Pavol Cerven

itman: Thank you for your answers, they are very helpful. But one thing I don't understand. You will add Eset's certificate to the whitelist of allowed certs. Then the security solution will check if it is the same cert. At this point everything is fine. Then you will call WTHelperCertIsSelfSigned function. It will return "it is self-signed cert". And then what? You can't call WinVerifyTrust because it will return CERT_E_UNTRUSTEDROOT. But how you will check if certs are ok and nobody changed the file? Then anybody can use a self-signed cert for another file or change eamsi.dll and you will allow it? This is what I don't understand. And I appreciate your opinion because your answers make sense. Btw: I looking for answers for others, because we have our's cert handling, checking, etc. You give me the correct way how we will do it for problematic certs like this (we will see if we can really do it in the correct way).

Our protection solution accepts in process only dlls with known certificates and valid signed dlls . I can add Eset's certificate as a known certificate. It is not the problem. The problem is a return value from WinVerifyTrust function. All correctly signed files normally return ERROR_SUCCESS. But eamsi.dll returns CERT_E_UNTRUSTEDROOT.

Marcos if you think your certificates are correct, then you try to call WinVerifyTrust function. For eamsi.dll it returns error code 0x800B0109 which is CERT_E_UNTRUSTEDROOT. Before you reply try opening (ALT+ENTER) eamsi.dll in Windows and check what Windows display for your certificates. It doesn't look correct. I am sorry. I have 3 licenses of ESET Internet Security and it's the same at Win11, Win10, and Win7.

Hello, during testing our program we found out your dll file eamsi.dll inject into our process. Because this file is signed with Microsoft's certificate it will be no problem. File has 3 signatures: ESET, spol. s r.o. -> it's ok Microsoft Windows Hardware Compatibility Publisher -> it's ok ESET, spol. s r.o. -> If you open "view certificate" then you will see: "This certificate cannot be verified up to a trusted certification authority" and if you open "Certification Path" then you will see "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store." I did a quick check and think many other files have the same problem (dmon.dll). Can you please update your certificates or maybe inject your files more hidden way?