RCC - check your system's trusted root certificate store

This is exactly the kind of thing that should be merged into the autoruns tool in my opinion.

 

I respectfully disagree. What does this have to do with automatically-starting processes?
But I can see it being part of one of those "Internet Security" suites.

 

Autoruns is not just about automatically running processes.

 

@svenfaw, can you comment on these results? (It's an online-sandbox.)
Especially I'm talking about:

• Modifies proxy settings
• Contacts server (63.236.252.122, 172.227.13.245, 104.74.13.76, all of them belonging to Akamai CDN)

The other signatures are legit imo and not unexpected.

 

RCC does not contain any networking code, so something seems to be very wrong with these results. Have you tried other sandboxes?

EDIT: This sandbox service does not seem to be very reliable. Look at the below scan of pestudioprompt.exe (a well-known tool by Marc OCHSENMEIER) for instance: you will find the same strange 'network traffic' results. Too bad the report does not provide network captures, that would've been interesting.

https://www.hybrid-analysis.com/sam...edef37ad17eb0?environmentId=3#network-traffic

 

Actually it does (the "network.pcap" file).

 

Actually it does. Just at the top it says "Download PCAP".

I have also checked the VirusTotal report and it shows me this IP: 104.41.150.68
"nslookup" tells me "time.windows.com" uses this IP. Or actually "time.microsoft.akadns.net" does. Which is a domain used by Akamai. Mystery resolved, I say.

I guess .NET is syncing the time using NTP (port 123 with UDP). Though I did not yet look up the PCAP with Wireshark.

Edit: Woops, flatfly was faster...

 

"signature database appears to be out of date" I assume a paid version would include auto-updating?

 

Sure it would. However at this time I am not sure when, or even if, such a version will be released. I'm unfortunately sick currently, and need to slow down a little. I'll see if I can build and release a new minor version with updated signatures soon, though.

 

Version: 1.48 (build 196) is now available.
- Updated baselines
- Now also attempts to detect root certs that are capable of local HTTPS-injection / MitM (beta)

 

Excellent svenshaw and thank you...Do take care of yourself, I hope you can overcome your health issues soon...I will just check from time to time for news, I know you'll post when you have any and if you do ever make a pay for version I'll definitely buy it.

 

I just read about this:

http://hexatomium.github.io/2015/06/26/ms-very-quietly-adds-18-new-trusted-root-certs/
https://ma.ttias.be/the-broken-state-of-trust-in-root-certificates/

 

Thanks for the nice words, very appreciated - and sorry that I can't currently attend to this thread as I much as I would like.

 

Version 1.48, posted today, takes these changes into account.
However RCC will keep flagging these new certificates until they are fully acknowledged in the MS MCP official list.

(BTW, the first link you've mentioned is my own blog, in case this is not very clear)

 

It seems that there's a problem with RCC on my computer. It would pop up a console

RCC 1.49 [build 204] - (c) 2015 @hexatomium - All rights reserved.
For use in production and offline environments, contact cubaguy@gmail.com.

Security baselines updated: Sun, 28 Jun 2015 07:41:19 UTC


*** Scanning Windows root CA store... (Baseline selected: RCC1_STANDARD_MCP)​

and then disappeared itself without any alert.

System: Windows 8.1 Enterprise
Version: 1.49 (build 204)

 

Just want to say working fine on Win 8 x32.

 

The most likely cause for this issue is if PowerShell is missing or blocked. Can you check that?
As noted in the OP, RCC currently relies on PowerShell for the initial certificate store enumeration.

 

Yes it was clear to me, thanks.

 

Great tool, I would like to run this remotely throughout my Environment. What would be the best way? psexec is not working, are there any switches I can implement?

 

Thanks for your feedback!
Currently, scanning remote machines is not supported, but I will look into it (as time permits.)
In a domain environment, a simple alternative solution could be adding a line like this to your logon or startup scripts:

Code:

\\server1\AuditingTools\RCC\rcc.exe /y > \\server1\AuditingTools\RCC\Logs\%computername%.txt

However, do keep in mind that the certificate signature database embedded in RCC does not currently auto-update, and can eventually get obsolete. I will change the way this works in the future, though.

 

OK, Microsoft has been a little sloppy at maintaining their official documentation lately, so I think it's time for RCC to start using the currently deployed Windows CTL (349 entries as of today) rather than the outdated "official" MCP member list (413 entries, last updated almost a year ago) as its default baseline.

A new release will be available within a few days.

 

Finds something wrong with a Adguard CA

 

This is flagged as unusual (though not necessarily "wrong") because Adguard technically performs a MITM attack to decrypt and filter your HTTPS connections. Have a look at this page:
https://kb.adguard.com/index.php?/K...rt-for-https-connections-in-portable-browsers

Note that if you already know and are fine with that, then no action is required. Actually, a number of other security products also use that technique - even though whether this is a good idea or not is open to debate.

 

"Filtering support for https-connections in portable-browsers"

And so they use same implementation for IE 11? It is not a portable browser.

 

when I disable that function in adguard I get same results from rcc