
Locking down CertUtil?

9 replies to this topic

#1 CrimsonCricket

Posted 04 April 2018 - 06:59 PM

A recent Bleeping Computer news article suggested that Windows users "may want to lock down [CertUtil's] ability to connect to the Internet", but no instructions on how to do this were provided! So how does one go about doing this?


#2 Grinler (Lawrence Abrams, Admin)

Posted 05 April 2018 - 07:43 PM

The easiest way is through Windows Firewall. Make sure it's enabled and then perform the following:

Go into the Windows Firewall control panel and click on advanced settings.

From there click on "Outbound Rules", then click on Actions->New Rules.

Then configure it like the images below and press next at each screen:

[Images from the post, one per wizard page: type-of-rule.jpg, path.jpg, action.jpg, profile.jpg]


At the last page, give it a name like "Block Certutil Outbound Connection" and then press "Finish".
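For anyone who would rather script the steps above than click through the wizard, here is the same outbound block rule as a PowerShell example. This is an added example, not code from the original post or from BleepingComputer; it assumes the NetSecurity cmdlets (Windows 8 / Server 2012 and later), an elevated prompt, and Windows installed under $env:SystemRoot. The rule name is the one Grinler suggests; the "(2)" suffix for the second copy of certutil.exe and the warning text are my own choices.

```powershell
# Added example (not from the original post): PowerShell equivalent of the
# Windows Firewall "Outbound Rules" steps described above.
# Run from an elevated (Administrator) PowerShell prompt.
# Assumptions: NetSecurity cmdlets are available (Windows 8 / Server 2012+)
# and Windows lives under $env:SystemRoot (normally C:\Windows).

$ruleName = "Block Certutil Outbound Connection"

# certutil.exe lives in System32; 64-bit Windows also ships a 32-bit copy
# under SysWOW64. A program rule matches by path, so both copies get a rule.
# Paths that do not exist on this machine are skipped.
$certutilPaths = @(
    (Join-Path $env:SystemRoot "System32\certutil.exe"),
    (Join-Path $env:SystemRoot "SysWOW64\certutil.exe")
) | Where-Object { Test-Path $_ }

# "Make sure it's enabled": the rule is useless if the firewall is off
# for the profile the machine is currently using.
Get-NetFirewallProfile | ForEach-Object {
    if ($_.Enabled -ne 'True') {
        Write-Warning ("Windows Firewall is disabled for the {0} profile; enabling it." -f $_.Name)
        Set-NetFirewallProfile -Name $_.Name -Enabled True
    }
}

# Wizard pages in order: Rule Type = Program, Program = path, Action = Block,
# Profile = all three, Name = the suggested name.
$index = 0
foreach ($path in $certutilPaths) {
    $index++
    $name = if ($index -eq 1) { $ruleName } else { "$ruleName ($index)" }

    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$name' already exists, skipping."
        continue
    }

    New-NetFirewallRule -DisplayName $name `
        -Direction Outbound `
        -Program $path `
        -Action Block `
        -Profile Any `
        -Enabled True | Out-Null
    Write-Host "Created outbound block rule '$name' for $path"
}

# Verify: list each rule together with the program path it applies to,
# which is the same information the firewall console shows per rule.
Get-NetFirewallRule -DisplayName "$ruleName*" |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [PSCustomObject]@{
            Rule    = $_.DisplayName
            Enabled = $_.Enabled
            Action  = $_.Action
            Program = $app.Program
        }
    } | Format-Table -AutoSize
```

The script is idempotent: running it twice reports the existing rules instead of creating duplicates. Because the rule matches on program path, the verification table at the end is the quickest way to confirm which copies of certutil.exe are actually covered on a given machine.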

#3 Sampei_Nihira

Posted 06 April 2018 - 10:36 AM

In the rules of OSA v. 1.4 beta there is also a control for this exe.



#4 Grinler (Lawrence Abrams, Admin)

Posted 06 April 2018 - 11:06 AM

OSA?

#5 Sampei_Nihira

Posted 06 April 2018 - 11:13 AM

Novirusthanks OSArmor.



#6 Grinler (Lawrence Abrams, Admin)

Posted 06 April 2018 - 11:21 AM

Looks interesting. Gonna do an article on it :) Thanks for sharing!

#7 Sampei_Nihira

Posted 06 April 2018 - 11:27 AM

:thumbup2:

Quoting the article:

    Windows has a built-in program called CertUtil,.................

Wrong.

It is not present in Windows XP. :thumbsup2:



#8 Grinler (Lawrence Abrams, Admin)

Posted 06 April 2018 - 11:38 AM

Been there from Vista+. I think we are safe to refer to Windows as the latest two incarnations :)

#9 Sampei_Nihira

Posted 08 April 2018 - 02:34 AM

NovirusThanks wrote:

    We're planning to release v1.4 on 10 April...............

https://www.wilderssecurity.com/threads/novirusthanks-osarmor-an-additional-layer-of-defense.398859/page-59#post-2749714


#10 STS-1

Posted 05 May 2018 - 11:48 PM

Not sure if this is the right place for this post, but here goes:

 

Is CertUtil similar to Credential Manager? I have a virtualapp/didlogical credential that lists SSO_POP_Device Credential that keeps re-adding itself, and from what I found from googling it, there were a couple of different answers from Microsoft:

  1. It is related to Windows Live stuff (which I do not use).
  2. It is related to your Microsoft account (which I do not use at all except when I had to sign in once when I added Office 365).
  3. It is related to the Zeus Virus and means I have been breached....

Can anyone confirm what this really would be? The only things I could think of are:

  1. The digital key that Windows 10 uses to activate Windows (which nobody said).
  2. The credential for my Thunderbird email client, as I have "remember password" set so I can get my emails, or the credential for our Office 365 account (which I do not manage, but I think it might be Exchange, not 100% sure)...

My biggest concern would be that I picked up something dirty from somewhere without realizing it, but all my virus programs show clear (which does not mean anything necessarily, as I have been told that a lot of malware will disguise itself as legitimate processes and corrupt AV anyway). Any feedback would be greatly appreciated. Thanks everyone!
