Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: AZBruno on July 03, 2019, 06:09:28 PM
-
I'm running Avast Free Version 19.5.2378 Build 19.5.4444.507, Windows 10 Pro 1809, Firefox 67.0.4.
I discovered that the folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys was being filled with a lot of files. In two years, there were only 45 files there but then is starting filling up and now there are over 1700 files.
Based on some things I read online, I disabled HTTPS scanning in the Avast Web Shield setting and it appears that no more files are being added.
Looking at the date and time when the files started appearing, it coincides with the update of Firefox to 67.0 (May 24th).
Using the MMC Certificates (Local Computer), there is a group labeled avast! SSL Scanner Cache. There are 1869 certificates there... far more that all other certificates combined.
Are others seeing this? Is it a bug? Can I safely remove the certificates? If so, will files be deleted in the MachineKeys folder?
-
Thank you for reporting the issue.
Could you please help us with investigation by providing some data?
Please enable Avast debug logging (Menu -> Settings -> General -> Troubleshooting -> Enable debug logging).
Reproduce the issue:
Enable HTTPS scanning in the Avast Web Shield setting again and try visiting sites so that more certificates are generated - you can take a look into the 'avast! SSL Scanner Cache' group in MMC and check the 'Issued to' column.
Create a support package (https://support.avast.com/en-eu/article/Submit-support-file) and post the ID here.
It would also be useful if we could take a look at which certificates were generated (even before debug logging was enabled).
Please go to MMC -> 'avast! SSL Scanner Cache' -> right click 'Certificates' and select 'Export List...' to export the certificate list as a text file.
You can send the list by e-mail as there is no automated feature for this. Feel free to remove any certificates that you consider personal from the list.
It might be a bug - we will be able to give you more information when the issue is investigated.
The certificates should be deleted if they are older than 30 days, or if it is confirmed to be a bug, a fix might be released.
Other than that you can safely delete any certificate issued by by Avast Web/Mail Shield Root (their expiration date should be in only a couple of months).
Thank you very much,
Jakub
-
Jakub,
I have submitted the info. The File ID is QD9UD.
I ran with debug logging and HTTPS scanning for only a very short time. It produced one additional file in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. Looking at that file, I can see avast! SSL Scanner in the contents.
I have also exported the Certificates from MMC, both just before and just after the test and compared the two. Two additional certificates are added:
ssl437667.cloudflaressl.com avast! Web/Mail Shield Root 11/15/2019 Server Authentication, Client Authentication <None>
static.garmin.com avast! Web/Mail Shield Root 2/28/2020 Server Authentication, Client Authentication <None>
(Garmin was the site I navigated to, no pun intended)
-
@ AZBruno
The latest version of avast is 19.6.2383, see https://forum.avast.com/index.php?topic=228012.0 (https://forum.avast.com/index.php?topic=228012.0).
I don't know if getting the latest version will have any impact, but I guess it would be pest trying to fault find this if you were using the latest version.
-
After writing the original post I did update to the latest version, but still see the same behaviour. The submitted support package is with the latest version.
-
OK, we will have to wait for one of the Avast Team to get back to the forum topic.
-
I am runnng Firefox ESR 60.7.2(64bit) on Windows 10 Pro 1903(64bit) with Avast free 19.6.2383. I can find no folder "C:\ProgramData\Crypto".
-
Most humble apologies... I've misstated the folder more than once.
It is:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
(Above references in my prior posts have been corrected)
-
Yup. I can see 850 files in there. Don't know if that is good or bad, as have not looked before.
Win 10 1903, FF67.0.4 (64-bit), Avast free 19.6.2383 (build 19.6.4546.494)
-
Yup. I can see 850 files in there. Don't know if that is good or bad, as have not looked before.
Win 10 1903, FF67.0.4 (64-bit), Avast free 19.6.2383 (build 19.6.4546.494)
494 files in my folder.
-
If seeing a lot of files in the ...\MachineKeys folder, sort by Modified Date and see if the bulk of them started appearing recently. In my case, it coincided with when I installed Firefox 67 on May 24th. There is a log of all Firefox installations in C:\ProgramData\Mozilla\updates\<some big number>\updates.xml so it's easy to see if they line up.
-
If seeing a lot of files in the ...\MachineKeys folder, sort by Modified Date and see if the bulk of them started appearing recently. In my case, it coincided with when I installed Firefox 67 on May 24th. There is a log of all Firefox installations in C:\ProgramData\Mozilla\updates\<some big number>\updates.xml so it's easy to see if they line up.
