CertLock enters into the victim\u2019s system by bundling itself with other free software. On an infected system, when the user tries to access their installed security software, they come across an error message saying that the access is blocked by Windows. The malware also blocks new installation of security programs in infected systems. Without any security, these systems are left defenseless and hence stay completely at the mercy of the attacker.<\/p>\n
CertLock manipulates the Windows feature of system certificates. These certificates are trusted by the operating system and can be used by applications to make themselves trustworthy. In this case, the attacker added certificates of the security software to a special registry of Windows, which prevents programs signed with that certificate from getting executed on the system.<\/p>\n
These certificates are added under the below registry entry:<\/p>\n
- \n
- HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates<\/li>\n<\/ul>\n
A certificate’s key is added to the above registry with a certificate value in a blob.<\/p>\n
Any software with certificates registered under the above key is not recognized as a trusted publisher and this prevents its installation or execution in the infected machine.<\/p>\n
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/CertLock.jpg\")
Fig 1. Added security vendor\u2019s certificates<\/figcaption><\/figure>\n Quick Heal Detection<\/strong><\/p>\n
CertLock does not affect the functioning of an installed Quick Heal product in a computer nor can it block any new installations.<\/p>\n
![\"certlock1\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/CertLock1.jpg\")