RootIQ - A smart root certificate scanner and manager for Windows

RootIQ is a new and powerful solution for managing your trusted root certificates on Windows.


It offers a number of unique and powerful features:

• Provide an accurate view of roots trusted by your system (unlike certmgr / certlm.msc which only show currently cached roots)
  
  
• Run exposure analysis to identify suspicious and dormant roots (More detailed reports are on the todo list)
  
  
• Reduce exposure to unneeded roots by apply stricter root sets, such as Google/Mozilla trust stores
  
  
• View accurate country and owner entity information for each root, so you can further minimize your attack surface by distrusting unneeded ones

After years of development, a limited beta release is now available at www.metasudo.com.

It was initially inspired by the RCC tool (for those who remember it!), but is much more powerful in many ways. More information at www.metasudo.com.

The first commercial release (with regular signature updates) will be available soon.

 

@svenfaw

Very limited "Windows" target.

 

Flagged as trojan by Windows Defender:

 

It's a false positive, as it's got zero detections at VirusTotal. I can't link to the scan results as that's prohibited here, but you can test it for yourself it you want.

 

Microsoft seems to be the only one detecting it.

 

Thanks, I checked so I allowed it in Windows Defender, then VoodooShield chimed in.

 

Oh? You tested it with all known or at least the most commonly used security scanners? So Kaspersky, Malwarebytes, Norton, McAfee, Avira/AVG, Panda, TrendMicro, ESET, BitDefender, and all the others just let the program have free access? Wow! That's not good.

If an unknown program starts scanning and analyzing root certificates on any of my computers, I expect and want my security programs to start waving red flags!

Good for Microsoft Defender (and VoodooShield too)!

I think it important to note 2 things,

1. This program claims to quickly identify and distrust "unnecessary" and "unneeded" root certificates.
2. It is a "Beta" program and as noted on the "Pricing" page, it says, "Do not use on critical systems."

Not sure I want a 3rd party app telling me what is "unneeded" on my systems. I recommend that advice be heeded.

Personally, I believe Microsoft is the best authority and source for a tool to verify root certificates installed on Microsoft operating systems are legitimate. Therefore, if I feel the need to verify root certs, I'll stick with Sigcheck, written by the venerable Mark Russinovich and is a part of Sysinternals Tools. I like how it also provides the option to verify with VirusTotal, and of course, Sigcheck is "free".

Since W10 currently has 75% of the Windows market share globally, not sure I would say it is "very" limited.

 

That's based on a VirusTotal scan, which just scans files without launching them. So it does not test the behaviour based protection of antiviruses.

The detection from Microsoft was a false positive, which has been fixed now. As of right now, it's only detected at VirusTotal, by CrowdStrike Falcon, an AI based scanner which has issues with false positives.

I tested it against the following five antiviruses to see what alerts - if any, I would get when actually running RootIQ.

• 360 Total Security
• ESET Internet Security
• Kaspersky Security Cloud Free 2021
• Norton AntiVirus Plus
• Trend Maximum Security

Of the five antiviruses, four of then let it run and scan the root certificates with no warnings. The only antivirus which prevented it from scanning root certificates was Kaspersky. It let RootIQ launch, but as soon as I clicked the Analyze button, Kaspersky immediately terminated RootIQ, with no alerts or notifications at all.

As per my next post, it turns out that Kaspersky did not terminate it. It must just be a bug in RootIQ.

It's not actually an app I have a use for, but I thought it would be interesting to run it and see if any AVs detected it.

 

Reading certificates shouldn't be a red flag. Writing new certificate or editing current certificate should be.
Anyway not everybody runs AV on every computer they have for whatever reason they have. I guess this program is written for that scenario or for post-malware-detection analysis of OS.

 

That makes sense.

I've done some testing with more antiviruses and none flagged its behaviour. It turns out that Kaspersky did not terminate RootIQ, it's just a bug in the program. It also terminated with Kaspersky disabled.

 

"Scanning and analyzing" is what I said, not "reading". IMO, just "reading" is harmless, regardless what is doing it. But "analyzing" means this scanning program is running in memory and doing some serious snooping around. And since root certs are of significant importance, in terms of security, I think it important to be informed when that is happening.

Waving a red flag is just that, a warning of potentially "suspicious" behavior. The user should be informed but then given the option to proceed, or terminate before any changes, like writing new or modifying old certs, or any "phoning home" occurs.

Whoa! If you are suggesting "exceptions" should be made for those who are foolish enough to connect to the Internet without any AV whatsoever, then I totally disagree. If someone thinks they are so much smarter than the bad guys and therefore have a "it can't happen to me" attitude that they purposely disable all security, they are on their own!

 

A false positive is a false positive. I don't desire to ever see one. Calling it unknown is fair. Even blocking execution until it can be evaluated is fair. I would think flagging unknown programs as a trojan would be grounds for a lawsuit.

 

Nah! Not unless the target item can show the scanner knowingly tagged a safe program as malicious. So the safe program would have to show it has no malicious or nefarious intentions and it would have to show the scanner knows it is safe but tags it anyway.

