WIN 7 FW Cryptograhic Service Issue

I have tried various WIN 7 firewall outbound monitoring software add-ons and they plus native WIN 7 firewall outbound blocking and all have the same problem.

When using IE9 and I assume this also applies to earlier versions, WIN 7 firewall cryptographic service dials out to validate certificate authorities. I know it is CAs since I have checked the IP address it is trying to connect to. I have watched it do these connects using cryptograhic service however WIN 7 firewall plus the add-on's to it I have tried all block these CA validation dial outs. I have always created an outbound rule for cryptographic service, TCP ports 80, 443.

Is this a bug in WIN 7 or do one of those three sub-services cryptographic uses have to be set up as an outbound firewall rule? If the later, what the heck is the name of the service?

 

I found a postings by Heimdall in this forum on this subject.

Solution appears to be to either turn off CA root checking via Group Policy. I would imagine setting off the CA checking setting in IE advanced settings would accomplish the same thing. Neither of these are a good solution to me since I have already encountered rouge CAs on occasion. What Heidall does personally is allow the IP addesses for the encountered CAa. This is a pain since there are many and each IP has to throughly checked out. I believe he went though the CA certificates and extracted their urls and retrieved their corresponding IP addresses and built his firewall allow IP list for svchost.exe from that. That is a pain.

Hopefully, someone will come up with a better idea.

Also a classic example of why MS has outbound blocking for the Vista/WIN 7 firewall turned off by default.

 

After I posted this, I viewed a uTube video from the developer of Windows Firewall Control. Very interesting indeed. Appears he is the only one of these add-on Windows firewall software to recognize a global svchost.exe individual rule must be created listing the IP addresses of the Certificate Authorities separately. I might give that software a shot.