ESET Code Signing Certificate cannot be validated. Windows 11 Security warns.


Recommended Posts

After updating Windows 11 the other day, Windows 11 now complains that Local Security Authority Protection is off.

Looking into the errors in Event Viewer, it looks like the cause is that ESET binaries are not properly signed.

[two Event Viewer screenshots not reproduced]

Anybody else seeing this?


The one it complains about is eamsi.dll, but it actually has multiple signatures.

That top one looks good, but the bottom one cannot be verified.

[screenshot of the file's Digital Signatures tab not reproduced]

  • Administrators

It's perfectly OK; the last one is a signature by an internal CA cert and is not meant to be verified by the OS in order to load. What matters is that the first two signatures are reported as valid by Windows.

Actually, eamsi.dll is not validly signed per the screenshot below:

[screenshot Eset_AMSI.png not reproduced]

To date, this status has not caused issues in Win 10.

Perhaps Microsoft has decided to crack down on AV vendors in this regard on Win 11.

Edited by itman

I did some "boning up" on LSA protection on Win 11.

At default settings, it just sets lsass.exe to protected mode. I have done this on my Win 10 build via a reg hack. It can also be done via the Group Policy editor. Again, even in protected mode, I haven't observed any conflicts with the invalidly signed Eset eamsi.dll. That is, lsass.exe still runs in protected mode along with LsaIso.exe, i.e. Credential Guard & Key Guard, loading. However, my PC doesn't support Secure Boot. Without it, I don't get full Credential Guard & Key Guard protection.

Win 11 however does introduce LSA protected mode with UEFI lock option. Are you using that option?

However, since lsass.exe runs as a protected process, Eset wouldn't be able to inject eamsi.dll into it, even if it tried to, which I see no reason why it would. Bottom line is I don't believe eamsi.dll is the source of your LSA issues on Win 11.

So the base problem is indeed not ESET (even though clearly MS would like something to be different according to the event viewer).
Apparently something in the update 4 days ago made this happen for a lot of people.
The solution is to add a new/different registry key to enable LSA. No idea why this is now needed.

https://www.elevenforum.com/t/enable-or-disable-local-security-authority-lsa-protection-in-windows-11.11104/#post-274436
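The two posts above (setting lsass.exe to protected mode via the registry or Group Policy, and the registry value that the update now expects) are easier to reason about with a read-only audit of the machine's actual state. The script below is an added example written for this thread, not ESET's or Microsoft's code. It reads the `RunAsPPL` value under the `Lsa` key, looks for the Wininit event 12 that records lsass.exe starting as a protected process, lists Code Integrity events for plugins LSA refused (or, in audit mode, would have refused) to load, queries the Device Guard WMI class for Credential Guard, and reports the Authenticode status of one DLL. The DLL path is a placeholder because the thread never states where eamsi.dll lives; the event IDs and registry values are the ones Microsoft documents for LSA protection.

```powershell
# Added example (not from the thread): read-only audit of LSA protection state
# and of one DLL's Authenticode status. Changes nothing; run from an elevated prompt.
param(
    # Placeholder: the thread does not give the on-disk path of eamsi.dll.
    [string]$DllPath = 'C:\PLACEHOLDER\PATH\eamsi.dll'
)

# 1. Registry configuration, per Microsoft's LSA protection documentation:
#    RunAsPPL = 1 -> enabled with UEFI lock, 2 -> enabled without UEFI lock.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
if ($null -eq $runAsPpl)   { Write-Output 'RunAsPPL: not set (LSA protection not configured in registry)' }
elseif ($runAsPpl -eq 1)   { Write-Output 'RunAsPPL = 1: LSA protection enabled with UEFI lock' }
elseif ($runAsPpl -eq 2)   { Write-Output 'RunAsPPL = 2: LSA protection enabled without UEFI lock' }
else                       { Write-Output "RunAsPPL = $runAsPpl: unrecognised value" }

# 2. Runtime state: Wininit writes event 12 to the System log when lsass.exe
#    starts as a protected process. Absence means the setting did not take effect.
$wininit12 = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -ErrorAction SilentlyContinue |
             Where-Object { $_.ProviderName -like '*Wininit*' } |
             Select-Object -First 1
if ($wininit12) { Write-Output "Wininit 12 ($($wininit12.TimeCreated)): $($wininit12.Message)" }
else            { Write-Output 'No Wininit event 12 found: lsass.exe is not running as a protected process' }

# 3. Plugins LSA could not load: Code Integrity events 3033/3063 are written in
#    enforced mode, 3065/3066 in audit mode. These are what to read when an
#    AV/AMSI module is suspected, rather than the generic Security warning.
$ciLog    = 'Microsoft-Windows-CodeIntegrity/Operational'
$ciEvents = Get-WinEvent -FilterHashtable @{ LogName = $ciLog; Id = 3033, 3063, 3065, 3066 } `
                         -MaxEvents 20 -ErrorAction SilentlyContinue
if ($ciEvents) {
    Write-Output "Code Integrity events referencing LSA plugin loads (newest first):"
    $ciEvents | ForEach-Object { Write-Output "  [$($_.Id)] $($_.TimeCreated): $($_.Message)" }
} else {
    Write-Output 'No Code Integrity 3033/3063/3065/3066 events: LSA has not rejected any plugin'
}

# 4. Credential Guard: Win32_DeviceGuard.SecurityServicesRunning contains 1 when
#    Credential Guard is running (2 is HVCI). Ties in with the LsaIso.exe remark above.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    $cg = if ($dg.SecurityServicesRunning -contains 1) { 'running' } else { 'not running' }
    Write-Output "Credential Guard: $cg (SecurityServicesRunning = $($dg.SecurityServicesRunning -join ','))"
}

# 5. Primary Authenticode signature of the DLL in question.
if (Test-Path -Path $DllPath) {
    $sig = Get-AuthenticodeSignature -FilePath $DllPath
    Write-Output "$DllPath : status = $($sig.Status); signer = $($sig.SignerCertificate.Subject)"
} else {
    Write-Output "$DllPath not found; set -DllPath to the module you want to inspect"
}
```

Two points about reading the output. `Get-AuthenticodeSignature` only reports the primary signature, so a file that carries the extra internal-CA signature discussed above will still show `Valid` here if its first signature chains to a trusted root; to see every signature you need the file's Digital Signatures tab or `signtool verify /all`. And if step 1 shows `RunAsPPL` set but step 2 finds no Wininit event 12, the value was written but has not taken effect, which is the situation the registry-key fix in the last post addresses: check the configuration and the runtime state separately rather than trusting the Windows Security warning alone.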

This topic is now closed to further replies.