trusted Vendors.
You can use the search option to find a specific vendor in the list.
To use the search option, click the search icon at the far right in the column header.
- Click the chevron on the left side of the column header and select the search criteria from the drop-down.
- Enter partly or fully the vendor's name in the search field.
- Click the right or left arrow at the far right of the column header to begin the search.
- Click
the icon in the search field to close the search option.
Click here to learn how to Add / Define a user-trusted vendor
Software Vendors - click here to find out about getting your software added to the list
Many software vendors digitally sign their software with a code signing certificate. This practice helps end-users to verify:
-
Content Source: The software they are downloading and are about to install really comes from the publisher that signed it.
-
Content Integrity: That the software they are downloading and are about to install has not be modified or corrupted since it was signed.
In short, users benefit if software is digitally signed because they know who published the software and that the code hasn't been tampered with - that are are downloading and installing the genuine software.
The 'Vendors' that digitally sign the software to attest to it's probity are the software publishers. These are the company names you see listed in the first column in the graphic above.
However, companies can't just 'sign' their own software and expect it to be trusted. This is why each code signing certificate is counter-signed by an organization called a 'Trusted Certificate Authority'. 'Comodo CA Limited' and 'Verisign' are two examples of a Trusted CA's and are authorized to counter-sign 3rd party software. This counter-signature is critical to the trust process and a Trusted CA only counter-signs a vendor's certificate after it has conducted detailed checks that the vendor is a legitimate company.
If a file is signed by a Trusted Software Vendor and the user has enabled 'Trust Applications that are digitally signed by Trusted Software Vendors' then it will be automatically trusted by Comodo Client Security (if you would like to read more about code signing certificates, see http://www.instantssl.com/code-signing/).
One way of telling whether an executable file has been digitally signed is checking the properties of the .exe file in question. For example, the main program executable for Comodo Client Security is called 'ccs.exe' and has been digitally signed.
- Browse to the (default) installation directory of Comodo Client Security.
- Right click on the file ccs.exe.
- Select 'Properties' from the menu.
- Click the tab 'Digital Signatures (if there is no such tab then the software has not been signed).
This displays the name of the CA that signed the software as shown below:
- Click the 'Details' button to view digital signature information.
- Click 'View Certificate' to inspect the actual code signing certificate. (see below).
It should be noted that the example above is a special case in that Comodo, as creator of 'ccs.exe', is both the signer of the software and, as a trusted CA, it is also the counter-signer (see the 'Countersignatures' box). In the vast majority of cases, the signer or the certificate (the vendor) and the counter-signer (the Trusted CA) are different. See this example for more details.
Adding and Defining a User-Trusted Vendor
A software vendor can be added to the local 'Trusted Software Vendors' list in two ways:
To add a trusted vendor by reading the vendor's signature from an executable
-
Click the handle from the bottom center and choose 'Add' > 'Read from a signed executable'
- Browse to the location of the executable your local drive. In the example below, we are adding the executable 'YahooMessenger.exe'.
On clicking 'Open', Comodo Client Security checks that the .exe file is signed by the vendor and counter-signed by a Trusted CA. If so, the vendor (software signer) is added to the Trusted Vendor list (TVL). If the file is already in the list, you will be notified.
To verify the signer
- Navigate to the installation location of the executable
- Right click on the executable file
- Select 'Properties' from the menu
- Click the tab 'Digital Signatures (if there is no such tab then the software has not been signed)
- From the 'Digital Certificate Details' dialog, click 'View Certificate'
- This displays the name of the CA that signed the software as shown below:
In
the example above, Comodo Client Security was able to verify and
trust the vendor signature on YahooMessenger.exe because it had been
counter-signed by the trusted CA 'Symantec'. The software signer
'Yahoo! Inc.' is now a Trusted Software Vendor and is added to the
list. All future software that is signed by the vendor 'Yahoo! Inc.'
is automatically added to the Comodo Trusted Vendor list UNLESS you
change this
setting in File Rating Settings.
To add a trusted vendor from a currently running process
- Click the handle from the bottom and choose 'Add' > 'Read from a running process'
-
Select the signed executable that you want to trust and click the 'OK' button.
Comodo Client Security performs the same certificate check as described above. If the parent application of the selected process is signed, CCS adds the vendor to the Trusted Software Vendors list.
If Comodo Client Security cannot verify that the software certificate is signed by a Trusted CA then it does not add the software vendor to the list of 'Trusted Vendors'. In this case, you can see the following error message.
Note: The 'Trusted Software Vendors' list displays two types of software vendors:
|
The Trusted Vendor Program for Software Developers
Software vendors can have their software added to the default Trusted Vendor List that is shipped with Comodo Client Security. This service is free of cost and is also open to vendors that have used code signing certificates from any Certificate Authority. Upon adding the software to the Trusted Vendor list, CCS automatically trusts the software and does not generate any warnings or alerts on installation or use of the software.
The vendors have to apply for inclusion in the Trusted Vendors list through the sign-up form at http://internetsecurity.comodo.com/trustedvendor/signup.php and make sure that the software can be downloaded by our technicians. Our technicians check whether:
- The software is signed with a valid code signing certificate from a trusted CA
- The software does not contain any threats that harm a user's PC
... before adding it to the default Trusted Vendor list of the next release of CCS.
More details are available at http://internetsecurity.comodo.com/trustedvendor/overview.php