@@ -5705,8 +5705,15 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uin

         }

         if (EC32(cert_hdr.length) != hlen) {

-            cli_dbgmsg("cli_checkfp_pe: unexpected authenticode data length\n");

-            return CL_VIRUS;

+            /* This is the case that MS13-098 aimed to address, but it got

+             * pushback to where the fix (not allowing additional, non-zero

+             * bytes in the security directory) is now opt-in via a registry

+             * key.  Given that most machines will treat these binaries as

+             * valid, we'll still parse the signature and just trust that

+             * our whitelist signatures are tailored enough to where any

+             * instances of this are reasonable (for instance, I saw one

+             * binary that appeared to use this to embed a license key.) */

+            cli_dbgmsg("cli_checkfp_pe: MS13-098 violation detected, but continuing on to verify certificate\n");

         }

         at = EC32(dirs[4].VirtualAddress) + sizeof(cert_hdr);