RCC - check your system's trusted root certificate store

Discussion in 'other anti-malware software' started by svenfaw, Feb 28, 2015.

  1. wildafrica

    wildafrica Registered Member

    Joined:
    Jan 15, 2017
    Posts:
    10
    Location:
    EU
    Hello Svenfaw, please can you help me with suspect certificates? I ran RCC and it found some "interesting" items. Thank you.
     
  2. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    Sure, feel free to post the scan results.
     
  3. wildafrica

    wildafrica Registered Member

    Joined:
    Jan 15, 2017
    Posts:
    10
    Location:
    EU
    I do not know what I should post. One certificate is from Avast, but the second is something with the name of my PC. I made a repair installation of Windows now. There is something like that:

    Status : Scanned
    Object : HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D8D74871CA03F3C175BC9C349FC0D5C41A07959B\Blob
     
    Last edited by a moderator: Jul 2, 2017
  4. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    Hmm, this doesn't look like RCC output. Can you also post the RCC scan result?

    Meanwhile I could decode some of the information you posted, and it seems that the cert was generated on your machine on 2016-10-29.
    You could have a look at your Programs & Features control panel and check if any software was installed on that date (assuming it was not removed later on).
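The decoding svenfaw refers to above, as an added PowerShell example (not RCC's or svenfaw's own code): it reads a `Blob` value from the ROOT store's registry key, walks the serialized property records it contains, and pulls out the DER certificate so the same fields (subject, issuer, validity dates, key) can be inspected. The record layout it assumes is `UInt32 propId, UInt32 reserved, UInt32 length, byte[length] data`, with property 32 (CERT_CERT_PROP_ID) holding the certificate itself; the function names are mine, and the thumbprint in the usage line is the one from the Zemana log quoted earlier in this thread.

```powershell
# Added example (not RCC's code): decode a certificate from a Windows certificate-store
# registry Blob such as HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<sha1>\Blob.
# Reading HKLM needs no elevation.

function Get-CertificateFromRegistryBlob {
    param([Parameter(Mandatory)][byte[]]$Blob)

    # The Blob is a sequence of serialized property records:
    #   UInt32 propId, UInt32 reserved (observed as 1), UInt32 length, byte[length] data
    # Property 32 (CERT_CERT_PROP_ID) carries the DER-encoded certificate.
    $offset = 0
    while ($offset + 12 -le $Blob.Length) {
        $propId = [BitConverter]::ToUInt32($Blob, $offset)
        $length = [int][BitConverter]::ToUInt32($Blob, $offset + 8)
        $offset += 12
        if ($offset + $length -gt $Blob.Length) { throw "Malformed blob: record overruns buffer" }
        if ($propId -eq 32) {
            $der = New-Object byte[] $length
            [Array]::Copy($Blob, $offset, $der, 0, $length)
            # The leading comma stops PowerShell from unrolling the byte array into separate arguments.
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        }
        $offset += $length
    }
    throw "No certificate record (property 32) found in blob"
}

function Show-RootStoreEntry {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $key  = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$Thumbprint"
    $blob = (Get-ItemProperty -Path $key -Name Blob).Blob
    $cert = Get-CertificateFromRegistryBlob -Blob $blob

    # Sanity check: the key name should be the SHA-1 thumbprint of the certificate it stores.
    if ($cert.Thumbprint -ne $Thumbprint.ToUpperInvariant()) {
        Write-Warning "Key name $Thumbprint does not match decoded thumbprint $($cert.Thumbprint)"
    }

    # Key size lookup can fail for unusual key types; report $null rather than abort.
    $keySize = $null
    try { $keySize = $cert.PublicKey.Key.KeySize } catch { $keySize = $null }

    # Extended key usages written into the certificate (absent means "all purposes").
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $eku = if ($ekuExt) { ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ' } else { '(none: all purposes)' }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        NotBefore  = $cert.NotBefore.ToUniversalTime()
        NotAfter   = $cert.NotAfter.ToUniversalTime()
        KeyAlgo    = $cert.PublicKey.Oid.FriendlyName
        KeySize    = $keySize
        EKU        = $eku
    }
}

# Usage: the thumbprint from the Zemana log quoted earlier in this thread.
Show-RootStoreEntry -Thumbprint 'D8D74871CA03F3C175BC9C349FC0D5C41A07959B' | Format-List
```

A self-signed root whose subject is the local machine name and whose NotBefore is shortly after a software install is the pattern svenfaw describes; the store's own "time of insertion" is not part of the Blob, so this block only shows what the certificate itself says.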
     
  5. wildafrica

    wildafrica Registered Member

    Joined:
    Jan 15, 2017
    Posts:
    10
    Location:
    EU
    svenfaw

    It is not from RCC because I do not know where I can find the log from RCC... The log is from Zemana. I have no software in Programs & Features installed around 2016-10-29. As I wrote you, I have a "clean" install of Windows. I made something like a factory reset. I chose the option "remove all". So I hope you understand, because my English is not good.
     
  6. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,563
    The scan result of RCC should look like this:
    RCC_Scan Result.png
    You can copy the entries which are marked in red and post it here, as requested :)
     
  7. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    282
    Location:
    USA
    Hi, Svenfaw,

    Could you have a look at my results please? The first two items reappear after I delete them and are probably related to software I run. However, the last cert in the list worries me a bit. Its properties say "TW Government," although I don't knowingly run any software or visit sites from Taiwan. (I'm in the USA. A scan with the standard baseline yields nothing suspicious.)

    -------
    *** Scanning Windows root CA store... (Baseline selected: RCC2_WIN_STRICT)

    Number of roots in trust store: 47
    Number of roots in trust list: 360 (last modified 2017-04-19)

    Number of 'interesting' items: 3

    24A40A1F573643A67F0A4B0749F6A22BF28ABB6B: VeriSign Commercial Software Pub
    Time of insertion: 2017-03-08 19:25:39 UTC

    23E594945195F2414803B4D564D2A3A3F5D88B8C: Thawt
    Time of insertion: 2017-02-09 23:58:53 UTC

    F48B11BFDEABBE94542071E641DE6BBE882B40B9: Government Root Certification Aut
    Time of insertion: 2017-06-09 22:20:39 UTC


    The items highlighted above have not been seen in widespread use and are not
    required by Windows. Consider removing them to reduce your CA trust exposure.
     
  8. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    Hi,


    F48B11BFDEABBE94542071E641DE6BBE882B40B9 is not very commonly used for web server authentication.

    A more likely reason is that some files on your machine are authenticated by that root.
    By any chance, is your PC Asus or Acer? Both are Taiwan-based manufacturers.

    Or, another possibility is if you recently acquired a new device (such as a GPU, hard drive, motherboard, SSD, printer, smartphone, etc), some of which have Taiwan-made drivers.
     
  9. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    Hi,

    RCC does not save log files unless you explicitly redirect its output.
    OK, so you have reinstalled your system from scratch already. In that case, not much information is available to go much further.
    If a similar certificate ever reappears, I would be glad to take a deeper look.
     
  10. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    282
    Location:
    USA
    Thanks, Svenfaw -- yes, it's an Acer :D
     
  11. wildafrica

    wildafrica Registered Member

    Joined:
    Jan 15, 2017
    Posts:
    10
    Location:
    EU
    Svenfaw
    We do not understand each other. It is probably caused by my English. I "reinstalled" (factory reset) the PC but the certificate is in the PC now.
     
  12. Cazotte

    Cazotte Registered Member

    Joined:
    Mar 8, 2016
    Posts:
    7
    Dear Svenfaw, there are lots (28!) of “interesting” items here. What’s your opinion of that?
     
  13. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    OK, it was a misunderstanding indeed.
    More information would be needed to investigate:
    • Can you list the software you have installed in the first few days after the factory reset (if the list is not too big)?
    • What is your current security setup?
    • What is the brand of your PC?
    • Can you post the output of an RCC scan?
     
    Last edited: Jul 11, 2017
  14. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    Hmm this actually looks like an RCC detection bug. Most of those certificates should be OK (or at least, MS approved - whether they are actually required on a typical system is another matter). I will further investigate and see if I can find a fix.
     
    Last edited: Jul 11, 2017
  15. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    I have released a new version which has a fix for this issue. Do you get better results?

    Code:
     Version: 1.0.69.24
     SHA-256: 23fe54d37e5ac0e130992236c1be7a425d657da4b694bd34e78cf77319290dfb
    
     
  16. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,695
    Location:
    Mexico
    I get this hash:
    Code:
    SHA-256: EA15E66C6A3658FEBA2747E7830DAD27AB25B12656F82ADF5E082E22DD19C8FA
     
  17. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    I had uploaded an older build, sorry... I have just fixed it; should be OK now.
     
  18. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,563
    Yes, it is :)
    RCC-1.0.69.24.png
     
  19. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,695
    Location:
    Mexico
    Got these results:
    Code:
    RCC 1.0.69.24 - (c) 2017 Firas Salem <@hexatomium> -  All rights reserved.
    For continued use, consider making a donation or purchasing a license.
    
    Scanning baselines available: 2
    Definitions updated: 2017-06-25
    
    
    ***   Scanning Windows root CA store... (Baseline selected: RCC1_STD_MSCTL)
    
    Number of roots in trust store: 35
    Number of roots in trust list: 362
    
    Number of 'interesting' items: 1
    
    D23209AD23D314232174E40D7F9D62139786633A: Equifax Secure Certificate Authority
                           Time of insertion: 2017-05-25 05:31:48 UTC
    
    
    The items highlighted above might represent a security risk. It is highly
    recommended to review their purpose, and distrust them if appropriate.
    
    
    Hit any key to quit.
     
    Last edited: Jul 11, 2017
  20. zagmarfish

    zagmarfish Registered Member

    Joined:
    Feb 27, 2017
    Posts:
    10
    Location:
    europe
    Me too. Equifax is the only one considered as a potential security risk. Yet, this certificate seems updated. Weird.
     
  21. SKA

    SKA Registered Member

    Joined:
    Aug 2, 2002
    Posts:
    160
    Seems this Equifax cert is inserted by Google when you check Gmail using an email client or via webmail (using a browser).

    Gmail frequently rotates its mail servers /their SSL certs.

    Does anyone know how to delete this or other certs on a Windows 7 64-bit PC? What are the steps to do so?

    Thanks
    Ska
     
  22. Cazotte

    Cazotte Registered Member

    Joined:
    Mar 8, 2016
    Posts:
    7
    Now it outputs 1 interesting item, which is
    Code:
    D23209AD23D314232174E40D7F9D62139786633A: Equifax Secure Certificate Authority
    Time of insertion: 2017-04-18 21:48:12 UTC
    What should I do?
     
  23. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    The Equifax cert is based on weak crypto (RSA 1024) and was therefore revoked by its issuer in 2015.
    However, it seems that Microsoft has not removed it from their trust store yet, which is causing this confusion.
    As far as I know, it is no longer used by Google / Gmail.
     
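The check RCC performs in the scan output posted above (roots present in the store but absent from a baseline list) together with the weak-key point svenfaw makes about the Equifax root, as one added PowerShell example. This is not RCC's code and does not reproduce its baselines or its "time of insertion" field; it compares `Cert:\LocalMachine\Root` against a thumbprint file you maintain yourself (for instance exported from a freshly installed reference machine) and additionally flags RSA roots below a configurable key size. Function and parameter names are mine.

```powershell
# Added example (not RCC's code): audit the machine root store against your own baseline
# of expected SHA-1 thumbprints, and flag weak RSA keys as a second, baseline-independent signal.

function Get-RootStoreAudit {
    param(
        # One SHA-1 thumbprint per line. A baseline can be captured on a known-good machine with:
        #   Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint > root-baseline.txt
        [Parameter(Mandatory)][string]$BaselinePath,
        # RSA roots with fewer bits than this are reported (the Equifax root discussed above is 1024-bit).
        [int]$MinimumRsaBits = 2048
    )

    # Load the baseline into a hash set, ignoring blank lines and anything that is not a 40-hex thumbprint.
    $baseline = @{}
    Get-Content -Path $BaselinePath | ForEach-Object {
        $t = $_.Trim().ToUpperInvariant()
        if ($t -match '^[0-9A-F]{40}$') { $baseline[$t] = $true }
    }
    if ($baseline.Count -eq 0) { throw "Baseline file $BaselinePath contains no thumbprints" }

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\Root) {
        $keySize = $null
        try { $keySize = $cert.PublicKey.Key.KeySize } catch { $keySize = $null }
        $isRsa = ($cert.PublicKey.Oid.FriendlyName -eq 'RSA')

        $reasons = @()
        if (-not $baseline.ContainsKey($cert.Thumbprint)) { $reasons += 'not in baseline' }
        if ($isRsa -and $keySize -and ($keySize -lt $MinimumRsaBits)) { $reasons += "weak RSA key ($keySize bits)" }
        if ($reasons.Count -eq 0) { continue }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotBefore  = $cert.NotBefore.ToUniversalTime()
            NotAfter   = $cert.NotAfter.ToUniversalTime()
            KeyAlgo    = $cert.PublicKey.Oid.FriendlyName
            KeySize    = $keySize
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Usage: review each row before acting on it; a root can be legitimate yet absent from a small baseline.
Get-RootStoreAudit -BaselinePath .\root-baseline.txt | Format-Table -AutoSize
```

A root that is both outside the baseline and weak-keyed deserves attention first; one that is only outside the baseline is often explained by the vendor and driver roots mentioned earlier in this thread, which is why the output carries the subject and validity dates alongside the thumbprint.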
  24. SKA

    SKA Registered Member

    Joined:
    Aug 2, 2002
    Posts:
    160
    Dear Sven

    Thanks for explaining this cert. How to remove it? Will it break anything?
    What is puzzling is it was inserted only on 25/26 June 2017.

    Ska
     
  25. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    The recommended way to disable it is to create a System Restore snapshot, then drag the certificate to your "Untrusted" store in certlm.msc.
    Based on my testing and research there is no negative impact to disabling it.
    I believe the recent insertion timestamp is due to an issue with the Microsoft CTL, which still includes that certificate, so it probably gets re-inserted with each automatic CTL update.
     
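The procedure svenfaw recommends (restore point first, then move the root to the "Untrusted" store), as an added PowerShell example rather than anything from RCC or svenfaw; it uses the .NET X509Store API with the `Disallowed` store, which is what certlm.msc shows as "Untrusted Certificates", and a second function verifies the result. It must run from an elevated prompt, function names are mine, and the thumbprint in the usage lines is the Equifax root from the RCC output above.

```powershell
# Added example (not RCC's code): programmatic equivalent of dragging a root into the
# "Untrusted Certificates" store in certlm.msc. Run from an elevated PowerShell prompt.

function Disable-RootCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Thumbprint)

    $Thumbprint = $Thumbprint.ToUpperInvariant()
    $cert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No root with thumbprint $Thumbprint in Cert:\LocalMachine\Root" }

    if ($PSCmdlet.ShouldProcess("$($cert.Subject) [$Thumbprint]", "Move from Root to Disallowed")) {
        # Snapshot first, as recommended above. Checkpoint-Computer needs System Restore enabled and
        # recent Windows versions rate-limit it to one restore point per 24 hours, so treat failure as a warning.
        try {
            Checkpoint-Computer -Description "Before distrusting root $Thumbprint" -RestorePointType MODIFY_SETTINGS
        } catch {
            Write-Warning "Could not create a restore point: $($_.Exception.Message)"
        }

        $disallowed = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
        $root       = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
        try {
            $disallowed.Open('ReadWrite')
            $root.Open('ReadWrite')
            # Add to Disallowed before removing from Root: an entry in Disallowed is rejected by chain
            # building even if something later re-inserts the same certificate into Root.
            $disallowed.Add($cert)
            $root.Remove($cert)
        } finally {
            $disallowed.Close()
            $root.Close()
        }
    }
}

function Test-RootDistrusted {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $Thumbprint = $Thumbprint.ToUpperInvariant()
    $inRoot       = [bool](Get-ChildItem Cert:\LocalMachine\Root       | Where-Object Thumbprint -eq $Thumbprint)
    $inDisallowed = [bool](Get-ChildItem Cert:\LocalMachine\Disallowed | Where-Object Thumbprint -eq $Thumbprint)
    [pscustomobject]@{ Thumbprint = $Thumbprint; InRoot = $inRoot; InDisallowed = $inDisallowed }
}

# Usage: -WhatIf previews the action without touching either store; drop it to apply.
Disable-RootCertificate -Thumbprint 'D23209AD23D314232174E40D7F9D62139786633A' -WhatIf
Test-RootDistrusted     -Thumbprint 'D23209AD23D314232174E40D7F9D62139786633A'
```

Because the certificate is placed in `Disallowed` rather than merely deleted, the re-insertion that svenfaw attributes to automatic CTL updates does not restore trust: the Disallowed entry remains authoritative, and `Test-RootDistrusted` will keep reporting `InDisallowed = True` even if `InRoot` flips back to `True`.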