TeleVerify
Pro
ACTIVE PROFILESmart-Home IoT Jam2.4 GHz spectrum saturated by IoT devices
Deployment Pipeline

Secure daemon packaging & signing

ETW, WASAPI and raw-socket probing make the TeleVerify agent look like exactly the telemetry that endpoint-security suites flag as suspicious. The packaging flow below removes every cheap heuristic an EDR uses to score reputation — Authenticode chain of trust, least-privilege manifest, deterministic build provenance, and pre-submission to the major cloud AV reputation services.

Trust chain
Authenticode SHA-256 + RFC 3161 TSA
Runtime privilege
Standard user · no SYSTEM
Kernel surface
0 drivers · ETW user-mode only
Reputation seed
MS SmartScreen + Defender CSI
Step 01

Authenticode signing

PowerShell · signtool
# EV code-signing certificate on hardware token (eToken / YubiHSM)
signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 \
  /n "TeleVerify Inc." /a TeleVerifyAgent.exe
EV certificates earn immediate SmartScreen reputation, bypassing the multi-thousand-install warm-up window. Required for enterprise distribution.
Hash
SHA-256
Timestamp
RFC 3161 (counter-sig)
Step 02

Least-privilege manifest

The agent runs as asInvoker — no UAC prompt, no Administrator token. ETW kernel-logger sessions are opened against a pre-existing NT Kernel Logger session created by an MSI-installed scheduled task, so the runtime binary never needs SeDebugPrivilege.

app.manifest · embedded
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="TeleVerify.Agent"
                    version="4.2.1.0" processorArchitecture="amd64"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <!-- Win10 + Win11 only; never request legacy Vista compat -->
      <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
    </application>
  </compatibility>
</assembly>
Token
Standard user
Drivers
None
Outbound
443 only
Step 03

Deterministic build provenance

EDRs penalise binaries with random PE timestamps and unstable section layouts. Stamp the build with the commit's UNIX time and emit a SLSA v1.0 provenance attestation alongside the installer.

GitHub Actions · release.yml
- name: Build agent (reproducible)
  env:
    SOURCE_DATE_EPOCH: ${{ github.event.head_commit.timestamp_unix }}
  run: |
    cargo build --release --locked --target x86_64-pc-windows-msvc
    llvm-objcopy --strip-debug target/.../TeleVerifyAgent.exe

- name: Generate provenance
  uses: slsa-framework/slsa-github-generator@v2
  with:
    base-subjects-from-file: artifacts.intoto.jsonl
Step 04

Pre-seed AV reputation

Before the installer ever hits a customer endpoint, push the signed artefact through every major reputation engine. This converts "first-seen executable from an unknown vendor" (instant quarantine on Defender ASR rules) into a known-good hash.

Microsoft Defender
submit.microsoft.com/SecureBy default
Auto-cleared within 24h with EV signature
CrowdStrike Falcon
ts-api.crowdstrike.com/whitelist
Submit IOA exception + cert thumbprint
SentinelOne Singularity
Mgmt Console · Exclusions · Hash
Whitelist by Authenticode subject
VirusTotal Monitor Partner
monitor.virustotal.com
Continuous false-positive monitoring across 70+ engines
Step 05

MSI installer (no NSIS, no self-extractors)

Self-extracting EXEs and NSIS stubs are the single largest source of false positives because they share entropy patterns with malware droppers. Ship a signed MSI authored with WiX, register the agent as a scheduled task triggered at logon, and never write to %TEMP%from the installer.

WiX 4 · TeleVerify.wxs
<Package Name="TeleVerify Agent" Manufacturer="TeleVerify Inc."
         Version="4.2.1" UpgradeCode="d4b9...e2">

  <MediaTemplate EmbedCab="yes" CompressionLevel="high"/>

  <Feature Id="Agent" Title="Diagnostic Agent" Level="1">
    <Component Directory="INSTALLFOLDER" Guid="*">
      <File Source="TeleVerifyAgent.exe" KeyPath="yes"/>
      <!-- Scheduled task runs as the interactive user, NOT SYSTEM -->
      <util:ScheduledTask Id="TeleVerifyLogon"
          Name="TeleVerify Agent"
          UserId="INTERACTIVE"
          RunLevel="LeastPrivilege"
          Command="[INSTALLFOLDER]TeleVerifyAgent.exe"
          Trigger="AtLogOn"/>
    </Component>
  </Feature>

  <!-- Sign the MSI itself after build: signtool sign /a TeleVerify.msi -->
</Package>
Step 06

Capability declaration (Defender ASR-friendly)

Explicitly declare every sensitive API the agent touches so endpoint policies can be tuned once and forgotten. This list is published alongside the MSI for IT review.

ETW user-mode session
DPC/ISR timing via PerfInfo provider
Heuristic risk · Low — no kernel driver loaded
IAudioClient (WASAPI)
Read endpoint buffer padding
Heuristic risk · Low — read-only
ICMP Echo (raw socket)
RRUL unloaded baseline ping
Heuristic risk · Medium — sometimes flagged
GetIfTable2 / Wi-Fi WLAN API
Beacon / RSSI / channel collection
Heuristic risk · Low
WMI · Win32_PnPEntity
Enumerate USB-audio + BT endpoints
Heuristic risk · Low
HTTPS POST → telemetry.televerify.io
Encrypted upload of aggregated metrics only
Heuristic risk · None · pinned cert
Pre-release

IT-deployment checklist

References
Microsoft Authenticode specification · WiX Toolset v4 · SLSA v1.0 build provenance · Microsoft Defender ASR rule set (Sept 2026) · CrowdStrike Falcon IOA exception API v3 · VirusTotal Monitor partner program.