RCC - check your system's trusted root certificate store

Discussion in 'other anti-malware software' started by svenfaw, Feb 28, 2015.

  1. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
  2. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,286
    Lucky you....I only have one computer. ;) Would be good to get it supported in XP.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,375
    Location:
    The Netherlands
    So what happens if you block PowerShell from running? Are the results of the scan not correct then? And BTW, a GUI would be nice.
     
  4. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,069
    Location:
    UK
    I think a donate button would be a good idea at this stage.
     
  5. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    As of the current version, correct results should not be expected if PowerShell is blocked or not present.
    A GUI is on the to-do list!
     
    Last edited: Apr 20, 2015
  6. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    Thanks, I will certainly consider this, or a paid (but affordable) edition with some extra features.
     
  7. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    I've posted a new build, which includes the latest Mozilla cert list (updated April 21).
    See top post for the download link and updated SHA1.
     
  8. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
  9. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    97
  10. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,109
    your point of view - but the majority of users are not familiar with any of the options in the system - one reason for installing any [d]crap[/d] antivirus software and going nuts:
    https://www.wilderssecurity.com/thre...r-ways-antivirus-software-lowers-your.375611/
    most antivirus software does not detect most adware by default; some need to sharpen detection, but that would cause other incidents.
    it depends on the author which systems he would support - at least XP is dead for common users, but with paid extended support there is nothing to moan about. although i dropped XP support for my small tools.

    @CHEFKOCH - ex-gulli?
     
  11. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,399
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,788
    Location:
    U.S.A.
    Question for svenfaw.

    When I run RCC on WIN 7 x64, SP1, it says the cert., Microsoft Time Stamping Service Root, is OK. This is the cert. issued to copyright (c) 1997 Microsoft Corp. According to this Microsoft link: https://support.microsoft.com/en-us/kb/293781 that cert is only valid for WIN XP and 2000. Win 7 uses the Thawte cert. for time stamping.

    If I delete the root cert. in question, it reappears at next boot. Appears this is getting refreshed for the daily crypto download? Anyway any insight on this appreciated.
     
  13. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,109
    auto-refresh afaik is only available since Windows 8 - it loads needed certs from Microsoft and others.

    i checked my certs in Windows 7 and i had plenty of revoked certs in the last tab.
    but interesting how much software installs some certs but doesn't remove them, incl. Binisoft Firewall Control, pity and shame.

    rcc has not found anything unusual after cleaning up.

    btw from time to time Microsoft Update delivers some root cert update.
     
  14. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,477
    Location:
    USA
    Running RCC /H I'm seeing this. Any thoughts about what might be problematic?

    RCC cert scan.jpg
     
  15. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    @itman:

    This cert (SHA1: 245C97DF7514E7CF2DF8BE72AE957B9E04741E85) is still part of the Windows CTL (Certificate Trust List) and MCP (Microsoft Certificate Program), which is why it gets re-installed if you just delete it, and RCC doesn't flag it as dangerous.

    However, as you correctly noted, it is not technically required by your OS, and has furthermore expired 15 years ago.

    If you don't want to trust it, try this instead of deleting it: Open certmgr.msc while logged on as an administrator, and drag and drop the certificate to your Untrusted Certificates container. This should remove the trust, and block automatic re-installation when you reboot your PC.

    Incidentally, the automatic update and re-installation of root certificates is why the total number of root certificates that your machine effectively trusts is NOT what you see in certmgr.msc, which only shows what is currently cached locally. The way Windows handles root certs is rather misleading and has become overly complex IMHO.
     
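    As an added example (not RCC's own code, and not a verbatim transcript of the procedure above), here is the same kind of audit and the "move it to Untrusted" step written in PowerShell. It assumes an elevated session, a hypothetical baseline-thumbprints.txt you populate yourself, and the Cert: provider's support for Move-Item (PowerShell 3.0 and later).

```powershell
# Added example, not RCC's code: audit LocalMachine root stores against a thumbprint
# baseline and optionally quarantine one root by moving it to Disallowed.
# baseline-thumbprints.txt is a hypothetical file: one SHA1 thumbprint per line.
param(
    [string]$BaselineFile = ".\baseline-thumbprints.txt",
    [string]$QuarantineThumbprint = ""   # optional: SHA1 thumbprint of a root to distrust
)

$Baseline = @{}
if (Test-Path $BaselineFile) {
    Get-Content $BaselineFile | ForEach-Object {
        $t = $_.Trim().ToUpper()
        if ($t) { $Baseline[$t] = $true }
    }
}

# Root = roots installed locally; AuthRoot = roots cached by Windows' automatic root update.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot'
$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $flags = @()
        # Baseline check is skipped when no baseline file was supplied.
        if ($Baseline.Count -gt 0 -and -not $Baseline.ContainsKey($cert.Thumbprint)) { $flags += 'NOT-IN-BASELINE' }
        if ($cert.NotAfter -lt (Get-Date)) { $flags += 'EXPIRED' }
        if ($cert.Subject -ne $cert.Issuer) { $flags += 'NOT-SELF-SIGNED' }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Flags      = ($flags -join ',')
            }
        }
    }
}
$findings | Format-Table -AutoSize

# Quarantine: Disallowed is the "Untrusted Certificates" container shown in certmgr.msc.
# Moving a root there removes its trust instead of merely deleting the cached copy.
if ($QuarantineThumbprint) {
    $tp = $QuarantineThumbprint.ToUpper() -replace '[^0-9A-F]', ''
    $path = "Cert:\LocalMachine\Root\$tp"
    if (Test-Path $path) {
        Move-Item -Path $path -Destination 'Cert:\LocalMachine\Disallowed'
        Write-Host "Moved $tp to Disallowed"
    } else {
        Write-Warning "No root with thumbprint $tp in LocalMachine\Root"
    }
}
```

    Note that, as the post above says, the Root and AuthRoot stores only show what is cached locally; roots that are in the CTL but have not yet been downloaded will not appear in this listing.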
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,859
    Location:
    Outer space
    Yes, Kaspersky as well, uninstalled it a long time ago and I never even enabled HTTPS scanning.
     
  17. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195

    I guess a bit more context would help us better understand these results.

    - Are you familiar with Scand.com? Do you use any products from that company? Can you think of a reason why they would need to add a root CA on your system? Also, it seems they are re-using the same private key across installations (as SuperFish did), which would be very bad.

    - I believe most of those certificates in your Firefox store are related to your COMODO Firewall installation. Although there does seem to be quite a lot of them.

    - The www.wilderssecurity.com cert is self-signed. By any chance, did you manually modify the trust flags for it?

    - By the way, are you sure this screenshot shows a run with /H? I would expect to see way more OS certs flagged - unless you did some serious cleanup already. (Please note that the /H parameter is case-sensitive)
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,788
    Location:
    U.S.A.
    Thanks. Already moved the cert. to Untrusted container.

    For what it is worth, I checked my CAPI2 log and I have been getting validation errors on that cert. for a while. Appears MS can't get their act together when it comes to their own certs. Also I have been getting Schannel event errors off and on for a while. Would not be surprised if they are due to that cert.
     
  19. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,477
    Location:
    USA
    Thanks for the reply. I've done some sorting; first off I discovered that I wasn't using the latest build of RCC - below is a screenshot with the results when running build 178 with the /H switch.

    RCC output.jpg
    The Scand cert turned out to be related to an old Outlook plugin I no longer use, so I removed the cert. I did not alter the wilders self-signed cert. I'm not sure yet about all of the other "interesting" certs. As you noted I currently use the Comodo firewall plus I've used other Comodo software in the past which perhaps explains the Comodo certs?

    Generally if you remove certs will the OS and the browser reacquire them if necessary or does it break things?
     
  20. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,109
    instead of posting pictures you can use the DOS pipe from the command console
    Code:
    rcc >rcc.log
    after some seconds hit <enter> again (see below why)
    possible result from the file rcc.log in the same folder as rcc.exe:
    Code:
    RCC 1.41 [build 178] - (c) 2015 @hexatomium - All rights reserved.
    For use in production and offline environments, contact cubaguy@gmail.com.
    
    Security baselines updated: Tue, 21 Apr 2015 19:35:46 GMT
    
    
    ***   Scanning Windows root CA store... (Baseline selected: RCC1_STANDARD_MCP)
    
    Number of root certificates currently trusted by this system: 337
    Number of unique root certificate thumbprints locally stored: 26
    
    [  OK  ]    Scan completed. No unusual root certificates found.
    
    
    Hit any key to quit.
    (same result with option /h)

    btw - i use firefox as portable - so it and profiles are not found at the regular path, is it possible to have an option for the profile path?
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,477
    Location:
    USA
    Thanks for the suggestion. Would that be more informative then the screenshots?
     
  22. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,109
    the DOS pipe detours all visible content to its target - here it is a logfile. content is the same but much simpler to copy&paste and much smaller than images. it is also possible to insert date and time (anything that is possible with batch) into the name.
    source: http://blogs.msdn.com/b/bill/archive/2009/02/13/file.aspx

    but i could not make rcc work with an echo input pipe
    Code:
    echo Y| rcc >rcc.log
    it got stuck.

    some option for it would be nice instead of waiting for "any key".
     
  23. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    Just added in the latest build: "/y" switch: exit immediately after scan has completed.

    You can use the following trick/workaround to get RCC to scan portable Firefox:
    Locate and copy Firefox files "cert8.db" and "nssckbi.dll" to the same folder as RCC, then run RCC. (Note: This will only work with build 189 and onwards)

    To-do: documenting the command-line options...
     
  24. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,109
    i will do so, thank you :)
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,375
    Location:
    The Netherlands
    OK thanks, the reason I asked is because I refuse to run powershell.exe because of security reasons. But as a workaround, I ran it inside the sandbox with Sandboxie, and RCC didn't find any problems.
     