ocsp digicert com

Hello

After a long time I decided to download Malwarebytes and scan my PC. Before I ran it I noticed a Norton submission:

Local or Remote Attacker 2

Offending URL ocsp.digicert.com

I know that NCW is not a malware detection, but this URL looks kinda suspicious.

Replies


Re: ocsp digicert com

Hi greendio:

Many of those Norton Community Watch submissions for ocsp.digicert.com are likely associated with validity checks for digital certificates via OCSP (Online Certificate Status Protocol).  If I go to Tools | Options | Advanced | Certificates in my Firefox ESR browser the default for checking the validity of digital certificates is OCSP (see image below).  According to the Wikipedia article Online Certificate Status Protocol Google Chrome is the only major browser that does not have OCSP certificate checking enabled by default.

From what I understand from that Wikipedia article, using OCSP for certificate checks is faster but less secure than using a certificate revocation list (CRL), which is defined as "a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should no longer be trusted."  The main differences between using OCSP and a CRL listed <here> in that article are:

  • Since an OCSP response contains less information than a typical certificate revocation list (CRL), it puts less burden on network and client resources.
  • Since an OCSP response has less data to parse, the client-side libraries that handle it can be less complex than those that handle CRLs.
  • OCSP discloses to the responder that a particular network host used a particular certificate at a particular time. OCSP does not mandate encryption, so other parties may intercept this information.

The 2017 in8sworld.net blog post Malwarebytes Flags Firefox as Malicious for Checking Certificates? includes a discussion about an incident in late 2016 where several Malwarebytes Premium users were reporting false positive detections by their Web Protection module for ocsp.digicert.com (see one FP submission <here>).  Malwarebytes quickly resolved the issue and stopped blocking Firefox submissions to ocsp.digicert.com, but that in8sworld blog points out that "if a website's certificate is stolen it can be used to impersonate that website and a web browser would not be able to tell the difference between the real website and a fake one... since OCSP is not encrypted it is possible for an interested party to intercept the communication and so, build a list of websites that a client visits".

Long story short - I'm not an expert in this area but I'm guessing that Norton Community Watch is probably just compiling background data on how often certificate checks are run with OCSP, and Symantec might even be cross-referencing details about those OCSP submissions to improve their own web browser protection and detection of expired/stolen certificates and malicious websites.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.8.0 * NS v22.14.0.54 * Malwarebytes Premium v3.5.1
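The OCSP request a browser sends to a responder such as ocsp.digicert.com is tiny and, as the post above notes, travels over plain HTTP. The following is an added example for this thread, not code from Norton, DigiCert or Malwarebytes: it builds an OCSP request in DER following the RFC 6960 structure, wraps it in the HTTP GET URL form browsers use, then parses that URL back the way a passive on-path observer or a log reviewer would, recovering the certificate serial number and issuer hashes (which is exactly the "which site did this client visit" disclosure the post describes). The issuer name hash, issuer key hash and serial are constructed stand-ins; no network connection is made.

```python
"""What an OCSP request reveals on the wire (added example, constructed inputs)."""
import base64
import hashlib
from urllib.parse import quote, unquote, urlsplit

# Hash algorithm OIDs used in CertID. RFC 5019 (the lightweight OCSP profile
# public CAs follow) requires SHA-1 here; with a 16-byte serial the base64 of
# the request then starts with "MFEw", which is what most real OCSP URLs show.
HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
SHA1_OID = "1.3.14.3.2.26"

# Constructed inputs. A real client hashes the issuer's DER-encoded Name and
# the issuer's subjectPublicKey bits, and takes the serial from the leaf cert.
ISSUER_NAME_HASH = hashlib.sha1(b"constructed issuer Name DER").digest()
ISSUER_KEY_HASH = hashlib.sha1(b"constructed issuer subjectPublicKey").digest()
SERIAL = 0x0C1E2F3A4B5C6D7E8F90A1B2C3D4E5F6  # constructed 16-byte serial


# --- minimal DER encoding (client side) -----------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # keep the INTEGER positive
        body = b"\x00" + body
    return tlv(0x02, body)

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)

def build_ocsp_request(issuer_name_hash, issuer_key_hash, serial, hash_oid=SHA1_OID):
    """OCSPRequest { tbsRequest { requestList { Request { CertID } } } }, unsigned."""
    alg = tlv(0x30, tlv(0x06, encode_oid(hash_oid)) + tlv(0x05, b""))
    cert_id = tlv(0x30, alg + tlv(0x04, issuer_name_hash)
                  + tlv(0x04, issuer_key_hash) + der_int(serial))
    request_list = tlv(0x30, tlv(0x30, cert_id))
    return tlv(0x30, tlv(0x30, request_list))

def ocsp_get_url(responder_url, request_der):
    """RFC 6960 A.1: GET {responder}/{url-encoded base64 of the DER request}."""
    return responder_url.rstrip("/") + "/" + quote(base64.b64encode(request_der).decode(), safe="")


# --- minimal DER decoding (what an observer of the plaintext URL sees) -----
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_seq(body):
    children, pos = [], 0
    while pos < len(body):
        tag, child, pos = read_tlv(body, pos)
        children.append((tag, child))
    return children

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_ocsp_request(der):
    tbs = read_seq(read_tlv(der)[1])[0][1]                          # optional signature ignored
    request_list = next(b for t, b in read_seq(tbs) if t == 0x30)   # skip [0] version / [1] name
    cert_id = read_seq(read_seq(request_list)[0][1])[0][1]
    alg, name_hash, key_hash, serial = read_seq(cert_id)
    oid = decode_oid(read_seq(alg[1])[0][1])
    return {"hash_alg": HASH_OIDS.get(oid, oid),
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            "serial": int.from_bytes(serial[1], "big")}

def parse_ocsp_get_url(url):
    parts = urlsplit(url)
    info = parse_ocsp_request(base64.b64decode(unquote(parts.path.rsplit("/", 1)[-1])))
    info["responder"] = parts.netloc
    return info

def demo():
    der = build_ocsp_request(ISSUER_NAME_HASH, ISSUER_KEY_HASH, SERIAL)
    url = ocsp_get_url("http://ocsp.digicert.com", der)
    return url, parse_ocsp_get_url(url)

if __name__ == "__main__":
    url, seen = demo()
    print(url)
    print(seen)
```

The serial plus issuer key hash identifies one certificate, and therefore the site the client was about to connect to; that is all a revocation check needs, and it is why a request to an OCSP responder from a browser or from Windows itself is routine rather than a sign of compromise.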


Re: ocsp digicert com

Thank you for your answer.

That's the first time I've seen a submission about ocsp.digicert.com. I had already seen this post about Malwarebytes before I posted. I can't really find much about it, so thanks again for the information.

But mostly when I google ocsp.digicert.com I can find "how to remove this malware". I didn't mention that the offending application for this OCSP submission is EXPLOERE.EXE.

I already scanned my PC and I can't see any detection, but I think it might be something dangerous.


Re: ocsp digicert com

greendio:

....But mostly when I google ocsp.digicert.com I can find "how to remove this malware". I didn't mention that the offending application for this OCSP submission is EXPLOERE.EXE.  I already scanned my PC and I can't see any detection, but I think it might be something dangerous.

Hi greendio:

If Norton was detecting malicious activity on your system then you should see a pop-up notification from the Norton icon in your system tray and/or your browser should display a block notification if you try to visit a known malicious web site. I can't check for similar NCW logs about ocsp.digicert.com in my Norton security history (Security | History | Show | Norton Community Watch) since I have NCW disabled (Settings | Administrative Settings | Norton Community Watch | OFF), but NCW is not very discriminant and tends to collect large amounts of data about all types of activity (malicious, suspicious and safe) on your computer.

I'm not sure if you mean explorer.exe (Windows Explorer) or iexplorer.exe (the Internet Explorer browser, which supports the OCSP protocol for certificate validation) so it might be helpful if you could post further details about these NCW submissions (e.g., is there one specific URL / domain name or executable file associated with these ocsp.digicert.com certificate validation checks)?  Do you have an ad blocker add-on installed in your browser (I use the Adblock Plus extension) to provide additional tracking and site blocking protection?

Hopefully one of the Norton Gurus or Symantec employees will jump into this thread to let you know if you have a legitimate reason to be concerned.  You can also try contacting Norton Customer Support via Live Chat at https://www.norton.com/chat, but I'm not sure how much their front-line support reps would know about the inner workings of NCW.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.8.0 * NS v22.14.0.54 * Malwarebytes Premium v3.5.1


Re: ocsp digicert com

Hi greendio:

... and I should add that if you search for ocsp.digicert.com on the Norton Safe Web site at https://safeweb.norton.com that the report at https://safeweb.norton.com/report/show?url=ocsp.digicert.com currently gives the digicert.com domain a Safe rating and lists them as a "Verified Business / Member of a Consumer Advocacy Group".
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.8.0 * NS v22.14.0.54 * Malwarebytes Premium v3.5.1


Re: ocsp digicert com

It's basically a submission like this https://community.norton.com/en/forums/remote-attacker-2 and the application explorer.exe is in the Windows folder, so it's Windows Explorer.

I'm not using any ad blocker or other extensions, and I can't see any ads popping up.


Re: ocsp digicert com

greendio:

It's basically a submission like this https://community.norton.com/en/forums/remote-attacker-2 and the application explorer.exe is in the Windows folder, so it's Windows Explorer....

Hi greendio:

Could you post a screenshot of your own NCW submission (see Andmike's instructions at How to post an image in the forums)?  "Basically" might not be relevant because the NCW detection shown <here> has the same detection name of Local or Remote Attacker 2 but the details are very different.  The quality of that .jpg image is very poor but it looks like an Intrusion Prevention submission about traffic through port 80, the application name is Internet Explorer (iexplorer.exe) and the "offending" URL looks like an oracle.com update server uploading a JavaSetup8u151.exe installer for the Java browser plugin (Java Runtime Environment 8 Build 151).  I don't see any mention of ocsp.digicert.com in that NCW submission.

Without more information, my best guess is that your computer submitted data about a security certificate to ocsp.digicert.com for validation, and digicert.com ran a validation check for the certificate and sent a response back to your computer using the OCSP protocol.  Norton's heuristic (behaviour-based) detection might have tagged this digicert.com response as a generic Local or Remote Attacker 2 detection because OCSP uses unencrypted (HTTP) connections instead of secure encrypted (HTTPS) connections.  That doesn't mean Norton real-time protection detected and blocked the download or launch of software with an invalid certificate (you can check at Security | History | Show | Download Insight) or that there is hidden malware on your computer intercepting data in these digicert.com submissions via a Man-in-the-Middle (MITM) attack; it probably just means that Norton doesn't like data being passed to and from digicert.com over an unencrypted HTTP connection.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.8.0 * NS v22.14.0.54 * Malwarebytes Premium v3.5.1


Re: ocsp digicert com

I mean it's not literally the same.

The offending URL is a little bigger, but I can't catch all of it in a screenshot.

I don't know if it's important, but this message popped up when I downloaded Malwarebytes (2 secs after Norton Insight about mb-setup).


Re: ocsp digicert com

Hi greendio:

NCW sends information like the SHA256 hash (the unique digital fingerprint of the file) for .exe executables back to Symantec for analysis. Norton's reputation rating for downloaded .exe files is based in part on the age of the file (release date) and the number of users in the wider Norton community who have already downloaded the same file to their computer, and Symantec compiles this information from NCW submissions.  Newly released installers tend to have a poorer reputation that improves over time as more Norton users download the file and send back information via NCW.

If you'd like more information about your installer, go to Security | History | Show | Download Insight and double-click the 02-Jun-2018 entry for your Malwarebytes download.  As a test I just downloaded the MB Free v3.5.1 installer (mb3-setup-consumer-3.5.1.2522-1.0.365-1.0.5354.exe) from the official download page at https://www.malwarebytes.com/mwb-download/ and the File Insight report shows this installer has a Good reputation.

For more details, click the Copy to Clipboard link in the bottom right corner and paste the entire contents of the File Insight log into a text editor like Notepad.

The unique SHA256 hash (digital fingerprint) for my own MB installer is listed as "d3fb6b1391aaa5aa74e805b7533fc4adcf1cb8793a11252e4e8a2886cff525bf" (see the log excerpt below).  If I upload the mb3-setup-consumer-3.5.1.2522-1.0.365-1.0.5354.exe installer to VirusTotal.com for analysis or search that site for the file's SHA256 hash the VirusTotal report <here> shows that 0/64 antivirus scan engines (Bitdefender, Kaspersky, McAfee, etc.) thought this installer was suspicious.

File Thumbprint - SHA:
d3fb6b1391aaa5aa74e805b7533fc4adcf1cb8793a11252e4e8a2886cff525bf
File Thumbprint - MD5:
87a9be18b499891462586749404bc8ab

I can't tell if the SHA-256 hash in your NCW submission (which starts with ) was for your Malwarebytes .exe installer or explorer.exe itself without searching for the entire hash at VirusTotal.com, but if you go through this same exercise for your Malwarebytes .exe installer and it has a safe reputation then I still suspect that it was a security certificate submission to ocsp.digicert.com over an unencrypted connection that threw this generic (but harmless) Local or Remote Attacker:2 flag. It's even possible that the SHA-256 hash "6A671B9..." in your NCW submission could be the unique hash for the security certificate being submitted to ocsp.digicert.com.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.8.0 * NS v22.14.2.13 * Malwarebytes Premium v3.5.1


Re: ocsp digicert com

This Malwarebytes SHA-256 is not like this "6A6", and the MB file reputation in Norton Insight is "Good".

I'm wondering why it's explorer.exe


Re: ocsp digicert com

greendio:

This Malwarebytes SHA-256 is not like this "6A6", and the MB file reputation in Norton Insight is "Good".

Hi greendio:

The MB v3.5.1 installer I downloaded today is mb3-setup-consumer-3.5.1.2522-1.0.365-1.0.5354.exe (i.e., it was bundled with the v1.0.365 component package and a v1.0.5354 malware definition database). What is the name and SHA256 hash of the MB installer you downloaded?  As I noted <here> the SHA hash "6A671B9..." in your NCW submission could even be the hash for explorer.exe or the digital signature for a security certificate being verified at ocsp.digicert.com.

I'm wondering why it's explorer.exe

I don't know.  Did you launch the Malwarebytes installer from Windows Explorer?  Locate explorer.exe (e.g., C:\Windows\explorer.exe) and upload it to VirusTotal.com for analysis - the SHA256 hash of the file will be shown in the report.

As I said before I have no expertise when it comes to interpreting NCW submissions (I don't even have NCW enabled in Norton because these constant NCW submissions consume large amounts of bandwidth on my slow internet connection) so if you still believe this NCW submission is pointing to something potentially dangerous or you are just curious about what a Local or Remote Attacker: 2 flag means then you should contact Norton Customer Support via Live Chat at https://www.norton.com/chat as I suggested earlier and ask for further assistance.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.8.0 * NS v22.14.2.13 * Malwarebytes Premium v3.5.1


Re: ocsp digicert com

I left it for a few days to see if any ad or something like that would pop up. But now when I turned on my computer I got another, different submission: "Offending URL crl.pki.goog/GTSGIAG3.crl"

I'm pretty sure that's something different and might be a Google thingy, but when I tried to search for information I found only a few sites, but none identified by Norton.


Re: ocsp digicert com

greendio:

...But mostly when I google ocsp.digicert.com I can find "how to remove this malware". ...I already scanned my pc and I can't see any detection but I think it might be something dangerous

lmacri:
...Many of those Norton Community Watch submissions for ocsp.digicert.com are likely associated with validity checks for digital certificates via OCSP (Online Certificate Status Protocol)....If Norton was detecting malicious activity on your system then you should see a pop-up notification from the Norton icon in your system tray and/or your browser should display a block notification if you try to visit a known malicious web site. I can't check for similar NCW logs about ocsp.digicert.com in my Norton security history (Security | History | Show | Norton Community Watch) since I have NCW disabled (Settings | Administrative Settings | Norton Community Watch | OFF), but NCW is not very discriminant and tends to collect large amounts of data about all types of activity (malicious, suspicious and safe) on your computer.

greendio:
But now when I turned on my computer I got another, different submission: "Offending URL crl.pki.goog/GTSGIAG3.crl"

Hi greendio:

That looks like another routine Norton Community Watch submission about a background digital certificate check, this time with Google Trust Services (see https://pki.goog/; pki = Public Key Infrastructure; crl = Certificate Revocation List) instead of digicert.com.

You still seem concerned that these Norton Community Watch submissions are pointing to some sort of hidden malware on your system, so hopefully someone else will step into this thread and provide a second opinion.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.8.1 * NS v22.14.2.13 * Malwarebytes Premium v3.5.1
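Both hostnames in this thread (ocsp.digicert.com and crl.pki.goog) come from the certificate being validated: the Authority Information Access extension names the OCSP responder and the CRL Distribution Points extension names the CRL file, so any program that validates a certificate will contact them. The following is an added example using the Python `cryptography` package, not code from Norton or any CA: a throwaway CA issues a leaf carrying both URLs, a client reads those URLs back, the CA publishes a CRL revoking a second leaf, and the client checks each serial against the signed CRL (the "is this serial on the list" step that a CRL fetch exists for). The CA, hostnames and `*.example.invalid` URLs are constructed, and no network connection is made.

```python
"""Where OCSP/CRL URLs come from, and a client-side CRL check (added example)."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

OCSP_URL = "http://ocsp.example.invalid"          # constructed
CRL_URL = "http://crl.example.invalid/ca.crl"     # constructed
NOW = datetime.datetime(2018, 6, 2)               # fixed date for determinism

def make_ca():
    """Throwaway issuing CA (self-signed, constructed)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_leaf(ca_key, ca_cert, hostname):
    """Leaf certificate that tells clients where to check its revocation status."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=90))
            .add_extension(x509.AuthorityInformationAccess([
                x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                       x509.UniformResourceIdentifier(OCSP_URL))]), critical=False)
            .add_extension(x509.CRLDistributionPoints([
                x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(CRL_URL)],
                                       relative_name=None, reasons=None, crl_issuer=None)]),
                           critical=False)
            .sign(ca_key, hashes.SHA256()))

def revocation_urls(cert):
    """What a browser reads before contacting anyone: the OCSP and CRL URLs in the cert."""
    aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    ocsp = [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.OCSP]
    cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    crls = [n.value for dp in cdp for n in (dp.full_name or [])]
    return ocsp, crls

def publish_crl(ca_key, ca_cert, revoked_serials):
    """The file served at CRL_URL: a signed list of revoked serial numbers."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject).last_update(NOW)
               .next_update(NOW + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())

def crl_status(crl, ca_cert, cert):
    """Client-side check: the CRL must be the issuer's, then look the serial up."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the issuing CA")
    if crl.issuer != cert.issuer:
        raise ValueError("CRL issuer does not match the certificate issuer")
    return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"

def demo():
    ca_key, ca_cert = make_ca()
    good = issue_leaf(ca_key, ca_cert, "good.example.invalid")
    stolen = issue_leaf(ca_key, ca_cert, "stolen.example.invalid")
    crl = publish_crl(ca_key, ca_cert, [stolen.serial_number])
    return {"urls": revocation_urls(good),
            "good": crl_status(crl, ca_cert, good),
            "stolen": crl_status(crl, ca_cert, stolen),
            "crl_entries": len(crl)}

if __name__ == "__main__":
    print(demo())
```

The signature check comes first because a CRL is only useful if it really came from the issuing CA; a client that skipped it could be handed an empty list by anyone on the path.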


Re: ocsp digicert com

I'm probably worrying too much about all NCW submissions. Maybe I should turn it off and stop thinking about it


Re: ocsp digicert com

Hi, @greendio. In addition to what lmacri has said, I would also add that NCW is merely reporting on what it finds.

If any certificates turn out to be suspicious or exhibit any unusual behaviour, Norton's other layers of protection will jump in.

Like lmacri, I don't use NCW or check my History, as you can spend hours just worrying about things that may or may not be a problem.

Long story short, let Norton do its thing, and then you can take action if it warns you of any issues.

Windows 10 Home X 64 Norton Security Premium Current

Re: ocsp digicert com

I'm just curious why NCW is still showing me submissions like this even if I'm not doing anything. The last one popped up 10 minutes ago, and it's ocsp.comodoca.com.

I think I'll just disable NCW right now


Re: ocsp digicert com

greendio:

I'm just curious why NCW is still showing me submissions like this even if I'm not doing anything. The last one popped up 10 minutes ago, and it's ocsp.comodoca.com...

Hi greendio:

If you are referring to the timestamp of your NCW submission, I believe that's normal.  NCW submissions and other background Norton tasks listed at Settings | Administrative Settings | Background Tasks | Configure only run while the system is idle so they don't impact system performance while you're using your computer.  NCW will collect data from your computer and temporarily hold that information in a queue (i.e., the submission logged at Security | History | Show | Norton Community Watch will have a status of Pending), and that data will be sent back to Symantec after your system goes into idle mode.

As a test I re-enabled NCW about an hour ago and allowed my system to go into idle mode.  NCW began collecting data for hundreds of .DLL files associated with Malwarebytes, CCleaner, etc. that are stored on my hard drive and then filled my security history with Pending submissions for every one of these .DLL files (including data about their digital certificates).  As I said before, NCW is indiscriminate and collects large amounts of data about every software program you download or install.  The more data they have about the software being used in the wider Norton community the lower the chance that a protection update like a new SDS (virus) or Intrusion Prevention definition update could throw a false positive detection and incorrectly flag a safe file as suspicious.

It's also possible that you have multiple programs (e.g., Windows Update, Firefox, Chrome, Adobe Flash Player, iTunes, etc.) "silently" running scheduled background tasks like automated update checks that you aren't even aware of, and NCW is collecting data about them.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.8.1 * NS v22.14.2.13 * Malwarebytes v3.5.1
