CIS 6.2 and redundant CRL (Certificate Revocation List) requests

Hello. After installing CIS 6.2 (a clean install, after first uninstalling 5.10) I’ve experienced some strange things: CryptSVC, through the host process (svchost), from time to time sends HTTP requests to Akamai CDN servers. A Wireshark dump showed me requests like this:

GET /pki/crl/products/tspca.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 13 May 2013 18:07:21 GMT
If-None-Match: "cfdea1b6450ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
 
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Mon, 13 May 2013 18:07:21 GMT
ETag: "cfdea1b6450ce1:0"
Cache-Control: max-age=900
Date: Sat, 13 Jul 2013 22:24:16 GMT
Connection: keep-alive 

The URL may vary:
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl
http://crl.microsoft.com/pki/crl/products/CSPCA.crl
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
but all from crl.microsoft.com.
OK, these are clearly CRL (Certificate Revocation List) requests, which Windows makes from time to time, and that’s not unusual. But with 6.2 it occurs every hour(!) since Windows logon, to the same URL. Again, with the previously installed CIS 5.10 these things did not occur.
I’m trying to “do some magic” like:

- Select Start » Control Panel.
- Double-click Internet Options.
- Select the Advanced tab.
- In the Security section, uncheck the Check for publisher's certificate revocation option.

But first, it's really a security hole, and second, it doesn't help. CRL requests still occur. I guess CIS 6.2 makes some requests to the MS Crypto API, am I right? What is it, a bug or a new security feature of CIS 6.2?

P.S. Windows 7 x64 with the latest updates (excluding IE 10 and RDP 8.0).
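
The hourly pattern described in the post above can be confirmed from a capture export by grouping CryptoAPI CRL fetches per URL and measuring the gaps between them. This is an added example, not part of the original thread; the tab-separated layout, the name `crl_polling` and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample (not data from the thread): one HTTP request per line,
# tab-separated as time, User-Agent, Host, URI, response status.
SAMPLE = """\
2013-07-13T19:24:10\tMicrosoft-CryptoAPI/6.1\tcrl.microsoft.com\t/pki/crl/products/tspca.crl\t304
2013-07-13T19:30:00\tMicrosoft-CryptoAPI/6.1\tcrl.microsoft.com\t/pki/crl/products/CodeSigPCA.crl\t200
2013-07-13T19:41:03\tMozilla/5.0\twww.example.test\t/index.html\t200
2013-07-13T20:24:12\tMicrosoft-CryptoAPI/6.1\tcrl.microsoft.com\t/pki/crl/products/tspca.crl\t304
2013-07-13T21:24:11\tMicrosoft-CryptoAPI/6.1\tcrl.microsoft.com\t/pki/crl/products/tspca.crl\t304
2013-07-13T22:24:16\tMicrosoft-CryptoAPI/6.1\tcrl.microsoft.com\t/pki/crl/products/tspca.crl\t304
"""


def crl_polling(export, period=3600, tolerance=120):
    """Group CryptoAPI CRL fetches by URL and report how regularly they repeat."""
    seen = defaultdict(list)
    for line in export.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue  # ignore malformed rows
        ts, agent, host, uri, status = parts
        # Keep only CRL downloads made by the Windows CryptoAPI client.
        if not agent.startswith("Microsoft-CryptoAPI/"):
            continue
        if not uri.lower().endswith(".crl"):
            continue
        seen[f"http://{host}{uri}"].append((datetime.fromisoformat(ts), status))

    report = {}
    for url, hits in seen.items():
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        gap = median(gaps) if gaps else None
        report[url] = {
            "requests": len(hits),
            # 304 = cached CRL revalidated, no CRL body transferred
            "not_modified": sum(1 for _, code in hits if code == "304"),
            "median_gap_s": gap,
            "periodic": gap is not None and abs(gap - period) <= tolerance,
        }
    return report


if __name__ == "__main__":
    for url, stats in crl_polling(SAMPLE).items():
        print(url, stats)
```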

Did you install the Comodo Dragon browser (which is also included in the CIS installer)? Then you may see CertSentry in action:

Thank you for the tips, but no, I didn’t install Comodo Browser, only CIS (FW+AV). I switched back to CIS 5, because it’s a bit annoying for me :frowning:

I also got CIS v6.2 when I re-installed my laptop and was not happy with it. After a complete uninstall of CIS and Dragon I had a lot of problems reaching SSL secured sites or, for instance, using Windows Update.
I saw a lot of connections from Windows services and applications to ??? in a “CLOSE_WAIT” state to address 178.255.87.3 / no-dns-yet.ccanet.co.uk on TCP 443 (using netstat -fb).
The certsentry DLLs still existed in the System32 and SysWoW64 directories, so it was not uninstalled :cry:

I had to manually unregister them using:
"%SystemRoot%\System32\regsvr32.exe" -u "%SystemRoot%\System32\certsentry.dll"
"%SystemRoot%\SysWoW64\regsvr32.exe" -u "%SystemRoot%\SysWoW64\certsentry.dll"
and then archive the DLLs for safekeeping and remove them from the System directories.

After a reboot I could browse SSL secured sites and download updates normally.

I do still wonder why CertSentry caused almost all SSL communication to fail on this laptop. It may have to do with the virus scanner - I tested Avira Avast and Bitdefender (not at the same time), and both have transparent proxy techniques (which is why I’m not keeping them) with a generated root certificate. Or it may be caused by OpenDNS, who knows…

IMHO CertSentry should at least have its own installer / uninstaller utility, so you can choose to remove it separately from other Comodo software and have a normal way to uninstall it if for some reason it is left behind after a Dragon / CIS uninstall.

Greetings,
Mick
Mod edit: Correction made, Captainsticks.

Correction: in my last post it should read Avast instead of Avira. Oops :-[

Corrected. :slight_smile: