Driver Signing.

[basil00]

I am looking for a new sponsor for driver signing. The high-level requirements are:

• Willing to sign new releases of the WinDivert32.sys and WinDivert64.sys driver (probably about 1-2 releases per year).
• Have an Extended Validation (“EV”) Code Signing Certificate as required by Windows 10.

Note that there is no immediate problem as the current release is already signed. This is for anticipated future releases or bug fixes.

If you can help then please contact basil at reqrypt.org.

[muse117]

I am not sure. As a last resort, you can try manually deleting any WinDivert entry in the registry. That seemed to have worked for other people.

The Version 2.2 A/B/C/D is double sha-256 signature. You should set a sha-1 and sha-256 signature. This can support Windows 7/ Windows 2008.

[basil00]

I usually ask the sponsors (who sign the driver) if they also want to support SHA1, but most do not bother. It is still possible to run SHA256 drivers by using an up-to-date version of Windows 7, or at least by installing a patch: https://support.microsoft.com/en-us/help/3033929/microsoft-security-advisory-availability-of-sha-2-code-signing-support

[wumn290]

I signed the driver with our company's certificate, and then submitted it to Microsoft for signature. The choice is: Windows 10 Client versions 1506 and 1511 (TH2) Windows 10 Client versions 1506 and 1511 x64 (TH2) Windows 10 Client version 1607 (RS1) Windows 10 Client version 1607 x64 (RS1) Windows 10 Client version 1703 Client (RS2) Windows 10 Client version 1703 Client x64 (RS2) Windows 10 Client version 1709 Client (RS3) Windows 10 Client version 1709 Client x64 (RS3)   I've been stuck in the Scanning stage, I don't know why

[TechnikEmpire]

IIRC just select a single target with the lowest version of windows 10. The portal scans the ini files and figures out itself what architectures you've included and such.

[wumn290]

IIRC just select a single target with the lowest version of windows 10. The portal scans the ini files and figures out itself what architectures you've included and such.

Does IIRC mean RS2? I now choose this way: Windows 10 Client versions 1506 and 1511 (TH2) Windows 10 Client versions 1506 and 1511 x64 (TH2) Windows 10 Client version 1607 (RS1) Windows 10 Client version 1607 x64 (RS1) Give it a try

[wumn290]

Now the scan fails： Scanning Notes {"code":"4001","details":{"errorInfo":"ConfirmedMalware"},"innerError":null}

[TechnikEmpire]

No sorry, its just short for "if I recall correctly". The portal is finicky and will get stuck without explanation sometimes. Pick the simplest/base option. In this case, the lowest version of windows. Also make sure that you're only choosing attestation signing. Theres another type of signing where the portal runs a myriad of tests against the driver. You don't want that. Simply attestation signing.

[TechnikEmpire]

@basil00 that MS portal output needs your attention. @wumn290 that doesn't look good. I've tagged the author, he will have to follow up.

[basil00]

{"code":"4001","details":{"errorInfo":"ConfirmedMalware"},"innerError":null}

That is quite concerning. If Microsoft decides to shadowbans the driver then that is pretty much the end of the project.

Some questions:

• What version of WinDivert did you attempt to sign?
• Did you make any modifications to the driver before signing?

Can anyone else with an EV certificate verify this for me?

If confirmed, the next step would be to contact Microsoft support to complain about a false positive. WinDivert is not malware and should not be classified as such.

[wumn290]

{"code":"4001","details":{"errorInfo":"ConfirmedMalware"},"innerError":null}

That is quite concerning. If Microsoft decides to shadowbans the driver then that is pretty much the end of the project.

Some questions:

• What version of WinDivert did you attempt to sign?
• Did you make any modifications to the driver before signing?

Can anyone else with an EV certificate verify this for me?

If confirmed, the next step would be to contact Microsoft support to complain about a false positive. WinDivert is not malware and should not be classified as such.

I am using WinDivert64.sys and WinDivert32.sys under WinDivert-1.4.3-A \ x86, which are not compiled from the source code, the driver is not changed before signing, but the inf is written by myself, other driver files of our company can The signature passed, but windivert failed

[basil00]

One of the sponsors resigned version 2.2.0 of the driver and had no problems. So this might just be a false positive in Microsoft's malware detection that affects version 1.4.3 of the driver binary.

There are are few things you could try, such as upgrading to newer versions of the driver, recompiling the driver, or contacting Microsoft support to complain about the false positive.

[SizzlingCalamari]

I have KB3033929 patch installed on Win7 but run WinDivert-2.2.0-A/B/C with an error: failed to open the WinDivert device (577). WinDivert-1.4.3-A is running well without any problem. Any suggestions? Thanks.

@helloray Try this version: https://reqrypt.org/download/WinDivert-2.2.0-D.zip

@basil00 I had the same issue with A/B/C where they wouldn't load on a fully updated W7. The D version worked for me. Could you upload it to the project site or add it to releases? Thanks!

[helloray]

@SizzlingCalamari Your D version worked for me. Thanks

[basil00]

Looking for a new sponsor for driver signing

WinDivert 2.2.1 is available but is currently unsigned. If anyone can help with driver signing, please contact basil at reqrypt.org.

[Fplyth0ner-Combie]

Looking for a new sponsor for driver signing

WinDivert 2.2.1 is available but is currently unsigned. If anyone can help with driver signing, please contact basil at reqrypt.org.

We can help to sign driver. Contacted by email.

[basil00]

@Fplyth0ner-Combie Thanks very much for your help.

A WinDivert 2.2.1 release (with signed drivers) is now available here: https://github.com/basil00/Divert/releases/tag/v2.2.1