I once suggested a standalone script for the virus definition files only: viewtopic.php?f=3&t=4927#p15729
It featured a function VerifyFileSignature, which could be used again, with some modifications. An example script with a built-in test suite could then look like:
Code:
@echo off
setlocal enableextensions enabledelayedexpansion
rem file CheckDigitalFileSignatures.cmd
rem A short example script for the test of digital file signatures, using
rem a function VerifyFileSignatures.
rem Start of main program
rem Create a little test suite first
pushd ..\client\wsus
rem Create an unsigned file with some blind text
echo "Lorem ipsum dolor sit amet, consectetur adipiscing elit." > Lorem-ipsum.txt
rem Create a damaged copy of wsusscn2.cab by appending some text
copy wsusscn2.cab wsusscn2-copy.cab
echo error >> wsusscn2-copy.cab
popd
rem Running tests...
echo Verifying digital file signatures of Windows Update Agent installation and catalog files...
set DownloadFolder=..\client\wsus
call :VerifyFileSignatures %DownloadFolder%
echo.
rem The subdirectories of client\dotnet are tested separately from within
rem :DownloadCore. The directory dotnet should NOT be checked recursively,
rem although this might look convenient here.
echo Verifying digital file signatures for .NET Frameworks' installation files...
set DownloadFolder=..\client\dotnet
call :VerifyFileSignatures %DownloadFolder%
echo.
echo Verifying digital file signatures for C++ Runtime Libraries' installation files...
set DownloadFolder=..\client\cpp
call :VerifyFileSignatures %DownloadFolder%
echo.
echo Verifying digital file signatures for Windows Essentials 2012 installation files...
set DownloadFolder=..\client\wle
call :VerifyFileSignatures %DownloadFolder%
echo.
echo Verifying digital file signatures for Microsoft Security Essentials files (x86)...
set DownloadFolder=..\client\msse\x86-glb
call :VerifyFileSignatures %DownloadFolder%
echo.
echo Verifying digital file signatures for Windows Defender definition files (x86)...
set DownloadFolder=..\client\wddefs\x86-glb
call :VerifyFileSignatures %DownloadFolder%
echo.
echo Verifying digital file signatures for w61 glb...
set DownloadFolder=..\client\w61\glb
call :VerifyFileSignatures %DownloadFolder%
echo.
rem The main program may be quit with "goto :eof".
endlocal
goto :eof
rem Labels can work like functions, if they are called with "call". In
rem Microsoft speak, this creates a new "batch context". This batch
rem context can take positional parameters like a batch file. It is left
rem with "goto :eof". The script resumes execution after the command,
rem which created the batch context.
rem Start of function "VerifyFileSignatures"
:VerifyFileSignatures
echo Verifying download directory: %1
echo.
rem All tokens in the tabular output of sigcheck are already quoted.
rem They must not be double-quoted, or the comparison will fail. The
rem recursive option -s is not really necessary, if the full path to
rem the download directory is used.
for /F "skip=1 tokens=1,2 delims=," %%i in ('..\bin\sigcheck.exe /accepteula -q -c %1') do (
  echo Path: %%i
  echo Verified: %%j
  echo.
  if not %%j=="Signed" (
    echo The digital file signature for %%i could not be verified.
    rem remove the echo from the next line, if everything works fine
    echo del %%i
    echo.
  )
)
echo.
rem End of function "VerifyFileSignatures"
goto :eof
The script should be run from the directory wsusoffline\cmd or another directory at the same level.
Example results for the first section could look like:
Code:
C:\wsusoffline\cmd_new>CheckDigitalFileSignatures.cmd
1 Datei(en) kopiert.
Verifying digital file signatures of Windows Update Agent installation and catalog files...
Verifying download directory: ..\client\wsus
Path: "C:\wsusoffline\client\wsus\Lorem-ipsum.txt"
Verified: "Unsigned"
The digital file signature for "C:\wsusoffline\client\wsus\Lorem-ipsum.txt" could not be verified.
del "C:\wsusoffline\client\wsus\Lorem-ipsum.txt"
Path: "C:\wsusoffline\client\wsus\WindowsUpdateAgent30-x64.exe"
Verified: "Signed"
Path: "C:\wsusoffline\client\wsus\WindowsUpdateAgent30-x86.exe"
Verified: "Signed"
Path: "C:\wsusoffline\client\wsus\wsusscn2-copy.cab"
Verified: "Die digitale Signatur des Objekts konnte nicht bestätigt werden."
The digital file signature for "C:\wsusoffline\client\wsus\wsusscn2-copy.cab" could not be verified.
del "C:\wsusoffline\client\wsus\wsusscn2-copy.cab"
Path: "C:\wsusoffline\client\wsus\wsusscn2.cab"
Verified: "Signed"
Some messages by Sigcheck are localized. Then it would be interesting to see if this script also works in other languages.
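
One way to make the check independent of the display language is to compare an enum value instead of Sigcheck's text column. The following is an added example, not part of the original post or of the WSUS Offline scripts; the function name Test-DownloadFolder is hypothetical, and the script assumes it is run from wsusoffline\cmd with the same folder layout as the batch script above.

```powershell
# Added example; Test-DownloadFolder is a hypothetical name.
# Assumption: run from wsusoffline\cmd, like the batch script above.
function Test-DownloadFolder {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [switch] $Delete
    )
    $valid = [System.Management.Automation.SignatureStatus]::Valid
    # Not recursive, matching the sigcheck call without -s.
    foreach ($file in Get-ChildItem -LiteralPath $Path -File) {
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        # Status is an enum value (Valid, NotSigned, HashMismatch, ...).
        # Only StatusMessage is localized text, so it is never compared.
        # Anything other than Valid is rejected (fail closed).
        $accepted = ($sig.Status -eq $valid)
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Path     = $file.FullName
            Status   = $sig.Status
            Signer   = $signer
            Accepted = $accepted
        }
        if (-not $accepted -and $Delete) {
            # Dry run, like "echo del" in the batch script; drop -WhatIf to delete.
            Remove-Item -LiteralPath $file.FullName -WhatIf
        }
    }
}

# Same download folders as in the batch script.
$folders = '..\client\wsus', '..\client\dotnet', '..\client\cpp', '..\client\wle',
           '..\client\msse\x86-glb', '..\client\wddefs\x86-glb', '..\client\w61\glb'
foreach ($folder in $folders) {
    if (Test-Path -LiteralPath $folder -PathType Container) {
        Write-Host "Verifying download directory: $folder"
        Test-DownloadFolder -Path $folder -Delete | Format-Table -AutoSize
    }
}
```

The Signer column is reported but not enforced: a Valid status only says that the signature chains to a trusted root, not who signed the file.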