Signature verification
Purpose
This setting defines whether and when digital signatures of files are checked to ensure that only trusted and unmodified programs are executed. The verification is performed based on certificates associated with a file. This allows DriveLock to determine, for example, whether a program originates from the specified publisher or has been tampered with.
How it works
This setting enables the verification of certificates in digitally signed files. DriveLock checks the validity of the signature and determines how deeply the associated certificate chain is verified – for example, whether only the thumbprint is checked or the entire chain is validated.
This influences how DriveLock identifies trusted applications.
Configuration options
| Option | Description |
|---|---|
| Off - not recommended | No signature check is performed. Not recommended, as tampered files may go undetected. (Behavior is the same as before for EXE/DLL files.) |
| On – without using thumbprint (default) | Signature verification is performed only if no certificate thumbprint is used as a validation criterion. This is the default. |
| On – using criteria other than thumbprint | Signature verification is performed only if validation criteria other than the certificate thumbprint are used (e.g., issuer name, serial number). |
| On (always) – caution with self-signed certificates | Signature verification is always performed, regardless of other criteria. This option offers maximum security but may lead to issues if self-signed certificates are intended to be trusted (e.g., as previously allowed for scripts). |
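The following script is an added example, not DriveLock code or part of its documentation. It models the four options above with built-in Windows tooling (Get-AuthenticodeSignature and an X509Chain build) so the difference between "thumbprint only" and "full chain validation" can be seen on a real file. The function name Test-FileTrust, the mode names, the $Criteria hashtable keys and the sample file path are assumptions made for this example.

```powershell
# Added example (not DriveLock code). Models the "Signature verification" modes:
# thumbprint criteria pin one exact certificate, other criteria (issuer, serial)
# identify a publisher and therefore need the signature and chain to be trusted.
function Test-FileTrust {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [ValidateSet('Off', 'OnWithoutThumbprint', 'OnWithOtherCriteria', 'Always')]
        [string] $Mode = 'OnWithoutThumbprint',
        [hashtable] $Criteria = @{}   # assumed keys: Thumbprint, Issuer, SerialNumber
    )

    $usesThumbprint    = $Criteria.ContainsKey('Thumbprint')
    $usesOtherCriteria = @($Criteria.Keys | Where-Object { $_ -ne 'Thumbprint' }).Count -gt 0

    # Decide whether this mode validates the signature and certificate chain at all.
    $verify = switch ($Mode) {
        'Off'                 { $false }
        'OnWithoutThumbprint' { -not $usesThumbprint }
        'OnWithOtherCriteria' { $usesOtherCriteria }
        'Always'              { $true }
    }

    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $cert = $sig.SignerCertificate
    $result = [ordered]@{ File = $FilePath; Mode = $Mode; Verified = $verify; Allowed = $false; Reason = '' }

    if ($null -eq $cert) {
        $result.Reason = "unsigned ($($sig.Status))"
        return [pscustomobject]$result
    }

    # Criteria matching: the thumbprint is compared byte-for-byte against the
    # signer certificate; issuer and serial number are matched as strings.
    if ($usesThumbprint -and $cert.Thumbprint -ne $Criteria.Thumbprint) {
        $result.Reason = 'thumbprint mismatch'; return [pscustomobject]$result
    }
    if ($Criteria.ContainsKey('Issuer') -and $cert.Issuer -ne $Criteria.Issuer) {
        $result.Reason = 'issuer mismatch'; return [pscustomobject]$result
    }
    if ($Criteria.ContainsKey('SerialNumber') -and $cert.SerialNumber -ne $Criteria.SerialNumber) {
        $result.Reason = 'serial number mismatch'; return [pscustomobject]$result
    }

    if ($verify) {
        # Full check: the Authenticode hash must match the file contents and the
        # signer's chain must build to a trusted root. A self-signed certificate
        # fails here, which is the caveat the "On (always)" option carries.
        if ($sig.Status -ne 'Valid') {
            $result.Reason = "signature status $($sig.Status): $($sig.StatusMessage)"
            return [pscustomobject]$result
        }
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        if (-not $chain.Build($cert)) {
            $result.Reason = 'chain: ' + (($chain.ChainStatus | ForEach-Object Status) -join ', ')
            return [pscustomobject]$result
        }
    }

    $result.Allowed = $true
    $result.Reason  = if ($verify) { 'signature and chain valid' } else { 'criteria matched; signature not verified in this mode' }
    return [pscustomobject]$result
}

# Constructed sample invocations; replace the path and criteria with values from your own rule.
$sample = 'C:\Windows\System32\notepad.exe'
Test-FileTrust -FilePath $sample -Mode Always
Test-FileTrust -FilePath $sample -Mode OnWithoutThumbprint -Criteria @{ Thumbprint = '<THUMBPRINT-FROM-YOUR-RULE>' }
Test-FileTrust -FilePath $sample -Mode OnWithOtherCriteria -Criteria @{ Issuer = '<ISSUER-DN-FROM-YOUR-RULE>' }
```

Running the three calls against a file signed with a self-signed certificate shows the practical difference: the thumbprint-pinned call in OnWithoutThumbprint mode can still allow the file, while the Always call reports a chain error because the root is not trusted. The RevocationMode is set explicitly so that an offline machine fails closed rather than silently skipping revocation.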
Recommended configuration
The option On – without using thumbprint is the default value and provides a secure, consistent check without restrictions for self-signed certificates. The On (always) setting offers maximum security, but should be used with caution if self-signed certificates are in use in the environment. This setting has no effect on performance.
In combination with the Trusted processes setting, it ensures that only signed and verified applications may be executed.