Symantec's CCAPP.EXE contacts Verisign without my asking

Discussion in 'Port Explorer' started by Pigitus, Jun 29, 2004.

Thread Status:
Not open for further replies.
  1. Pigitus

    Pigitus Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    97
    Location:
    USA
    Hello,

    PE shows that C:\program files\common files\symantec shared\CCAPP.EXE contacts a verisign server (for instance, 64.94.110.11) everytime the computer is on. PID=192. TCP. Local port 3125. Remote port 80. Packets sent and received. I left a voice mail for the operator at Verisign in charge of that server: no response. It has been weeks now.

    CCAPP.EXE is important in controlling how Norton Antivirus 2003 runs (and I have NAV 2003's "autoprotect" on). However, I didn't know that my computer was contacting Verisign until I installed PE.

    There are many NAV users out there. Do you notice this phenomenon? Does Symantec have a contract with Verisign (both a computer security firm and a Internet registrar) to get CCAPP to exchange information with Verisign?

    Pigitus
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Could it be that Symantec use Verisign servers under contract for updates?

    I am sure Symantec users will comment :D

    Pilli
     
  3. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    784
    Location:
    UK
    Dear Pigitus,
    I run Symantec NIS and AV and yes ccapp.exe does connect with ctrl.verisign automatically, I was under the impression it was for auto updating. I did a trace on the address, I believe it was in Holland.
    I dont think it is unusual.
    Gordon
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Many applications contact Verisign as part of checks to ensure application integrity. The URLs crl.verisign.com and crl.verisign.net are used for certificate verification inquires... CRL = Certificate Revocation List. Digital certificates are used to sign many things - applications, websites, etc. Sometimes a certificate will be revoked if there was some compromise and it is learned that someone is digitally signing bad applications with legitimate certificates.

    Another time you may see connections to crl.verisign.net is if your browser is set to check for certificate revocations whenever a SSL based website (https:) is connected to. (IE has a setting to either enable or disable this functionality, for example, when dealing with secure websites. Certificate information is fairly large so often people on dialup disable this. On broadband is can take a couple seconds to pass the necessary information.)

    In any case, ccapp.exe is well known for contacting Verisign to check to see if any certificates used to sign the Symantec products have been revoked by the maker.

    A little blurb from Verisign (only article I could find quickly from Verisign. [​IMG] ):

    http://www.verisign.com/support/pr-crl.html
     
  5. Pigitus

    Pigitus Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    97
    Location:
    USA
    LowWaterMark,

    Thanks for your explanation and link. I'm reassured now that there is nothing terribly bad going on through this surreptitious connection that I only found out about through PE. As far as I am concerned, this thread can be closed now.

    Pigitus.
     
  6. plusaf

    plusaf Guest

    i don't care so much about what ccApp.exe is doing; i'm just mad as all heck that it and one other app gobble up about 80-85% of my system's resources, mostly cpu, for several minutes after i boot the system!

    this is intolerable and didn't happen until a few months ago.

    if symantec doesn't do something about this soon, i'm leaving for other virus and internet protection vendors!

    plusaf at plusaf dot com.
     
Thread Status:
Not open for further replies.