ESET Code Signing Certificate cannot be validated. Windows 11 Security warns.


After updating Windows 11 the other day, Windows 11 now complains that Local Security Authority Protection is off.

Looking into the errors in Event Viewer, it looks like the cause is that ESET binaries are not properly signed.

[two screenshots of the Event Viewer entries attached]

Anybody else seeing this?


  • Administrators

I've checked ekrn.exe signatures and both certs issued by Entrust and Microsoft are valid:

[two screenshots of the signature dialog attached]


The one it complains about is eamsi.dll, but it actually has multiple signatures.

That top one looks good, but the bottom one can not be verified.

[screenshot of the eamsi.dll signature list attached]


  • Administrators

It's perfectly ok, the last one is a signature by an internal CA cert and is not meant to be verified by the OS in order to load. What matters is that the first two signatures are reported as valid by Windows.


Actually, eamsi.dll is not validly signed per the screenshot below:

[screenshot attached: Eset_AMSI.png]

To date, this status has not caused issues in Win 10.

Perhaps Microsoft has decided to crack down on AV vendors in this regard on Win 11.

Edited by itman
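The posts above disagree about what "not validly signed" means for a file that carries more than one signature. The PowerShell script below is an added example, not code from ESET or from anyone in this thread: it reports the primary Authenticode signature of every PE file under an install directory, and because Get-AuthenticodeSignature only ever reports the primary signer, it optionally calls signtool.exe from the Windows SDK with /all to list the secondary signatures of one file. The ESET install path and the file name eamsi.dll used as defaults are assumptions for illustration.

```powershell
# Added example (not ESET's code): report Authenticode status for a directory of binaries.
# Get-AuthenticodeSignature returns only the PRIMARY signature; secondary (nested)
# signatures, such as the internal-CA one discussed above, are not visible through it.
[CmdletBinding()]
param(
    [string]$Dir  = "$env:ProgramFiles\ESET\ESET Security",   # assumed install path
    [string]$File = 'eamsi.dll'                                # file to inspect with signtool /all
)

function Get-SigReport {
    param([string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        File     = Split-Path $Path -Leaf
        Status   = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer   = if ($cert) { $cert.Subject } else { '' }
        Issuer   = if ($cert) { $cert.Issuer  } else { '' }
        NotAfter = if ($cert) { $cert.NotAfter } else { $null }
        Detail   = $sig.StatusMessage
    }
}

# Primary-signature view for every exe/dll/sys; anything not 'Valid' sorts to the top.
Get-ChildItem -Path $Dir -Recurse -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SigReport $_.FullName } |
    Sort-Object @{ Expression = { $_.Status -eq 'Valid' } }, File |
    Format-Table File, Status, Signer, Issuer, NotAfter -AutoSize

# Full view of one file: signtool verify /all walks every signature in the file,
# /pa uses the default Authenticode policy, /v prints each chain. Requires the
# Windows SDK; skipped when signtool.exe is not on PATH.
$signtool = Get-Command signtool.exe -ErrorAction SilentlyContinue
if ($signtool) {
    & $signtool.Source verify /pa /all /v (Join-Path $Dir $File)
} else {
    Write-Host 'signtool.exe not found; install the Windows SDK to list secondary signatures.'
}
```

Run it from an elevated PowerShell so the ESET directory is readable. A secondary signature that signtool cannot chain to a trusted root is not by itself a loading problem for Windows; what matters for the loader is that at least one signature chains to a trusted root and the file hash matches, which is exactly what the Status column of the primary signature reports.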

I did some "boning up" on LSA protection on Win 11.

At default settings, it just sets lsass.exe to protected mode. I have done this on my Win 10 build via a reg hack. It can also be done via the Group Policy editor. Again, even in protected mode, I haven't observed any conflicts with the invalidly signed Eset eamsi.dll. That is, lsass.exe still runs in protected mode along with LsaIso.exe; i.e. Credential Guard & Key Guard, loading. However, my PC doesn't support Secure Boot. Without it, I don't get full Credential Guard & Key Guard protection.

Win 11 however does introduce LSA protected mode with UEFI lock option. Are you using that option?

However, since lsass.exe runs as a Protected process, Eset wouldn't be able to inject eamsi.dll into it, even if it tried to, and I see no reason why it would do so. Bottom line is I don't believe eamsi.dll is the source of your LSA issues on Win 11.


So the base problem is indeed not ESET (even though clearly MS would like something to be different according to the event viewer).
Apparently something in the update 4 days ago made this happen for a lot of people.
The solution is to add a new/different registry key to enable LSA. No idea why this is now needed.

https://www.elevenforum.com/t/enable-or-disable-local-security-authority-lsa-protection-in-windows-11.11104/#post-274436

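The last two posts describe LSA protection being toggled through the registry and verified through Event Viewer. The script below is an added example, not code from anyone in this thread or from Microsoft, and it does not reproduce the workaround key from the linked elevenforum post. It reads the Microsoft-documented RunAsPPL value (on Windows 11 22H2 and later, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock), checks Secure Boot, looks for the Wininit event 12 that records LSASS starting as a protected process, and lists Code Integrity events 3033/3063 (enforced) and 3065/3066 (audit) that record a module LSASS did not or would not load because of its signature. The -Enable switch writes RunAsPPL the documented way; it takes effect after a reboot.

```powershell
# Added example (not from the thread, ESET or Microsoft): audit and optionally enable
# LSA protection. Registry value and event IDs are the Microsoft-documented ones.
[CmdletBinding()]
param(
    [switch]$Enable,        # write RunAsPPL; needs a reboot to take effect
    [switch]$WithUefiLock   # 1 = enabled with UEFI lock (cannot be undone from the OS), 2 = without
)

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaProtectionState {
    $runAsPpl = (Get-ItemProperty -Path $LsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # Wininit writes event 12 to the System log when LSASS starts as a protected process.
    $started = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "off".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    [pscustomobject]@{
        RunAsPPL           = if ($null -eq $runAsPpl) { 'not set' } else { $runAsPpl }
        LsassProtectedBoot = [bool]$started
        LastProtectedStart = if ($started) { $started.TimeCreated } else { $null }
        SecureBoot         = $secureBoot
    }
}

function Get-LsaPluginBlocks {
    # Code Integrity records modules that fail LSASS's signing requirements:
    # 3033/3063 when protection is enforced, 3065/3066 in audit mode.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3033, 3063, 3065, 3066
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

if ($Enable) {
    $value = if ($WithUefiLock) { 1 } else { 2 }
    New-ItemProperty -Path $LsaKey -Name RunAsPPL -PropertyType DWord -Value $value -Force | Out-Null
    Write-Host "RunAsPPL set to $value; reboot for LSASS to start as a protected process."
}

Get-LsaProtectionState | Format-List
Get-LsaPluginBlocks     | Format-Table -AutoSize
```

Run it elevated. The useful cross-check is the pair LsassProtectedBoot and the Code Integrity list: if event 12 is present and no 3033/3063 events name an ESET module, LSASS is protected and nothing of ESET's was refused by it, regardless of what the Windows Security page shows. Choose the UEFI lock deliberately: once set, it can only be cleared with a firmware-level reset, not by deleting the registry value.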