+1 w/avast 19.6.2382
My count is 1,164 since FF 67.0 install on 5/21/19. Before that date, the total was 52 since 01/01/19.
-
As you have already implied, the certificates are generated so that HTTPS scanning can be enabled in FireFox. They are cached for 30 days to make HTTPS connections to visited sites faster. The choice was made to balance speed and used disk space. It is obvious from examples in this thread that the number of certificates cached can be inconvenient, so we are currently testing other approaches - the favorite at the moment being caching only a set maximum number of certificates. After the threshold is reached, the oldest certificate is deleted every time a new one is generated.
If you don't want to wait for the fix to be implemented in a future release, you can in the meantime use a different browser (e.g., HTTPS scanning in Google Chrome is implemented in a different way) or turn HTTPS scanning off as was suggested (though we obviously don't recommend that). This prevents new certificates from being generated. There are several ways to remove the certificates that are already in the folder. They are removed 30 days after being generated, or every time Avast is re-installed.
If the space used doesn't bother you, the certificates present no danger and speed up HTTPS connections, so there is nothing wrong with keeping them.
Thank you for your patience,
Jakub
-
There are several ways to remove the certificates that are already in the folder. They are removed 30 days after being generated, or every time Avast is re-installed.
Jakub, thanks for your reply.
I would like some clarification about removing certificates. At the time I initially saw this, I had many files in the ...\MachineKeys folder which were older than 30 days and they are still there. I also updated to the latest Avast program and that did not remove anything either.
In MMC, when I see the avast! SSL Scanner Cache certificates, are these the same as the files in the ..\MachineKeys folder? I have found that deleting certificates in MMC does not change the file count in the ..\MachineKeys folder.
-
There are several ways to remove the certificates that are already in the folder. They are removed 30 days after being generated, or every time Avast is re-installed.
Jakub, thanks for your reply.
I would like some clarification about removing certificates. At the time I initially saw this, I had many files in the ...\MachineKeys folder which were older than 30 days and they are still there. I also updated to the latest Avast program and that did not remove anything either.
In MMC, when I see the avast! SSL Scanner Cache certificates, are these the same as the files in the ..\MachineKeys folder? I have found that deleting certificates in MMC does not change the file count in the ..\MachineKeys folder.
I have taken a more in-depth look at the logic and the caching time is updated every time the certificates are used - meaning they are only deleted after *not being used* for 30 days, sorry for the confusion. Other than that, there may be non-Avast files too in the folder.
As for the re-installation - updating is not enough, as it keeps your settings and certificate cache intact. For the certificates to be erased, Avast needs to be uninstalled and the computer restarted first.
Regarding the files in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, there can be any number of key containers belonging to various certificates used by other applications, so I would advise against deleting anything directly. Deleting a certificate in MMC removes its registry entry in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates, but does not delete the corresponding key file in the MachineKeys folder.
-
I am now running Avast 19.8.2393 (build 19.8.4793.541) and Firefox 69.0.3.
I no longer have thousands of Avast certificates, although the MachineKeys folder still has 94 items... most as a result of Avast before disabling HTTPS scanning. Before I re-enable it, I was wondering if anyone can tell me whether the same issue will exist.
Thanks.
-
Hello,
The issue should be solved now. I would be grateful if you could verify it by visiting a few websites and checking that the number of certificates didn't increase.
If this is not the case and the issue persists, please let me know.
Thanks!
-
I've enabled HTTPS scanning and will monitor it.
Meanwhile, can you tell me the difference between "avast! SSL Scanner Cache" and "Avast SSL Scanner Cache". They both have certificates
-
"Avast SSL Scanner Cache" is the current name of the Avast certificate authority storage. "avast! SSL Scanner Cache" is now deprecated and will no longer be used when generating new certificates.
Edit: missed a word
-
So is it OK to delete all the certificates under the "avast! SSL Scanner Cache"?
Also, how can I delete the nodes of "avast! SSL Scanner Cache" and "avast!Mail Scanner Trusted" (which has no certificates now). I do not see a delete option for the nodes in the Certificates MMC snap-in.
-
Yes, they can now be safely deleted using MMC.
As far as I know, MMC doesn't allow you to delete the nodes. It can be done using regedit with the following path: "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\avast! SSL Scanner Cache"
As always when using regedit, please do this only at your own risk and don't forget to create a backup first.