MarkjSBS
Level 2

PCI compliant file size verification

I am in the middle of my PCI-DSS audit and the QSA is asking how I verify that the binaries have not been modified in my installer package. We build the installation package and post it to our web site. The customer downloads and installs. PCI is looking for a check the customer can do to verify the file has not been manipulated and malware added. We can use an MD5 tool on our end to create a hash and they can run the same tool on the installation package, but this is too much work for everyone. Does InstallShield have a way to check for mods to the installer package at run time?
MichaelU
Level 12 Flexeran

This (the verification; I'm unsure about the specific audits) is often done with digital signatures, and works most simply when you build a compressed setup, as only the outermost file's (your.msi or setup.exe) signature must be verified. Generally when a file is downloaded with IE, it gets marked to present and have the user verify this information as well. Of course this is even more obvious on Vista and later with UAC prompts.
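The check the reply describes, as an added example that is not part of the original thread and not InstallShield's own tooling: a customer-side PowerShell script that verifies the Authenticode signature on the outermost installer file, pins it to the expected publisher, and reads the download mark (Zone.Identifier stream) the reply mentions. It assumes Windows PowerShell, an installer at `.\setup.exe`, and a placeholder publisher name `CN=Example Publisher` that you would replace with your own certificate subject.

```powershell
# Added example (not from the original thread): customer-side verification of
# the outermost installer file before it is run.
# Assumptions: Windows PowerShell 3+, installer at .\setup.exe, and a
# placeholder expected signer subject "CN=Example Publisher".
param(
    [string]$Path = ".\setup.exe",
    [string]$ExpectedSignerCN = "CN=Example Publisher"   # placeholder, replace
)

function Test-InstallerSignature {
    param([string]$FilePath, [string]$ExpectedCN)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath

    # Status is 'Valid' only if the signature verifies and chains to a trusted
    # root; any other status (NotSigned, HashMismatch, ...) means do not install.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for $FilePath is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # A valid signature from some other publisher is still not yours, so pin
    # the signer subject rather than accepting any trusted signature.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedCN*") {
        Write-Warning "Signed by unexpected publisher: $subject"
        return $false
    }

    Write-Host "OK: $FilePath signed by '$subject' (thumbprint $($sig.SignerCertificate.Thumbprint))"
    return $true
}

function Get-DownloadZone {
    param([string]$FilePath)
    # Browsers on Windows attach a Zone.Identifier alternate data stream to
    # downloaded files; ZoneId=3 (Internet) is what drives the publisher prompt.
    try {
        $ads = Get-Content -Path $FilePath -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null   # no stream: file was not marked as downloaded
    }
    $line = $ads | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    if ($line) { return $line.Substring('ZoneId='.Length) }
    return $null
}

$zone = Get-DownloadZone -FilePath $Path
Write-Host "Zone.Identifier ZoneId: $(if ($zone) { $zone } else { 'none' })"
if (-not (Test-InstallerSignature -FilePath $Path -ExpectedCN $ExpectedSignerCN)) { exit 1 }
```

Run it as `.\Verify-Installer.ps1 -Path .\setup.exe -ExpectedSignerCN "CN=Your Company"`; a non-zero exit code means the package should not be installed.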