Recent reports of Comodo / Sectigo Code Signing certificates used for malware contain numbers that are difficult to understand and may lead to false conclusions. In this post we clarify the numbers behind the reported malware signing.
Unfortunately, recent press reports suggest the incorrect conclusion that Chronicle reported nearly 2000 such certificates for Comodo / Sectigo. Since this story ran, we have investigated all of the certificates attributed to Comodo / Sectigo. More than 90% of these were expired, previously revoked, or duplicate reports. The breakdown is:
Previously revoked: 126
In process: 25
Active (now revoked): 127
Duplicate: These reported certificates match others that have already been logged in a different category. This duplication may arise from multiple uses of the same certificate or from multiple reports of the same malware application.
Expired: These certificates had already expired as of this investigation.
Previously revoked: These certificates had already been revoked by Sectigo prior to this investigation. Certificates may have been revoked for reported abuse or at the request of the customer.
In process: These reported certificates did not match our records of Code Signing certificates from Comodo / Sectigo during our investigation. We are continuing to investigate these certificates.
Active (now revoked): These certificates were active as of the investigation and are now revoked. As a matter of policy Sectigo revokes certificates used for malware and does not issue certificates to known abusers.
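The categories above amount to a deduplicate-then-classify pass over reported certificates. The following Python is an added illustration of that pass and is not Sectigo's own tooling; the issuer names, serials, dates and the rule that "expired" takes precedence over "previously revoked" are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed date on which the reported certificates were checked (placeholder).
INVESTIGATION_DATE = date(2019, 3, 1)


@dataclass(frozen=True)
class ReportedCert:
    issuer: str                 # issuing CA as named in the report
    serial: str                 # certificate serial number (hex) as reported
    not_after: date             # expiry taken from the certificate itself
    revoked_on: Optional[date]  # revocation date from the CA's records, or None
    in_ca_records: bool = True  # False when the report matches no CA record


def classify(c: ReportedCert, today: date = INVESTIGATION_DATE) -> str:
    """Map one (first-seen) reported certificate to the post's categories."""
    if not c.in_ca_records:
        return "in process"          # could not be matched; needs follow-up
    if c.not_after < today:
        return "expired"             # assumption: expiry checked before revocation
    if c.revoked_on is not None and c.revoked_on < today:
        return "previously revoked"  # CA had already acted before the report
    return "active (now revoked)"    # still valid when checked; revoke it now


def breakdown(reports):
    """Count reports per category, marking repeat (issuer, serial) pairs as duplicates."""
    seen = set()
    counts = {}
    for r in reports:
        key = (r.issuer, r.serial.lower())
        category = "duplicate" if key in seen else classify(r)
        seen.add(key)
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample reports; no real certificates are referenced.
CA = "Example CA (placeholder)"
SAMPLE = [
    ReportedCert(CA, "01", date(2018, 6, 30), None),                 # expired
    ReportedCert(CA, "02", date(2020, 1, 1), date(2018, 11, 5)),     # previously revoked
    ReportedCert(CA, "02", date(2020, 1, 1), date(2018, 11, 5)),     # duplicate of above
    ReportedCert(CA, "03", date(2020, 1, 1), None),                  # active (now revoked)
    ReportedCert(CA, "04", date(2020, 1, 1), None, in_ca_records=False),  # in process
    ReportedCert(CA, "03", date(2020, 1, 1), None),                  # duplicate of "03"
]

if __name__ == "__main__":
    print(breakdown(SAMPLE))
```

Six reports collapse to four distinct certificates here; counting the raw reports instead of the deduplicated set is exactly the kind of inflation the post describes.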