RCC - check your system's trusted root certificate store

Discussion in 'other anti-malware software' started by svenfaw, Feb 28, 2015.

  1. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,912
    This is exactly the kind of thing that should be merged into the autoruns tool in my opinion.
     
  2. girioni

    girioni Registered Member

    Joined:
    Mar 31, 2015
    Posts:
    11
    I respectfully disagree. What does this have to do with automatically-starting processes?
    But I can see it being part of one of those "Internet Security" suites.
     
  3. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,912
    Autoruns is not just about automatically running processes.
     
  4. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    76
@svenfaw, can you comment on these results? (It's an online sandbox.)
    I'm especially referring to:
    • Modifies proxy settings
    • Contacts server (63.236.252.122, 172.227.13.245, 104.74.13.76, all of them belonging to Akamai CDN)
    The other signatures are legit imo and not unexpected.
     
    Last edited: May 11, 2015
  5. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    RCC does not contain any networking code, so something seems to be very wrong with these results. Have you tried other sandboxes?

    EDIT: This sandbox service does not seem to be very reliable. Look at the below scan of pestudioprompt.exe (a well-known tool by Marc OCHSENMEIER) for instance: you will find the same strange 'network traffic' results. Too bad the report does not provide network captures, that would've been interesting.

    https://www.hybrid-analysis.com/sam...edef37ad17eb0?environmentId=3#network-traffic
     
    Last edited: May 11, 2015
  6. flatfly

    flatfly Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    70
    Actually it does (the "network.pcap" file).
     
  7. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    76
    Actually it does. Just at the top it says "Download PCAP".

    I have also checked the VirusTotal report and it shows me this IP: 104.41.150.68
    "nslookup" tells me "time.windows.com" uses this IP. Or actually "time.microsoft.akadns.net" does. Which is a domain used by Akamai. Mystery resolved, I say. ;)

    I guess .NET is syncing the time using NTP (port 123 over UDP). Though I have not yet looked at the PCAP in Wireshark.

    Edit: Woops, flatfly was faster...
     
    Last edited: May 11, 2015
  8. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,069
    Location:
    UK
    "signature database appears to be out of date" I assume a paid version would include auto-updating?
     
  9. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    Sure it would. However at this time I am not sure when, or even if, such a version will be released. I'm unfortunately sick currently, and need to slow down a little. I'll see if I can build and release a new minor version with updated signatures soon, though.
     
    Last edited: May 23, 2015
  10. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    Version: 1.48 (build 196) is now available. :)
    - Updated baselines
    - Now also attempts to detect root certs that are capable of local HTTPS-injection / MitM (beta)
     
  11. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,069
    Location:
    UK
    Excellent, svenfaw, and thank you... Do take care of yourself, I hope you can overcome your health issues soon... I will just check from time to time for news, I know you'll post when you have any, and if you do ever make a pay-for version I'll definitely buy it.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,375
    Location:
    The Netherlands
  13. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    Thanks for the nice words, very appreciated - and sorry that I can't currently attend to this thread as much as I would like.
     
  14. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
  15. Explorare

    Explorare Registered Member

    Joined:
    Jun 28, 2015
    Posts:
    1
    It seems that there's a problem with RCC on my computer. It would pop up a console

    RCC 1.49 [build 204] - (c) 2015 @hexatomium - All rights reserved.
    For use in production and offline environments, contact cubaguy@gmail.com.

    Security baselines updated: Sun, 28 Jun 2015 07:41:19 UTC


    *** Scanning Windows root CA store... (Baseline selected: RCC1_STANDARD_MCP)

    and then disappeared itself without any alert.

    System: Windows 8.1 Enterprise
    Version: 1.49 (build 204)
     
    Last edited by a moderator: Jun 29, 2015
  16. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,069
    Location:
    UK
    Just want to say working fine on Win 8 x32.
     
  17. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    The most likely cause for this issue is if PowerShell is missing or blocked. Can you check that?
    As noted in the OP, RCC currently relies on PowerShell for the initial certificate store enumeration.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,375
    Location:
    The Netherlands
    Yes it was clear to me, thanks. :thumb:
     
  19. DoryS

    DoryS Registered Member

    Joined:
    Jul 8, 2015
    Posts:
    1
    Great tool, I would like to run this remotely throughout my environment. What would be the best way? psexec is not working; are there any switches I can use?
     
  20. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    Thanks for your feedback!
    Currently, scanning remote machines is not supported, but I will look into it (as time permits.)
    In a domain environment, a simple alternative solution could be adding a line like this to your logon or startup scripts:

    Code:
    \\server1\AuditingTools\RCC\rcc.exe /y > \\server1\AuditingTools\RCC\Logs\%computername%.txt
    
    However, do keep in mind that the certificate signature database embedded in RCC does not currently auto-update, and can eventually get obsolete. I will change the way this works in the future, though.
     
    Last edited: Jul 9, 2015
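The approach sketched in the post above (a scan launched from a domain logon or startup script that writes one report per machine) can be approximated with PowerShell, the same facility RCC uses for its initial store enumeration, and extended with the check added in 1.48: a trusted root whose private key lives on the local machine is exactly what an HTTPS-filtering proxy needs to mint per-site certificates on the fly. The script below is an added example and not RCC's code; the share paths, the baseline file format (one SHA-1 thumbprint per line, generated on a known-good machine) and the output layout are assumptions:

```powershell
# Added example (not RCC code). Audits the Windows root stores against a baseline
# thumbprint list and flags roots that could be used for local HTTPS interception.
# Assumed locations; adjust to your share. The baseline file holds one SHA-1
# thumbprint per line and can be produced on a clean reference machine with:
#   Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object Thumbprint | Set-Content baseline.txt
$BaselinePath = "\\server1\AuditingTools\RCC\baseline-thumbprints.txt"
$LogPath      = "\\server1\AuditingTools\RCC\Logs\$env:COMPUTERNAME.txt"

# CurrentUser\Root is writable without admin rights, so it is checked alongside the
# machine store: a per-user root is a common place for an injected CA to hide.
$Stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$Baseline = @{}
if (Test-Path $BaselinePath) {
    Get-Content $BaselinePath | Where-Object { $_.Trim() } |
        ForEach-Object { $Baseline[$_.Trim().ToUpperInvariant()] = $true }
} else {
    Write-Warning "Baseline file not found; every root will be reported as unknown."
}

$Findings = foreach ($Store in $Stores) {
    foreach ($Cert in Get-ChildItem $Store) {
        $Reasons = @()
        if (-not $Baseline.ContainsKey($Cert.Thumbprint.ToUpperInvariant())) {
            $Reasons += 'not in baseline'
        }
        # A root CA whose private key is accessible on this host can sign a certificate
        # for any site; Adguard-style HTTPS filters and some AV products rely on this.
        if ($Cert.HasPrivateKey) {
            $Reasons += 'private key present (local HTTPS interception possible)'
        }
        if ($Cert.NotAfter -lt (Get-Date)) {
            $Reasons += 'expired'
        }
        if ($Reasons.Count -gt 0) {
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Store      = $Store
                Subject    = $Cert.Subject
                Thumbprint = $Cert.Thumbprint
                NotAfter   = $Cert.NotAfter.ToString('u')
                Reasons    = ($Reasons -join '; ')
            }
        }
    }
}

# One report per machine, overwritten on each run so the share shows current state.
$Report = @("Root store audit $(Get-Date -Format u) on $env:COMPUTERNAME")
if ($Findings) {
    $Report += ($Findings | Format-Table -AutoSize | Out-String -Width 300)
} else {
    $Report += 'No unknown, private-key-bearing or expired roots found.'
}
$Report | Set-Content -Path $LogPath
$Report
```

Two caveats apply when reading the output. `HasPrivateKey` only sees keys the Windows CryptoAPI/CNG key stores expose to the account running the script, so a product that keeps its signing key elsewhere will not be flagged by that check and will only show up as "not in baseline". And because Windows itself pulls new roots from the Microsoft CTL on demand, "not in baseline" hits accumulate after root-program updates; the baseline file has to be regenerated from a reference machine at the same cadence, which is the same staleness problem the embedded signature database has.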
  21. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    OK, Microsoft has been a little sloppy at maintaining their official documentation lately, so I think it's time for RCC to start using the currently deployed Windows CTL (349 entries as of today) rather than the outdated "official" MCP member list (413 entries, last updated almost a year ago) as its default baseline.

    A new release will be available within a few days.
     
    Last edited: Jul 18, 2015
  22. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,399
    [Screenshot: ScreenHunter_02 Jul. 19 10.19.jpg] Finds something wrong with an Adguard CA
     
  23. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    195
    This is flagged as unusual (though not necessarily "wrong") because Adguard technically performs a MITM attack to decrypt and filter your HTTPS connections. Have a look at this page:
    https://kb.adguard.com/index.php?/K...rt-for-https-connections-in-portable-browsers

    Note that if you already know and are fine with that, then no action is required. Actually, a number of other security products also use that technique - even though whether this is a good idea or not is open to debate.
     
    Last edited: Jul 19, 2015
  24. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,399
    "Filtering support for https-connections in portable-browsers"

    And so they use same implementation for IE 11? It is not a portable browser.
     
  25. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,399
    When I disable that function in Adguard I get the same results from RCC.
     