Why does Windows Installer need to send information to crl.usertrust.com?

Discussion in 'other firewalls' started by Niels, Nov 22, 2008.

Thread Status:
Not open for further replies.
  1. Niels

    Niels Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    466
    Location:
    Belgium
    Hello,

    I hope that somebody can help me. I am using the firewall which is included in BitDefender Total Security 2009, and I saw a pop-up saying that msiexec.exe, which is located in the Windows system32 subfolder, wanted to connect to . After a Google search, it seems that msiexec.exe is related to Windows Installer. Why does it need to send information? I have blocked it. Can it cause any harm because I denied the outbound connection for it?

    Thanks in advance for answering,
    Kind regards,
    Niels
     
  2. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    To check the certificate the installer is signed with? And yes, it won't be able to verify the validity of the certificate if you block it.
     
  3. Niels

    Niels Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    466
    Location:
    Belgium
    Hello doktornotor,

    First I want to thank you for your prompt reply.
    I wasn't installing anything at that moment. That is why I find it strange. Also, normally Windows Installer is on my firewall whitelist, so I assume that all necessary connections are allowed. Don't you think?

    Kind regards,
    Niels
     
  4. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, the address contains the Certificate Revocation List for the certificates issued by Usertrust Root CA. So... seriously, there's nothing malicious about this and there's absolutely no point in blocking such things.
     
  5. Niels

    Niels Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    466
    Location:
    Belgium
    Hello doktornotor,

    Thanks again. The reason why I was worried is that msiexec.exe made a connection to different IP addresses.

    Kind regards,
    Niels
     
  6. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,968
    Location:
    U.S.A.
    Niels, you could check to see if the Windows Installer service is set to Automatic, via your Control Panel > Administrative Tools > Computer Management > Services and Applications > Services.

    If it is, set it to Manual (don't disable it) and the connection attempts should stop. If already set on Manual, you should scan that .exe via VirusTotal or Jotti's Malware Scan for a second opinion.
     
  7. Niels

    Niels Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    466
    Location:
    Belgium
    Hello JRViejo,

    Thank you very much for your reply. I really appreciate it. The Windows Installer service is set to Automatic. I verified the IP addresses and they were located in America, so it would have something to do with Microsoft.

    Kind regards,
    Niels
     
  8. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,968
    Location:
    U.S.A.
    Niels, you should set the Windows Installer Service to Manual; that setting only means that whenever you install a new program, the service will prompt you.

    You can further verify those IP addresses via Whois.DomainTools.com to ensure that they are indeed Microsoft's.
     
  9. Niels

    Niels Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    466
    Location:
    Belgium
    Hello JRViejo,

    Sorry, but I have made a mistake: the Windows Installer service is already set to Manual. It might be that I forgot that I had already changed it.
    Does there exist a list of Microsoft IP addresses? I will see if I find it.

    These were the IP addresses:
    205.234.175.175
    64.71.134.246
    But I never saw Microsoft mentioned. I also looked them up on the internet.

    Kind regards,
    Niels
     
  10. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    There's no point in limiting the addresses to the range used by MS, it needs to verify certificates which are NOT issued by MS, so it needs to connect to various certification authorities. This is perfectly normal and nothing to troubleshoot or mess with. Leave it as it is.
     
  11. Niels

    Niels Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    466
    Location:
    Belgium
    Hello doktornotor,

    Thanks again for your very useful information. Now it seems clear to me.
    I now see that I didn't mention that I already removed the block rule that I created, after I read your reply. In fact, I was thinking about limiting the range of IP addresses msiexec.exe can connect to, but I will not do it because of your last reply.

    Kind regards,
    Niels
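
The behaviour doktornotor describes in posts 4 and 10, as an added example that is not part of the original thread: a PowerShell function that lists the CRL and Authority Information Access URLs embedded in the signing chain of a signed file, which are the hosts Windows may contact to validate it. The default file path is a hypothetical placeholder, and only the signer's chain is inspected, not the timestamp countersignature.

```powershell
# Added example. Assumption: the default $Path is a placeholder; point it at
# any Authenticode-signed .msi or .exe on the machine being examined.
param(
    [string]$Path = 'C:\path\to\installer.msi'
)

function Get-RevocationEndpoint {
    param([Parameter(Mandatory)][string]$FilePath)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    if (-not $sig.SignerCertificate) {
        Write-Warning "$FilePath has no Authenticode signer certificate (status: $($sig.Status))"
        return
    }

    # Build the chain with revocation checking off, so that running this
    # inspection does not itself trigger the CRL downloads being studied.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($sig.SignerCertificate)

    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        foreach ($ext in $cert.Extensions) {
            # 2.5.29.31         = CRL Distribution Points
            # 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP, CA issuers)
            if ($ext.Oid.Value -notin '2.5.29.31', '1.3.6.1.5.5.7.1.1') { continue }

            # Format($true) renders the extension as multi-line text that
            # contains one "URL=..." entry per distribution point.
            foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
                $url = $m.Groups[1].Value
                [pscustomobject]@{
                    Certificate = $cert.GetNameInfo('SimpleName', $false)
                    Extension   = $ext.Oid.FriendlyName
                    HostName    = ([uri]$url).Host
                    Url         = $url
                }
            }
        }
    }
}

Get-RevocationEndpoint -FilePath $Path |
    Sort-Object HostName, Url -Unique |
    Format-Table -AutoSize
```

The host names in the output can be compared with the destinations shown in a firewall prompt for msiexec.exe; they belong to whichever certification authority issued the publisher's certificate, which is why they are usually not Microsoft addresses.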
     