Information
Article ID: 82
Created On: 7/20/2016
Modified: 7/20/2016
What Technologies does Duoserve use to Prevent Malware
Duoserve takes the security of our customers very seriously. Duoserve does guarantee that we do not explicitly or knowingly distribute malware with our software. However, we cannot guarantee or warrant that our software is free of malware at any given time. To date, we have not had any security issues with our software deployments. Like most organizations, we have had attacks on our systems, but to our knowledge, none have ever successfully installed malware in the software we release. Our software may get distributed by third parties, and in that process the applications may get infected. We always recommend that you download our software directly from our website. What you see below is a guarantee that the downloaded file is coming from Duoserve, even if our website were to be compromised. The certificate used to sign the downloadable file is not reachable by hackers.





The software that we publish on our website is digitally signed in-house. The systems that we develop on are not public, and we use “Authenticode” technology (see link below) to sign our software applications so that our customers can verify that Duoserve is the original author of the downloadable software. From a legal standpoint, we cannot guarantee that any technology will completely protect us or our customers. A good example is the OpenSSL Heartbleed bug. OpenSSL is the most popular open source cryptographic library and TLS (Transport Layer Security) implementation used to encrypt traffic on the Internet. OpenSSL was depended on by some of the biggest organizations, websites, and government agencies, and yet was still compromised and needed to be patched. If a security code base that was supposed to offer security to its users can be compromised, we find it misleading to state that anything can be 100% secure. Many companies tout their “unbreakable” security. We do not prefer this tactic because it is counterintuitive to convince our customers that they should let their guard down.

In fact, we highly recommend that our customers do periodic security scans using powerful and modern anti-virus programs at least once a day. Most security applications offer an analysis of programs that are about to be executed in memory, which adds a good layer of protection. We highly recommend you pass the links below to your security advisor and/or final decision makers to assess whether the technologies we use offer sufficient security for your organization. For added security, we also recommend that you implement a network security appliance that filters outgoing internet traffic, in the event that an application tries to transmit private information from your compromised local systems.

Because of zero-day vulnerabilities, we cannot legally guarantee or warrant that any website, product, and/or electronic transmission is free from malware, viruses, or malicious code. We also do not guarantee that our systems will never be breached. We do not believe in these false marketing tactics. Duoserve will do our best to keep our systems safe and try to isolate any vulnerability as soon as we are made aware of it. We take our customers’ security seriously and would like you to read this article completely, so that you have knowledge about not just Duoserve’s software, but your overall security with any software you have or plan to install on your systems.

We highly recommend that any decision makers click and read the “Authenticode” hyperlink below. The “Authenticode” signing process is applied when our developers release the applications publicly. In short, the “Authenticode” technology “reduces the risk of a Trojan horse” being placed in the application AFTER deployment. The certificates that we use to sign our application require that a third-party organization verify we are who we say we are. The certificate we use to sign our applications also offers a “chain” of trust back to known organizations or CAs (Certificate Authorities). These trusted chains cryptographically limit the capacity of a hacker to modify our application. If they modify the application code in any way, the “Authenticode” technology (if not flawed itself) will post a warning saying that the code has been modified and that it cannot guarantee it is from the original author. To be extremely clear, Authenticode does reduce threats AFTER the software has been deployed.

Authenticode technology does not guarantee that the signed code is free from malware, but rather that it comes from a verifiable party. It also does not verify that the code is safe in its original form. If we have been unknowingly compromised before a code release, we may potentially sign something that is malicious, and the “Authenticode” system will state that the application is from us, even though it may be unsafe or compromised. Although this is rare, we still like to share this information so that our users know exactly how each technology protects them. Education is the best tool for safety. If you feel that all the safeguards Duoserve takes are not enough for your organization, one technique to ensure you are safe is to always run an application in an isolated test environment. Many security experts and products can analyze how a software application works and what it does. Many customers do not go to these lengths, but if your organization is highly security critical, then we highly recommend these approaches and further analysis. Anti-virus applications that you may use and we may use may not be enough, but a manual professional analysis may fit your needs.
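The check described in the two paragraphs above can be scripted instead of read off a security prompt. The following PowerShell is an added example, not Duoserve's own code; the file path and the expected publisher name are placeholders (assumptions) to be replaced with the values for the file you downloaded.

```powershell
# Added example. Get-AuthenticodeSignature is the built-in Windows PowerShell
# cmdlet; the function name, path and publisher string below are hypothetical.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Status is the tamper and chain check: HashMismatch means the file changed
    # after it was signed, NotSigned means there is no signature at all, and
    # NotTrusted or UnknownError mean the chain did not validate to a trusted CA.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        return [pscustomobject]@{
            Path        = $Path
            SignatureOk = $false
            Reason      = "Status $($sig.Status): $($sig.StatusMessage)"
        }
    }

    # A valid signature only proves that some certificate holder signed the
    # file. Compare the signer's common name with the publisher you expect.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer   = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    if ($signer -ne $ExpectedPublisher) {
        return [pscustomobject]@{
            Path        = $Path
            SignatureOk = $false
            Reason      = "Valid signature, but signed by '$signer'"
        }
    }

    # SignatureOk means "unmodified since signing, from the expected publisher".
    # It says nothing about whether the signed code itself is safe.
    return [pscustomobject]@{
        Path        = $Path
        SignatureOk = $true
        Reason      = "Valid signature from '$signer'"
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

# Placeholder values: substitute the downloaded file and the publisher name.
Test-InstallerSignature -Path '.\downloaded-installer.exe' -ExpectedPublisher 'EXPECTED PUBLISHER NAME'
```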

Some important security educational links:

Authenticode: https://msdn.microsoft.com/en-us/library/ms172240.aspx
What is Code Signing (general term for what Authenticode does): https://en.wikipedia.org/wiki/Code_signing
OpenSSL (One of the biggest security issues in recent history): http://heartbleed.com/
What is a zero day vulnerability?: https://en.wikipedia.org/wiki/Zero-day_(computing)

We highly recommend that your organization implement a security policy that fits your needs. Security breaches can happen even after you download and install our file and can include a plethora of security concerns. Again, the Authenticode technology that we use, along with your security technologies, is the best way to prevent any attack on your electronic devices.

“Say NO to any company that offers or markets 100% security”
and
“Always check your Windows/browser security prompts for Publisher Names”