RCC - check your system's trusted root certificate store

Discussion in 'other anti-malware software' started by svenfaw, Feb 28, 2015.

  1. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,151
    Could you elaborate on what you mean by that? No signature check of nssckbi.dll being triggered? No sanity checks on cert8.db to detect corruption? Something else?
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,725
    Quite interesting what it has found:
     

    Attached Files:

  3. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    930
    svenfaw, any plans to allow checking a non-booted system when run from another active system like WinPE?
     
    Last edited: Mar 25, 2015
  4. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    Known issue:
    Make sure that Firefox is closed before running RCC - otherwise it will incorrectly give a clean report all the time. I will address this in the next build.

    I can't review and respond to all comments now due to lack of time, but will try to do so later this week.
     
  5. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    @RJK3:
    RE Palemoon: I'll have a look, but it should be feasible! Added to to-do list.
    RE hashes: The OP is not editable anymore. :( This is another reason why I should get my act together and give RCC its own little web page.

    @Tarnak: Fixed in next build, thanks for reporting this!

    @TheWindBringeth: Yes, I mean that nssckbi.dll can be tampered / patched with malicious root certs and Firefox will still happily load it, whether the digital signature is valid or not. I reported this to Mozilla, but haven't heard back from them so far.

    @Adric: I will consider this later, as time permits.
     
    Last edited: Mar 29, 2015
  6. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,151
    Thank you for the clarification. I don't recall a previous report of that particular issue, but other reports and personal experiences were enough to prepare me to not be surprised by this.

    A script launched/processed sigcheck -q -e -s -c of the Firefox programs folder adds a trivial delay to Firefox startup on my systems. I haven't yet looked into script driven use of your tool, but I intend to :)
     
  7. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Cheers :)
     
  8. girioni

    girioni Registered Member

    Joined:
    Mar 31, 2015
    Posts:
    11
    Just wondering, what are some other tools out there that scan root certificates for malicious items? Which of the big boys (BitDefender, McAfee, Symantec, etc) do it?
     
    Last edited: Mar 31, 2015
  9. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    • OK, I could finally update the SHA256 hash in the OP
    • Build 157 is the first build with ASLR and DEP enabled.
     
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,429
    I am not sure what you mean... As mentioned previously, I had run it on my XP system, but I don't think I was supposed to.

    Are, you saying it is OK, now... I can run this?
     
  11. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    No, sorry, XP is not currently supported. What I did is fix the inconsistent behavior.
     
    Last edited: Apr 2, 2015
  12. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    Last edited: Apr 2, 2015
  13. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,429
    That is what I thought...Thanks for the clarification. :thumb:
     
  14. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,097
    Location:
    UK
  15. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,097
    Location:
    UK
  16. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
  17. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,151
    Balance is better than burnout :)

    Not to encourage the latter, but in case you haven't yet come across it: https://sslbl.abuse.ch/blacklist/. A link itman kindly shared in another thread.

    Edit: I've come to question whether any of those are fingerprints you'd expect to see when scanning the certificate stores.
     
    Last edited: Apr 11, 2015
  18. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    I wasn't aware of this, thanks.
    However these are regular server certificates (not root).
    But if they somehow get forcefully added to the trusted root store (even though it wouldn't make much sense) RCC would still detect them.
     
  19. JimmyJames321

    JimmyJames321 Registered Member

    Joined:
    Apr 6, 2015
    Posts:
    47
    Svenfaw, great useful app you've made. Thanks.

    360TS flagged on it, but I've trusted it. My certificates are clean. Thanks and keep up the good work !
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
  21. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    Thanks for your feedback, always appreciated! Once a final release is ready, I will report the false positive to Qihoo.
     
  22. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    Yes, at this time the PowerShell dependency is needed, to get an exhaustive list of system-level trusted root certificates.
    It is not used to scan the Firefox store, though.
     
  23. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    Here's a quick recap of the upcoming feature (wish)list, as it is currently. I'm not saying everything will be implemented, though - that will be heavily dependent on how much more time I can afford to spend on this. Perhaps I should consider turning it into a paid product, to make development sustainable.
    • Graphical user interface
    • Support for portable Firefox
    • Support for Palemoon
    • Support for Java cert store
    • Automatic signature updates
    • Multiple security baselines
    • Support for custom signature lists
    • Remove PowerShell dependency
    • Resident/guard mode
    • Information panel
    • Recommended action
    • Support for Windows XP

    Comments / suggestions welcome!
     
  24. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    Nice little tool!

    I don't see any reason to support XP any longer.

    Maybe you can add the following to the todo list:
    * Release the source on GitHub
    * Cyberfox support (already seems to work but it shows Firefox instead of the correct name)
    * Ability to store/backup/export the current state and add an import function
    * Blacklist should be check against the list if there is already a suspect certificate installed
    * Autostart/Scheduler option (command list option) to e.g. check daily/weekly/... if there are updates available
    * Re-scan option after an update/new/old certificates are removed
    * Donation function/option via a small button (about?) to continue the project
    * Re-write the logic that it first detect if any of the Browsers/Java/.. is running instead of run the program and show a failure while xyz is currently running ....

    Thanks, keep up your good work. :thumb:
     
  25. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    97

    Why ?

    XP is always installed on the majority of my computers !
     
Loading...