RCC - check your system's trusted root certificate store

Discussion in 'other anti-malware software' started by svenfaw, Feb 28, 2015.

  1. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Any news on the Symantec certificate? (this version still reports it)
     
  2. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    No news so far. However I plan to approve the cert in the next build, based on the following facts:

    - By all accounts it appears to be part of a default Win10 install

    - Verified to be a legit Symantec cert as per
    https://knowledge.symantec.com/support/code-signing-support/index?page=content&id=SO20770

    - Windows already trusts other Symantec root certs

    - Can be used for Code Signing only

    To me the above is sufficient justification to whitelist it in RCC.
    Of course if there are any thoughts about this please chime in.
     
    Last edited: Dec 1, 2015
  3. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
Strange things are going on...

    Today I scanned my office machine again, and RCC found no "interesting" certificates.

I took a notebook that was never used for any experiments and that is running WIN7, Office, Chrome and AVIRA.
    Scanned with RCC, last build, and found no interesting certificates.
    Scanned with Zemana Antimalware 2.18.2.519 portable, no detection.
    Scanned again with RCC and TADA: 90 interesting certificates, inserted a minute ago, all the same that I had on my office machine.

Any opinion what's going on here?
     
  4. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    I'm not familiar with Zemana... Does it touch certificates in any way? Did you also have it running on your office machine at some point?
     
  5. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    I had Zemana portable run from time to time on my office machine.
    It scans for bad certificates, but only found my self signed certificate.
    So yes, it touches the certificate store, but should not alter it, or even insert certificates. Did it?
     
  6. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    Too early to tell. We would need more information to be sure.

    Does Zemana require admin rights to run?

    If you really want to be sure, one good way would be to repeat the test on a clean system and monitor registry accesses during the Zemana scan.
    Using ProcessMonitor if you're experienced with that, for instance.
     
    Last edited: Dec 3, 2015
  7. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Yes, Zemana opens a UAC prompt.
    All certificates are in the certificate store.

I will set up a WIN7-64 system; that doesn't take long for me, because I have a setup stick with all updates included.
    I will do a reg shot and start Zemana, while running ProcessMonitor.

    But I can't do it right now, because of limited time.
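A lighter way to do the before/after check these two posts describe (snapshot, run the scanner, compare) than a full reg shot, as an added example that is not part of the thread, of RCC or of Zemana: it records both Windows root stores to a file and later diffs the live stores against that file. It assumes PowerShell 3 or later with the Cert: provider; the file path is a placeholder.

```powershell
# Added example (not RCC or Zemana code): snapshot the trusted root stores,
# run the tool under test, then diff to see which roots were added or removed.
# Assumes PowerShell 3+; the baseline path used in the usage lines is a placeholder.

function Get-RootStoreSnapshot {
    # Both stores matter: a process without admin rights cannot touch
    # LocalMachine\Root but can still write into CurrentUser\Root.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
            }
        }
    }
}

function Save-RootStoreSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # Export-Clixml keeps the property values intact for a later Import-Clixml.
    Get-RootStoreSnapshot | Export-Clixml -Path $Path
}

function Compare-RootStoreSnapshot {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $before = Import-Clixml -Path $BaselinePath
    $after  = Get-RootStoreSnapshot
    # Key on store + thumbprint so the same CA present in both stores is
    # tracked separately; -PassThru keeps the full object for reporting.
    $diff = Compare-Object -ReferenceObject $before -DifferenceObject $after `
                           -Property Store, Thumbprint -PassThru
    foreach ($entry in $diff) {
        [pscustomobject]@{
            Change     = if ($entry.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            Store      = $entry.Store
            Thumbprint = $entry.Thumbprint
            Subject    = $entry.Subject
            NotAfter   = $entry.NotAfter
        }
    }
}

# Usage (path is a placeholder):
#   Save-RootStoreSnapshot -Path C:\temp\root-baseline.xml      # before the scan
#   ... run the scanner under test ...
#   Compare-RootStoreSnapshot -BaselinePath C:\temp\root-baseline.xml | Format-Table
```

An empty result means nothing changed in either root store; any ADDED row gives you the thumbprint to look up and the store it landed in, which also tells you whether admin rights were needed for the write.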
     
  8. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    The architect of Zemana Antimalware is active on this forum (see the topic dedicated to this software); you might ask him.

(I have a lifetime license and run ZAM in portable mode on my system; during my last RCC check only 2 certificates were reported: the Symantec one plus one other)
     
  9. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
Before I blow the whistle,
    can anyone confirm, or deny, that 90 "interesting" certificates appear in the certificate store after running ZAM?

    Today I tried on 5 machines and 4 of them had the dirty ninety after running ZAM portable.
     
  10. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Just tried after ZAM portable scan and no 90 here. I had the 90 before, not sure why, but none lately.
     
  11. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    Thanks, I have asked Emre to have a look into this.
     
  12. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
I ran ZAM portable, latest stable and latest beta, on several more randomly picked machines.

    Out of 9 machines, 7 were affected.

    So I pulled the trigger and asked in the ZAM thread.
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Just tried RCC for the first time now.
    Got the following 'interesting item': '4D18231F020E7A3E66B2B5B60DB5458FAFB6DE78: WinPrivacy 2 Time of insertion: 2015-09-12 09:28:13 UTC'
    WinPrivacy is a program from the WinPatrol stable - I believe it is an FP.
    Can it be whitelisted?
     
  14. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    I unfortunately don't have enough time to investigate it now, but basic support for whitelisting will be added into RCC soon.
     
  15. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    No response yet.
     
  16. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
It's really weird; I have seen it on one PC (32-bit, non-English), but not on another (64-bit, English).
     
  17. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Emre gives an explanation in the ZAM topic: #1474
     
  18. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    I'm afraid that explanation is incorrect. I've posted a reply over there.
     
  19. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Thanks.

    What would be the easiest way to remove those old certificates?
     
  20. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
  21. girioni

    girioni Registered Member

    Joined:
    Mar 31, 2015
    Posts:
    13
    Probably time for a little apology? :)
     
  22. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
  23. haakon

    haakon Guest

    @ svenfaw

    Thank you for RCC.

I think I've got all the stuff squared away between this and the ZAM threads. In the past six or so months I've run several versions of ZAM portable and installed trials, with one about 10 days ago with real-time enabled. All were fully uninstalled.

    I've just run RCC 1.55.246, Baseline RCC1_STD_MSCTL, 2015-11-28 which returned: [ OK ] No unusual root certificates found.

So, my understanding is that RCC is THE test in this assessment and my system did not suffer from Zemana's "oops" - correct?
     
  24. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    @haakon Yes, your system appears to be unaffected.
     
  25. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    291
    Hi, there is not much information available about this certificate yet. I have no Windows 10 system at hand but if you have time for that, you could try using Microsoft's Sigcheck utility to check if any system files are signed with this certificate.
     