RCC - check your system's trusted root certificate store

Discussion in 'other anti-malware software' started by svenfaw, Feb 28, 2015.

  1. haakon

    haakon Guest

    You're lucky. I get this (note the scroll bar):

    [attached screenshot: RCCstrict.jpg]
     
  2. itsmeWario

    itsmeWario Guest

    Wow. The Government cert looks very suspect to me.
    What Windows did you use? (I use Win7 Pro SP1 x64)

    Can we remove all certs /strict found without getting problems?
     
  3. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    "Starfield Services" is Amazon. Do you use Amazon AWS?
    If not, you can remove it. The other two roots are old Microsoft stuff (not used by any modern Windows version) and can be removed. Removing/distrusting these certificates is not known to have any negative impact. However it would be wise to create a system restore point first, just in case.
     
  4. itsmeWario

    itsmeWario Guest

    I don't use any Amazon stuff.
    Thanks for your answer! I will follow these steps.
     
  5. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    This is correct, Windows trusts many obscure/rare root CAs, often with no good reason. In "strict" mode, RCC accurately detects them, but I'm working on another tool that will make analyzing and managing trusted roots much more convenient.
     
  6. flatfly

    flatfly Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    71
    Download page has finally moved to an HTTPS host. Good! :thumb:
     
  7. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Same here, tons of certificates, way too many to audit manually.

    Eagerly waiting...
     
  8. haakon

    haakon Guest

    There's something so warm and fuzzy about a trusted root cert from DIRECCION GENERAL DE LA POLICIA. Which expires in 2036. :D

    Ditto on the eagerly awaiting.
     
    Last edited by a moderator: Aug 15, 2016
  9. haakon

    haakon Guest

    Ditto on Hiltihome's "eagerly awaiting."

    @ all members so inclined to comment:

    I was thinking about outputting the RCC /strict data to a readable file and then just drilling through the cert mmc and deleting the most obvious "bad looking" ones.

    Good idea? Yes, no... Thanks.

    BTW - Win7x64
     
  10. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    I'm not going to delete or disable any of the certificates found in strict mode until I have evidence of evil.
    Here is a list of my report.
    If anyone wants to comment or audit, feel free to do......

     
  11. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    81
  12. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
  13. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    Just picking out a few interesting cases:

    Code:
    1. 3BC49F48F8F373A09C1EBDF85BB1C365C7D811B3: SecureSign RootCA11
    2. D2EDF88B41B6FE01461D6E2834EC7C8F6C77721E: Class 3 Primary CA
    3. 9C615C4D4D85103A5326C24DBAEAE4A2D2D5CC97: KEYNECTIS ROOT CA
    4. 23E594945195F2414803B4D564D2A3A3F5D88B8C: Thawte Server CA
    5. 2AC8D58B57CEBF2F49AFF2FC768F511462907A41: CA Disig
    6. D8C5388AB7301B1B6ED47AE645253A6F9F1A2761: SwissSign Gold CA - G2
    
    1,2,3: these were all inserted on 2016-01-26 18:45:23 UTC: perhaps you could see if there is some software installation that was done at that time
    4,5: these were both inserted on 2016-04-28 10:06:28 UTC: again, possibly due to some software install (Slovakia based?)
    6: a likely reason for this one could be if you use a Switzerland-based Web service - does that make sense?
     
  14. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    @svenfaw :
    THX for having a look in it.
    No software installation on either of the dates, at least none that I kept.
    I'm not using any Swiss web service, at least none that I pay for or am aware of.

    What's even more irritating is the vast amount of certificates inserted at 2015-11-30 10:16:05 UTC.
    No software installation, nor Windows updates, on this date...
     
  15. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    That's about the time the problem with Zemana occurred. Probably (directly or indirectly) related to that.

    Generally speaking, these are the most common ways that new roots can get inserted in the Windows cert store:
    - SSL handshake (check browsing history)
    - Software installation (check event logs)
    - Windows autoupdate (check event logs)
    - GPO (check event logs)
    - VBS / PowerShell script
    - Certutil.exe
    - Malware
     
  16. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    It's now part of the MS CTL, but is not used in the wild and increases your system's trust exposure.
    In fact RCC should only detect it when using the "strict" profile. This will be fixed in the next release.
     
  17. share98

    share98 Registered Member

    Joined:
    Dec 5, 2004
    Posts:
    36
    I ran this app today and below is what I received. What surprised me is that this was a brand new profile. First time on a clean machine and first install of FF (both release 48 and release 49b10). Any thoughts? Thank you.

    RCC 1.69.010 - (c) 2016 Firas Salem <@hexatomium> - All rights reserved.
    For continued use, consider making a donation or purchasing a license.

    Definitions updated: 2016-09-03

    *** Scanning Mozilla Firefox root CA store...

    SSD1: Symantec Class 3 Secure Server CA - G4 (in cert8.db store)

    SSD2: avast! Mail Scanner Root (in cert8.db store)

    SSD3: avast! Mail Scanner Root (in cert8.db store)

    SSD4: avast! Mail Scanner Root (in cert8.db store)

    SSD5: avast! Mail Scanner Root (in cert8.db store)

    SSD6: avast! Mail Scanner Root (in cert8.db store)

    The above root certificates are not part of an ordinary Firefox installation.
    While this does not always indicate a threat, they should be carefully reviewed and disabled if necessary.
     
  18. guest

    guest Guest

    This seems to be inserted by one of your Avast! products.
     
  19. share98

    share98 Registered Member

    Joined:
    Dec 5, 2004
    Posts:
    36
    Well a couple of things - this was a clean install of Windows and Firefox. I do not have Avast installed. I did a search on all files including the registry and have not found an occurrence of "avast!". I went through cert8.db with a hex editor and found nothing. Just plain strange.
     
  20. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    Not much time to respond right now, but a few thoughts come to mind.

    • Are you using Firefox Sync?
    • Make sure you don't have multiple cert8.db files on the system.
    • Were you using Avast products in the past, or on other machines?
    • Try renaming or deleting the cert8.db file to let Firefox create a new one, then scan again.
    • Did you post the full RCC output? If so, it seems RCC was not able to scan your OS roots for some reason.
    • Do you have any HIPS/anti-executable software installed?
    • What version of Windows is it?
     
  21. share98

    share98 Registered Member

    Joined:
    Dec 5, 2004
    Posts:
    36
    I deleted both cert8.db files - Mozilla and FossaMail. I then recreated the files and ran the program again. Magic. The problem is gone. Is it possible that simply visiting a web site I could get invalid certificates? For right now the problem is gone I will keep an eye on it. Thank you for your time.
     
  22. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    570
    Hi, I got two warnings. I didn't install anything during that time :doubt:. But a few hours before that Windows 10 was downloading some update (found using Resource Monitor), though it didn't list any.
     
  23. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    @sm1:

    Do you have McAfee software running on that machine? It seems a recent McAfee automatic update is the most likely culprit. Check the below article:

    https://kc.mcafee.com/corporate/index?page=content&id=KB87705

    In a nutshell, these 2 CAs are intermediates, not roots. RCC detects them because they appear to have been misplaced in your machine root store.
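    The two checks svenfaw describes above, that new roots appear in the machine store over time (post 15) and that intermediates sometimes land in the Root store by mistake (this post), can be scripted without RCC. The following is an added example, not RCC's code and not from anyone in this thread; the baseline CSV path and the -Export/-Baseline parameters are assumptions of the example.

```powershell
# Added example, not part of RCC. Run from an elevated PowerShell prompt.
# -Baseline and -Export are hypothetical names chosen for this script.
param(
    [string]$Baseline = "$env:USERPROFILE\root-baseline.csv",
    [switch]$Export
)

# Enumerate the machine root store (the "OS roots" RCC scans).
$roots = Get-ChildItem Cert:\LocalMachine\Root |
    Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter

if ($Export) {
    # Snapshot the current store so later runs can report what was added.
    $roots | Export-Csv -Path $Baseline -NoTypeInformation
    Write-Output "Wrote $($roots.Count) root entries to $Baseline"
    return
}

# Check 1: a root CA certificate is self-signed, so Subject equals Issuer.
# Anything else in this store is an intermediate (or leaf) that was
# misplaced here, which is exactly the McAfee case discussed above.
$misplaced = $roots | Where-Object { $_.Subject -ne $_.Issuer }
if ($misplaced) {
    Write-Output "Not self-signed (misplaced in the Root store):"
    $misplaced | Format-Table Thumbprint, Subject, Issuer -AutoSize
}

# Check 2: roots that were not present when the baseline was exported.
# NotBefore is the certificate's own validity start, not the insertion
# time, so correlate additions with event logs or install history.
if (Test-Path $Baseline) {
    $known = (Import-Csv $Baseline).Thumbprint
    $added = $roots | Where-Object { $known -notcontains $_.Thumbprint }
    if ($added) {
        Write-Output "Roots not present in baseline ($Baseline):"
        $added | Format-Table Thumbprint, Subject, NotAfter -AutoSize
    } else {
        Write-Output "No new roots since baseline."
    }
} else {
    Write-Output "No baseline found; run with -Export to create one."
}
```

    Create the baseline once on a known-good machine with -Export, then re-run the script periodically or after an unexplained RCC warning to see which thumbprints are new.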
     
  24. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    570
    @svenfaw thanks for the link :) I had McAfee installed till yesterday. Might be the uninstall did not remove the certificates. But I wonder how it got installed after I removed McAfee o_O? Might be it was not uninstalled properly and some McAfee components were updating. I had to try their removal tool and manually remove these certificates.
     
  25. itsmeWario

    itsmeWario Guest
