Secure daemon packaging & signing
ETW, WASAPI and raw-socket probing make the TeleVerify agent look like exactly the telemetry that endpoint-security suites flag as suspicious. The packaging flow below removes every cheap heuristic an EDR uses to score reputation — Authenticode chain of trust, least-privilege manifest, deterministic build provenance, and pre-submission to the major cloud AV reputation services.
Authenticode signing
# EV code-signing certificate on hardware token (eToken / YubiHSM) signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 \ /n "TeleVerify Inc." /a TeleVerifyAgent.exe
Least-privilege manifest
The agent runs as asInvoker — no UAC prompt, no Administrator token. ETW kernel-logger sessions are opened against a pre-existing NT Kernel Logger session created by an MSI-installed scheduled task, so the runtime binary never needs SeDebugPrivilege.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity type="win32" name="TeleVerify.Agent"
version="4.2.1.0" processorArchitecture="amd64"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<application>
<!-- Win10 + Win11 only; never request legacy Vista compat -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
</application>
</compatibility>
</assembly>Deterministic build provenance
EDRs penalise binaries with random PE timestamps and unstable section layouts. Stamp the build with the commit's UNIX time and emit a SLSA v1.0 provenance attestation alongside the installer.
- name: Build agent (reproducible)
env:
SOURCE_DATE_EPOCH: ${{ github.event.head_commit.timestamp_unix }}
run: |
cargo build --release --locked --target x86_64-pc-windows-msvc
llvm-objcopy --strip-debug target/.../TeleVerifyAgent.exe
- name: Generate provenance
uses: slsa-framework/slsa-github-generator@v2
with:
base-subjects-from-file: artifacts.intoto.jsonlPre-seed AV reputation
Before the installer ever hits a customer endpoint, push the signed artefact through every major reputation engine. This converts "first-seen executable from an unknown vendor" (instant quarantine on Defender ASR rules) into a known-good hash.
MSI installer (no NSIS, no self-extractors)
Self-extracting EXEs and NSIS stubs are the single largest source of false positives because they share entropy patterns with malware droppers. Ship a signed MSI authored with WiX, register the agent as a scheduled task triggered at logon, and never write to %TEMP%from the installer.
<Package Name="TeleVerify Agent" Manufacturer="TeleVerify Inc."
Version="4.2.1" UpgradeCode="d4b9...e2">
<MediaTemplate EmbedCab="yes" CompressionLevel="high"/>
<Feature Id="Agent" Title="Diagnostic Agent" Level="1">
<Component Directory="INSTALLFOLDER" Guid="*">
<File Source="TeleVerifyAgent.exe" KeyPath="yes"/>
<!-- Scheduled task runs as the interactive user, NOT SYSTEM -->
<util:ScheduledTask Id="TeleVerifyLogon"
Name="TeleVerify Agent"
UserId="INTERACTIVE"
RunLevel="LeastPrivilege"
Command="[INSTALLFOLDER]TeleVerifyAgent.exe"
Trigger="AtLogOn"/>
</Component>
</Feature>
<!-- Sign the MSI itself after build: signtool sign /a TeleVerify.msi -->
</Package>Capability declaration (Defender ASR-friendly)
Explicitly declare every sensitive API the agent touches so endpoint policies can be tuned once and forgotten. This list is published alongside the MSI for IT review.