Here's what happened with Release #65... (we're NOW at #66!)


Status
Not open for further replies.

PHolder

Well-known member
May 19, 2018
1,225
205
I use Chrome and had problems until I told Windoze to ignore sqrl.exe
Interesting. I believe that Chrome delegates file scanning to the OS while I don't think Firefox does so, perhaps that is the issue. The weird thing is then you would expect a problem when I went to launch the EXE as this is definitely handled by the OS... and I saw no issue. I have my OS configured pretty much as standard with respect to SmartScreen... So I am confused why we would have different experiences.
 

Dave

Well-known member
May 19, 2018
487
99
Gardner, MA
Interesting. I believe that Chrome delegates file scanning to the OS while I don't think Firefox does so, perhaps that is the issue. The weird thing is then you would expect a problem when I went to launch the EXE as this is definitely handled by the OS... and I saw no issue. I have my OS configured pretty much as standard with respect to SmartScreen... So I am confused why we would have different experiences.
Different degrees of experience/learning of the much-touted Microsuck AI?

Let's hear it for non-deterministic software!! Woo-hoo!!
 

Steve

Administrator
Staff member
May 6, 2018
1,016
307
www.grc.com
So, does this issuer check not work on Linux? Because while on my Win10 machine my only recourse was a manual install, on my Debian box it updated as normal, pretty as you please.
Right, Shane. Linux/WINE do not support the Authenticode API. So the already installed instance of the client is unable to check the signature of the "to be installed" update.
 

Steve

Administrator
Staff member
May 6, 2018
1,016
307
www.grc.com
Please ignore this if you've already answered this question and I've simply missed it, but what will prevent this from happening again in the future? There's almost no chance that you can expect a static Cert Issuer string in perpetuity. Once rolled out, you can no longer expect users to manually update.
Hi Rob,
So there are two issues here: The first is the change every three years of certificate. The second is the change of the cert signer.

What I need to do in the first case is to build trust and reputation in a second certificate WHILE the first certificate is still valid. It turns out that it IS possible to "dual sign" with Authenticode. So in (three years - minus x months) I will obtain a replacement certificate well in advance of this new certificate's expiration and I will begin dual signing. In that fashion the new certificate will become known while the old certificate remains trusted.

To deal with the second issue of a changing signer (which I =could= have done here if I'd been aware of the problem ahead of time): An update to the SQRL client would first be made that's aware of BOTH signers. (Our release #66 is now aware of both just in case I have any unexpected need to fall back to a non-EV cert.) We would need to wait a while for everyone's SQRL clients to be updated to the "dual awareness" release. Then the subsequent release could be made available under the new signer and it would be accepted.

This is obviously a bit fraught with peril... but given that any CA is able to mint an Authenticode certificate, it's not at all inconceivable that someone, somewhere, could arrange to obtain a code signing certificate from a shady CA (it's happened before, as we know) with Gibson Research Corporation as its signer, then somehow arrange to get that into the "supply chain" -- most likely by compromising GRC or DNS. But add the requirement that the certificate must ALSO be validly issued by DigiCert, and be an EV cert, before existing instances of SQRL will accept it, and that seriously ups the ante.
 
  • Like
Reactions: RobAllen
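
The signer transition described in the post above, modelled as an added example (not SQRL's own code and not part of the original posts): each installed build accepts an update only if the signature verifies, the subject matches, and the issuer is in that build's pinned list. The issuer strings, release numbers and helper names are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholders: the real subject/issuer strings are not given in the thread.
SUBJECT = "Gibson Research Corporation"
OLD_ISSUER = "OLD-ISSUER (placeholder)"
NEW_ISSUER = "NEW-ISSUER (placeholder)"

@dataclass(frozen=True)
class Signature:
    subject: str
    issuer: str
    chain_valid: bool  # what the OS signature check reports

@dataclass(frozen=True)
class Release:
    number: int                  # hypothetical release number
    signature: Signature         # how this build itself is signed
    trusted_issuers: frozenset   # issuers this build accepts on its next update

def accepts(installed, candidate):
    """Installed build's decision: valid chain AND expected subject AND pinned issuer."""
    sig = candidate.signature
    return (sig.chain_valid and sig.subject == SUBJECT
            and sig.issuer in installed.trusted_issuers)

def roll_out(installed, releases):
    """Offer releases in order; return (installed number, rejected numbers)."""
    rejected = []
    for rel in releases:
        if accepts(installed, rel):
            installed = rel
        else:
            rejected.append(rel.number)
    return installed.number, rejected

def build(number, issuer, trusted):
    return Release(number, Signature(SUBJECT, issuer, True), frozenset(trusted))

def abrupt_switch():
    # New signer shipped to builds that only pin the old one: the update is refused.
    return roll_out(build(1, OLD_ISSUER, {OLD_ISSUER}), [build(2, NEW_ISSUER, {NEW_ISSUER})])

def staged_switch():
    both = {OLD_ISSUER, NEW_ISSUER}
    # Release 2 is the "dual awareness" build, still signed under the old issuer.
    return roll_out(build(1, OLD_ISSUER, {OLD_ISSUER}),
                    [build(2, OLD_ISSUER, both), build(3, NEW_ISSUER, both)])

def lookalike_accepted():
    # Same subject name, chain the OS trusts, but an issuer that is not pinned.
    return accepts(build(2, OLD_ISSUER, {OLD_ISSUER, NEW_ISSUER}), build(9, "OTHER-CA (constructed)", set()))
```

The abrupt switch leaves every client stuck on release 1, while the staged switch reaches release 3 with no rejections, and the same-subject certificate from an unpinned issuer is refused even though its chain verifies.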

Steve

Administrator
Staff member
May 6, 2018
1,016
307
www.grc.com
Also, this indicates that every update error screen needs a link to either the SQRL download page or the SQRL executable itself. Perhaps every error screen, anywhere, needs a link to a relevant SQRL page. Regardless of this particular issue, a large number of users will experience errors and will need some simple, understandable way to recover from them.
To this point, I agree. I'm going to take this as a valuable lesson (in several ways) and add a button to ALL of the installation error pages to take the user to a landing page at GRC. That way if or when something like this happens again in the future, I'll be able to quickly put up instructions to deal with whatever is going on at the time. :)
 
  • Like
Reactions: RobAllen

telstra

New member
Apr 9, 2019
1
0
If you are on Windows 10, you can open a WSL (bash) command line and download SQRL manually (wget https://www.grc.com/dev/sqrl.exe). Then run it with "./sqrl.exe" and it will bypass Windows Defender complaints. This is both helpful and scary.

Windows Defender and Trend Micro OfficeScan were both blocking the download and the execution until I did that. Using WSL, it sailed right through. 😳
 

Dave

Well-known member
May 19, 2018
487
99
Gardner, MA
@Steve, @Gang,

FWIW... Microsoft claims to have fixed it in Windows Defender...
Before:
AntiSpyware Signature Version: 1.291.2470.0
AntiVirus Signature Version: 1.291.2470.0

After:
AntiSpyware Signature Version: 1.291.2481.0
AntiVirus Signature Version: 1.291.2481.0


After removing the sqrl.exe exception, an explicit scan of sqrl.exe came up clean.
 

CVBoykin

Member
Feb 3, 2019
19
2
At first Defender would not let me download 66 using Edge. So I updated my Defender AV definitions and tried Firefox. It all worked and I am back. Defender even let SQRL find my SQRL id file and load it, so all appears well.
 

AlanD

Well-known member
May 20, 2018
128
23
Rutland, UK
Just tried an automatic update and it failed Code 8 as expected. Downloaded it and ran it manually, and Avast jumped in "Hold on we are just running a 15 second scan". It then told me that I had discovered a very rare file and it was submitting it for further analysis. If I try to run it, it pops up a warning, but will let me override and run it anyway.

Hopefully their "further analysis" will result in it being whitelisted.
 

Paul F

Well-known member
Apr 11, 2019
97
29
Toronto
I cannot find a Win 10 setting for Windows Defender to whitelist SQRL.exe downloads.
For manually downloading sqrl.exe, I don't know the definitive answer but this worked for me (Win 10-32 Ver 1709):
When you get the message "Windows Defender SmartScreen reported sqrl.exe as unsafe", click on "View Downloads" and in the past downloads list right click on sqrl.exe and select "Download unsafe file".

Now you can close Edge and (as described in other replies) make your way to Windows Defender Security Center -> Virus & threat protection -> Virus & threat protection settings -> Exclusions: Add or remove exclusions -> Add an exclusion: File

and finally browse to and select the sqrl.exe that you downloaded. I was able to run the downloaded sqrl.exe and have it install without further problems.
 

Hzy

Active member
Feb 27, 2019
38
6
Bama
no problem with new install (Win10 1809), but for my default/main identity (shown in top window bar as expected) my password is now "wrong". Also, 2nd test identity is not listed - no option to change identity at login. I logged in using the iOS app. It seems like my sqrl file is not being read correctly. what else explains this?
 

Hzy

Active member
Feb 27, 2019
38
6
Bama
hmm. reported problem was on a recent i3 HP consumer box. same update process on a very old AMD machine did not "forget" my password (which I have as the same on all devices) and also did not lose my 2nd/test identity. Ghost in the (i3) Machine?
 

Steve

Administrator
Staff member
May 6, 2018
1,016
307
www.grc.com
same update process on a very old AMD machine did not "forget" my password
Something weird is going on... since SQRL =cannot= "forget" your password. It's built into the identity file. Perhaps Caps Lock was on?
 

Hzy

Active member
Feb 27, 2019
38
6
Bama
you're right! I was the one that forgot... that I turned on Windows protected folders feature. sorry for the false alarm!
 