Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

JamesSmith said:

@garlin I ran your new script in power shell and Malwarebytes picked it up as Malware

This only happens once. If I run the script again Malwarebytes ignores it until a system restart.

Click to expand...

JamesSmith said:

This happened on my laptop and desktop. There was no pop up. I saw the result when I went into Malwarebytes and was like what the heck but can say it happens exactly when the script runs. You need to open the program and go to detection history and it will be there.

Click to expand...

@EB2XR6 reported a similar malware alert from Webroot.

I believe it's false positive triggered by the inclusion of an open source function written by security researcher Matt Graeber. The function decodes the policy version number that's embedded in the SkuSiPolicy.p7b file, since it's not an open setting that can be read from the file.

Matt is a legitimate security expert who specializes in Windows code integrity (security), and provides many analysis scripts for other researchers.

Unfortunately, I can't ask the different security companies to unblock my script, since I'm an individual with no professional reputation online. Yes, I worked for two large tech companies people have known, but I those details are not public. Security companies don't like unblocking people who don't have a long reputation as a public-facing developer with a recognized project or software app.

You can choose to use the previous version (v2024.01.18):
Releases · garlin-cant-code/SecureBoot-CA-2023-Updates

As an experiment, I'm going to create an obfuscated version of the current script (for fun) to see if the security scanners are doing what I think they shouldn't be doing.

GunnzAkimbo said:

OK! Success.

2. The option in bios that forced secure boot into setup mode on my X99 Godlike board (2015 era) so the update script can install the certs:

Step 0 - MANUAL management of secure boot keys (NOT standard mode)

Step 1 - DISABLE factory default option
Step 2 - DELETE all factory default keys
Step 3 - A msg box appears stating all keys will be deleted and force secure boot into setup mode.

Run the check script then update script.

Click to expand...

Thanks for the write-up, it will help other users who might not know their BIOS menus.

JamesSmith said:

@garlin I ran your new script in power shell and Malwarebytes picked it up as Malware

Please see the screenshots.

This only happens once. If I run the script again Malwarebytes ignores it until a system restart.

View attachment 168151

View attachment 168152

View attachment 168153

This happened on my laptop and desktop. There was no pop up. I saw the result when I went into Malwarebytes and was like what the heck but can say it happens exactly when the script runs. You need to open the program and go to detection history and it will be there.

James.

Click to expand...

Hi James & Garlin
I have sent a copy of the script to Webroot for analysis a few hours ago and have not heard anything back.
I already mentioned to Garlin that I uploaded the Script to virustotal.com and nothing was detected.
Regards EB2XR6

Just for fun... does this trigger anyone's security product? I rewrote Matt's function to fluster automated scanning.

EB2XR6 said:

Hi James & Garlin
I have sent a copy of the script to Webroot for analysis a few hours ago and have not heard anything back.
I already mentioned to Garlin that I uploaded the Script to virustotal.com and nothing was detected.
Regards EB2XR6

Click to expand...

That's because the file is not the problem. I have scanned Check-UEFI with Malwarebytes, Norton 360 and HitmanPro and have received negative results. It only happens when you run the script.

There is no pop up with Malwarebytes but if you open it up you will see a entry in Detection History - Detection Overview related to the script being run.

JamesSmith said:

That's because the file is not the problem. I have scanned Check-UEFI with Malwarebytes, Norton 360 and HitmanPro and have received negative results. It only happens when you run the script.

Click to expand...

Webroot tagged the Script and Quarantined the file when I was decompressing the Zip file.

EB2XR6 said:

Webroot tagged the Script and Quarantined the file when I was decompressing the Zip file.

Click to expand...

The new one released today?

JamesSmith said:

The new one released today?

Click to expand...

Yes it did.

garlin said:

Just for fun... does this trigger anyone's security product? I rewrote Matt's function to fluster automated scanning.

Click to expand...

Not a peep from Webroot, Thanks Garlin.

I've written a few scripts to override default Windows file security settings (some posted to Ten/ElevenForum). They use well known methods. And believe me Defender loves to flag my scripts over and over, when they're sitting idle in my projects folder.

RestoreGamesExplorer.ps1 is a classic case. It uses a common ACL technique to gain control of a file

Once someone has taught a security scanner this pattern is "bad", it thinks everything with that pattern is a threat. If I remove it from the quarantine, it'll get randomly flagged again sitting in my folder.

I am not at all worried with the false positive as I understand what garlin wrote in his previous post #1061 Just a heads up for Malwarebytes Users.

I got this today in Windows Security...

