KB2915720: Changes in Windows Authenticode Signature Verification
Severity: Info | Nessus Plugin ID: 71322

Synopsis: The remote Windows host has not enabled a recommended Windows Authenticode configuration change.

Description: The remote Windows host has not enabled the Windows Authenticode signature verification certificate padding check. This means that extraneous information can be included in signed binaries without invalidating their Authenticode signatures.

Note that Microsoft announced on July 29, 2014, that it no longer plans to enforce the stricter signature verification behavior by default. Under the stricter behavior, previously signed binaries would be considered unsigned if they contained extraneous information in the WIN_CERTIFICATE structure of the signed executable. The stricter check does, though, remain available as an opt-in feature.

Note also that this plugin only reports whether the Windows Authenticode signature verification change has been enabled when the 'Report paranoia' global setting is set to 'Paranoid (more false alarms)'.

Solution: Apply the suggested actions referenced in Microsoft Security Advisory (2915720). These actions may cause previously signed binaries to be considered unsigned. Refer to the advisory for more information.