Why does my signed file appear as "not signed" on VirusTotal?
I have a file that appears to be digitally signed on my Windows system, but VirusTotal's "Details" tab reports it as "File is not signed." Why is there a discrepancy?
There are two primary reasons why a file might appear signed locally but unsigned on VirusTotal:
1. The use of Windows Catalog Files
Windows has the capability to use "catalog files" (.cat) to verify the digital signature of a file. In these cases, the signature is not embedded directly within the file's Authenticode section as usual; instead, the file's hash is stored in a separate catalog file on your system that declares the file as trusted.
Since VirusTotal analyzes the file in isolation, it does not have access to the specific catalog files present on your local machine, and thus cannot verify signatures that are not embedded directly in the binary.
2. Stricter Authenticode Verification
VirusTotal enforces a stricter Windows Authenticode signature verification process than some local tools . This means that if a signed file is malformed or has been tampered with, VirusTotal will report it as "File is not signed" to ensure security and integrity.
How can I verify this myself?
You can use the Sigcheck utility from Microsoft Sysinternals to investigate the signature status of your file.
- Download Sigcheck.
- Run the following command in your terminal:
sigcheck.exe -i <path_to_your_file> - Check the output:
- If you see a "Catalog:" line in the output pointing to a
.catfile (e.g.,Catalog: C:\Windows\system32\CatRoot\...), the signature is external and not embedded in the file. - If the file is reported as "Unsigned" or "Verified: Unsigned" despite appearing signed in Windows Explorer, it may be due to the file being malformed or failing strict verification checks.
- If you see a "Catalog:" line in the output pointing to a
Updated about 13 hours ago