Hey Garlin I ran the new script again and noticed some new entries from the old script.

Under UEFI DB Certs I have
Compal_Test
F8V350-ITL

Any idea what this is about?

For reference I do have




PS C:\V2> powershell -nop -ep bypass -f .\Check_UEFI-CA2023.ps1 -audit -verbose
Windows 11 25H2 (26200.8037)

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

BIOS Firmware
-------------
LENOVO 20VD
Version: F8CN59WW(V2.22)
Date: 2024-06-14

Factory Default UEFI PK Cert
----------------------------
Ideapad Products

UEFI PK Cert
------------
Ideapad Products

Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Compal_Test
F8V350-ITL

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023
Compal_Test
F8V350-ITL

Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 33

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0
EFI_CERT_SHA256_GUID Signatures: 437

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 26100.30227, SVN 7.0

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

SkuSiPolicy.p7b is CURRENT.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\SkuSiPolicy.p7b
Version: 3.0.0.13


AUDIT REPORT
============


STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: UPDATES ARE FINISHED. UEFI CA 2023 certs are present, PCA 2011 cert is revoked.

PS C:\V2>


Thank you Garlin :)

JamesSmith said:

Hey Garlin I ran the new script again and noticed some new entries from the old script.

Under UEFI DB Certs I have
Compal_Test
F8V350-ITL

Any idea what this is about?

Click to expand...

OEM's are allowed to create their own set of KEK and DB certs for internal reasons. Some of these certs support UEFI-based remote monitoring or management features (ie. Dell or HP).

Compal is a major Taiwanese ODM (Original Design Manufacturer) that builds PC's on behalf of large brands like Lenovo. Lenovo designs the PC's, and Compal has responsibility for following manufacturing them to Lenovo's specs. For quality control at the factory, someone doesn't boot your copy of Windows and fiddles with the PC for a few minutes. Instead there are custom automation tools which boot and run a series of HW tests.

If your system has Secure Boot enabled (from the factory) then it can't boot a custom factory app unless that app is correctly signed by a registered cert in the UEFI DB. Should they clean that up before it appears in your hands? Sure. But as long as Lenovo doesn't mind...

Why do you see these certs when it was hidden before?

You remember when your Gigabyte-based PC wasn't correctly reporting certs as "Gigabyte"? In order to handle your case, I had to remove any filtering on the cert's identity. When the script was first written, I only listed the Microsoft certs because Windows is only concerned with MS-issued certs. Following that rule, you would never see Gigabyte at all.

The non-MS certs are now displayed in Verbose mode, but always filtered out on the default report for simplicity. I have no idea what "F8V350-ITL" stands for.

garlin said:

Just for fun... does this trigger anyone's security product? I rewrote Matt's function to fluster automated scanning.

Click to expand...

I just ran that script and Malware bytes or Windows Security didn't say a word. I checked the history and no mention of issues with it.

gunrunnerjohn said:

I just ran that script and Malware bytes or Windows Security didn't say a word. I checked the history and no mention of issues with it.

Click to expand...

Thanks. A human can still defeat a badly sourced AI (or heuristic engine) for now. As I suspected, they're feeding the scanner a steady diet of scripts from known Windows security experts so it cries wolf when it sees certain keywords.

The modded script works the same as before. All I've done is taken the "targeted words" and substituted other variable names in their place, and changed the script's formatting in that section. A really smart security engine would watch what actions the script is taking, before flagging it.

That way, you can't just fool it.

It's like having the authorities ban a book because it contains a recipe in English for "french fries", but it's not illegal if they're called "chips" or "frittes" or translating the recipe to a non-English language.

It's actually a little bit concerning that it's that easy to fool the security applications!

So,

HuntyFtw said:

Thanks for the reply. This is what my BIOS looks like:
View attachment 168102
Is it the option "Erase all Secure Boot setting"?

Click to expand...

The "Select an UEFI file as trusted for executing" option only accepts the efi files and not the certs (I checked that the 2023 certs are present in the EFI partition". How do I solve this?

Different BIOS'es can accept certain types of EFI files, and they don't all agree on the supported formats.

- A pre-signed X509 certificate file with a .der or .crt file extension
- A signed binary file with a .bin extension
- A signed binary file with an .auth extension

Your BIOS might take one of those options, however the script can only copy the .der & .crt files to the EFI. If those options don't work, you may have to Delete All Keys and enter Setup mode, so the update script can load the .bin files from Windows.

Here are my results with the "updated script", I don't get the "Windows Hello PIN" part. I guess that is because I don't have that activated on my computer.