Why does windows installer needs to send information to crl.usertrust.com?

Niels · #1 November 22nd, 2008, 12:05 PM

Hello,

I hope that somebody can help me. I am using the firewall which is included in BitDefender Total Security 2009 and I saw a pop-up that msiexec.exe which is located in the system 32 windows subfolder that wanted to connect to . After a google search it seems that msiexec.exe is related to the windows installer. Why does it need to send information? I have blocked it. Can it cause any harm because I denied outbound connection for it?

Thanks in advance for answering,
Kind regards,
Niels

doktornotor · #2 November 22nd, 2008, 12:19 PM

To check the certificate the installer is signed with? And yes, it won't be able to verify the validity of the certificate if you block it.

Niels · #3 November 22nd, 2008, 12:25 PM

Hello doktornotor,

First I want to thank you for your prompt reply.
I wasn't installing anything at that moment. That is why I find it strange. Also normally windows installer is on my firewall white list so I assume that all necessary connections are allowed. Don't you think?

Kind regards,
Niels

doktornotor · #4 November 22nd, 2008, 12:33 PM

Well, the address contains Certificate Revocation List for the certificates issued by Usertrust Root CA. So... seriously, there's nothing malicious about this and there's absolutely no point in blocking such things.

Niels · #5 November 22nd, 2008, 06:47 PM

Hello doktornotor,

Thanks again. The reason why is was worried because msiexec.exe made an connection to different ip-addresses.

Kind regards,
Niels

JRViejo · #6 November 23rd, 2008, 08:22 PM

Niels, you could check to see if the Windows Installer service is set to Automatic, via your Control Panel > Administrative Tools > Computer Management > Services and Applications > Services.

If it is, set it to Manual (don't disable it) and the connection attempts should stop. If already set on Manual, you should scan that .exe via VirusTotal or Jotti's Malware Scan for a second opinion.

Niels · #7 November 24th, 2008, 08:56 AM

Hello JRViejo,

Thank you very much for your reply. I really appreciate it. The windows installer services is set on automatic. I verified the ip-adresses and they were located in America so it would have something to do with Microsoft.

Kind regards,
Niels

JRViejo · #8 November 24th, 2008, 02:40 PM

Niels, you should set the Windows Installer Service to Manual and such setting only means that whenever you install a new program, the service will prompt you.

You can further verify those IP addresses via Whois.DomainTools.com to insure that they are indeed Microsoft's.

Niels · #9 November 25th, 2008, 06:16 AM

Hello JRViejo,

Sorry but I have made an mistake the windows installer service is already set on manual. It might be that I forgot it that I already changed it.
Does there exists a list of Microsoft ip-addresses? I will see if I find it.

These were the ip-addresses:
205.234.175.175
64.71.134.246
But I never saw Microsoft mentioned. I also looked them up on the internet.

Kind regards,
Niels

doktornotor · #10 November 25th, 2008, 06:35 AM

There's no point in limiting the addresses to the range used by MS, it needs to verify certificates which are NOT issued by MS, so it needs to connect to various certification authorities. This is perfectly normal and nothing to troubleshoot or mess with. Leave it as it is.

Niels · #11 November 25th, 2008, 06:46 AM

Hello doktornotor,

Thanks again for your very useful information. Now it seems clear for me.
I now see that I didn't mentioned that I already removed the block rule that I created after that I read your reply. Infact I was thinking about limiting to which range ip-addresses msiexec.exe can connect but I will not do it because of your last reply.

Kind regards,
Niels

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search