 

I disagree. It would not be hard to demonstrate your program is not malicious. The scanner would not have to be guilty of knowing it was safe but tagging it anyway. Calling it a trojan without verifying it is a reckless thing to do when it is incorrect. Ideally someone like Microsoft should be seen as credible and could destroy the reputation of a small software company by making such an accusation. They should just tag it as unknown and if they want to block execution until it is known then so be it. You don't walk down the street and point out people as criminals just because you don't know them and they could be.

 

You can disagree all you want but that does not change the facts or reality or the law. There has to be "intent".

Reality and the facts are this - false positives happen all the time. In fact, they are so common that the anti-malware program testing laboratories have testing criterial and ratings and scoring categories specifically for false positives. If it was so easy, as you suggest, to sue the scanner, it would be happening all the time. But it is not. And why? Because there has to be "intent" to falsely accuse another of evil doings. "Mistakenly" accusing another of evil doing is not showing intent, thus, it is not illegal or grounds for a lawsuit.

And again, the facts are, no anti-malware program maker wants false positives either.

Exactly! So if they can prove the program is not malicious, and if the anti-malware program then refuses to fix the false positive (thus showing intent), then there may be grounds for a lawsuit.

 

RootIQ is not widely spread, is beta, analyses the Window root certificate store,
and is not digitally signed.
So what?

 

I assume SmartScreen did just that when it attempted to execute. That is unless it was disabled from doing so.

 

I am trying to figure out what this product provides that SysInternals SigCheck utility does not. A GUI perhaps?

 

They should tag it as unknown only if they don't recognize it. But in this case, it matched the signature/pattern of a specific threat, the "Trojan: Script/Wacatac.B!ml". So no, MS did the right thing by tagging it as it was identified.

They also did the right thing by quickly updating their databases to allow this program through, as Roger reported. I don't see how MS could be expected to do it better. The timestamp of the RotIQ.exe is 10/3/2020 - a Saturday night in whatever timezone the author is in. And Roger reported it fixed at 12:45AM today (my time) which is 10:45PM Sunday night Redmond time. That's pretty quick if you ask me - especially over a weekend - not to mention during COVID when 1/2 of the West Coast is on fire.

But of course, some expect nothing short of divine perfection from Microsoft, 100% of the time, day in and day out, year after year.

 

Because everyone else did.

 

So much conjecture...

Since I still have the file:

 

Hah. Bahh! Not THAT many.

But from the perspective of where Microsoft used to be and picked clean apart, as well as breached like sunday soap, then yes, Microsoft WD perfection is as best as it ever is been and continuing strides along those better lines.

Sorry couldn't resist that wide open window

 

I know you said analyzing, but I don't see how would they differ, because after reading files into process memory AV doesn't really know what is happening with data.

Windows allows other programs to read certs, so they don't have to manage their own cert stores just to do TLS connections. Even Chrome on Windows uses that (although they have some additional blocklist they filter certs through). Certs are public. Every program run on user accounts including elevated-Administrator, non-elevated-Administrator and standard user account can read certs.

 

Sorry, but I don't understand what you mean here. Most antimalware programs do indeed monitor what is going in memory - that is virtual memory (RAM plus the Page File data). That is how any antimalware solution worth its salt does behavior monitoring. They don't just rely on signature/definition files.

(1) That's not true. See Tarnak's post #6 above and note VoodooShield tagged RootIQ too.

(2) That's bad logic. Besides the fact we all know Windows Defender was not alone (and see VirusTotal below), it is bad logic to assume it is not possible for only one security program to be correct. Again, if we refer to the results of antimalware testing labs and, it can be seen that it is common for even the best solutions to miss threats.

If it were that easy to get it right 100% of the time, the entire world could just use the same one security program and be safe 100% of the time.

(3) Clearly this new "beta" version of RootIQ was not scanned with "every" program when it was first released. There could have been others but, like Microsoft, they already corrected it. It could have been just good timing by Tarnak. Point is, we don't know - but we do know to suggest WD was the only one was just an assumption based on biases dictating beliefs, not facts. ​

And the fact is Virus total results removed as per forum policy still this morning shows that CrowdStrike Falcon does not like RootIQ.exe either. So that is at least 3 different security programs that have alerted on this. So clearly "NOT" everyone else did!

It should be noted that Trojan:Win32/Wacatac.B!ml is a bit of nasty malware. And it is important to note that the bad guys are constantly modifying (mutating) existing malware for the sole purpose of disguising it enough so antimalware scanners skip over it. A lot of malware is self-mutating to avoid detection. Clearly, RootIQ presented enough characteristics of that Trojan to cause WD's, VoodooShield's, and CrowdStrike Falcon's ears to perk up.

It has been suggested it is a bad thing if only one, and not all scanners alert on a program. When dealing with a just released new program, it is not. In this case, it does appear to have been a mistake. A mistake Microsoft quickly corrected. Had Microsoft failed to promptly fix it, that would then be a bad thing.

To be clear, I am NOT suggesting false positives are acceptable. They are not - ever. But I am saying they are inevitable and upon occasion, unavoidable. And they sure are a whole lot better than false negatives!

How true.

 

I would say this software is malware free.

Scanned it on OPSWAT. Only Webroot SMB via static scanning detected it as malicious. Problem is Webroot SMB also detects everything as malicious. Dynamic scanning there that ran forever came up clean. Also note that OPSWAT also uses Kaspersky and Cloudstrike. Don't know why an installed version of these detecting anything but must be a FP.