Author Topic: Avast HTTPS Scanning, FireFox 67 and Certificates  (Read 2937 times)

0 Members and 1 Guest are viewing this topic.

Offline AZBruno

  • Jr. Member
  • **
  • Posts: 60
Avast HTTPS Scanning, FireFox 67 and Certificates
« on: July 03, 2019, 06:09:28 PM »
I'm running Avast Free Version 19.5.2378 Build 19.5.4444.507, Windows 10 Pro 1809, Firefox 67.0.4.

I discovered that the folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys was being filled with a lot of files. In two years, there were only 45 files there but then is starting filling up and now there are over 1700 files.

Based on some things I read online, I disabled HTTPS scanning in the Avast Web Shield setting and it appears that no more files are being added.

Looking at the date and time when the files started appearing, it coincides with the update of Firefox to 67.0 (May 24th).

Using the MMC Certificates (Local Computer), there is a group labeled avast! SSL Scanner Cache. There are 1869 certificates there... far more that all other certificates combined.

Are others seeing this? Is it a bug? Can I safely remove the certificates? If so, will files be deleted in the MachineKeys folder?

« Last Edit: July 07, 2019, 01:49:36 AM by AZBruno »

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 45
Re: Avast HTTPS Scanning, FireFox 67 and Certificates
« Reply #1 on: July 04, 2019, 04:19:14 PM »
Thank you for reporting the issue.
Could you please help us with investigation by providing some data?

Please enable Avast debug logging (Menu -> Settings -> General -> Troubleshooting -> Enable debug logging).

Reproduce the issue:
Enable HTTPS scanning in the Avast Web Shield setting again and try visiting sites so that more certificates are generated - you can take a look into the 'avast! SSL Scanner Cache' group in MMC and check the 'Issued to' column.

Create a support package (https://support.avast.com/en-eu/article/Submit-support-file) and post the ID here.

It would also be useful if we could take a look at which certificates were generated (even before debug logging was enabled).
Please go to MMC -> 'avast! SSL Scanner Cache' -> right click 'Certificates' and select 'Export List...' to export the certificate list as a text file.
You can send the list by e-mail as there is no automated feature for this. Feel free to remove any certificates that you consider personal from the list.


It might be a bug - we will be able to give you more information when the issue is investigated.
The certificates should be deleted if they are older than 30 days, or if it is confirmed to be a bug, a fix might be released.
Other than that you can safely delete any certificate issued by by Avast Web/Mail Shield Root (their expiration date should be in only a couple of months).


Thank you very much,
Jakub

Offline AZBruno

  • Jr. Member
  • **
  • Posts: 60
Re: Avast HTTPS Scanning, FireFox 67 and Certificates
« Reply #2 on: July 04, 2019, 08:27:25 PM »
Jakub,

I have submitted the info. The File ID is QD9UD.

I ran with debug logging and HTTPS scanning for only a very short time. It produced one additional file in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. Looking at that file, I can see avast! SSL Scanner in the contents.

I have also exported the Certificates from MMC, both just before and just after the test and compared the two. Two additional certificates are added:
ssl437667.cloudflaressl.com   avast! Web/Mail Shield Root   11/15/2019   Server Authentication, Client Authentication   <None>          
static.garmin.com   avast! Web/Mail Shield Root   2/28/2020   Server Authentication, Client Authentication   <None>          
(Garmin was the site I navigated to, no pun intended)
« Last Edit: July 07, 2019, 01:50:06 AM by AZBruno »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84897
  • No support PMs thanks
Re: Avast HTTPS Scanning, FireFox 67 and Certificates
« Reply #3 on: July 04, 2019, 08:56:19 PM »
@  AZBruno
The latest version of avast is 19.6.2383, see https://forum.avast.com/index.php?topic=228012.0.

I don't know if getting the latest version will have any impact, but I guess it would be pest trying to fault find this if you were using the latest version.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline AZBruno

  • Jr. Member
  • **
  • Posts: 60
Re: Avast HTTPS Scanning, FireFox 67 and Certificates
« Reply #4 on: July 05, 2019, 06:18:11 PM »
After writing the original post I did update to the latest version, but still see the same behaviour. The submitted support package is with the latest version.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84897
  • No support PMs thanks
Re: Avast HTTPS Scanning, FireFox 67 and Certificates
« Reply #5 on: July 05, 2019, 06:28:09 PM »
OK, we will have to wait for one of the Avast Team to get back to the forum topic.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline loungehake

  • Dummy Half
  • Sr. Member
  • ****
  • Posts: 251
  • Come on lad! You've only got 70 yards to go.
Re: Avast HTTPS Scanning, FireFox 67 and Certificates
« Reply #6 on: July 05, 2019, 08:35:21 PM »
I am runnng Firefox ESR 60.7.2(64bit) on Windows 10 Pro 1903(64bit) with Avast free 19.6.2383.  I can find no folder "C:\ProgramData\Crypto".
« Last Edit: July 05, 2019, 08:37:26 PM by loungehake »
Windows XP Pro SP3, Avast Free 10.4.2233, Agnitum Outpost Firewall Pro 9.3, Malwarebytes Anti-Exploit, Comodo Memory Firewall, OSArmor
Windows 7 Ultimate x64, Avast Free 21.3.2459, Malwarebytes Anti-Exploit, Malwarebytes Anti-Ransomware, OSArmor
Windows 8.1 Pro x64, Avast Free 21.3.2459, Malwarebytes Anti-Exploit, Malwarebytes Anti-Ransomware, OSArmor
Windows 10 Pro x64, Avast Free 21.3.2459, Malwarebytes Anti-Exploit, Malwarebytes Anti-Ransomware

Offline AZBruno

  • Jr. Member
  • **
  • Posts: 60
Re: Avast HTTPS Scanning, FireFox 67 and Certificates
« Reply #7 on: July 06, 2019, 02:47:00 AM »
Most humble apologies... I've misstated the folder more than once.

It is:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

(Above references in my prior posts have been corrected)
« Last Edit: July 07, 2019, 01:51:02 AM by AZBruno »

Offline rocksteady

  • Advanced Poster
  • **
  • Posts: 1082
Re: Avast HTTPS Scanning, FireFox 67 and Certificates
« Reply #8 on: July 06, 2019, 11:27:36 AM »
Yup. I can see 850 files in there. Don't know if that is good or bad, as have not looked before.

Win 10 1903, FF67.0.4 (64-bit), Avast free 19.6.2383 (build 19.6.4546.494)

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 45261
  • 61 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Avast HTTPS Scanning, FireFox 67 and Certificates
« Reply #9 on: July 06, 2019, 04:43:26 PM »
Yup. I can see 850 files in there. Don't know if that is good or bad, as have not looked before.

Win 10 1903, FF67.0.4 (64-bit), Avast free 19.6.2383 (build 19.6.4546.494)
494 files in my folder.
Free avast! Security Seminar: http://bit.ly/2N1eaR2  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 10 Pro v20H2 64bit, 24 Gig Ram, 1TB SSD, AvastOmni 20.7.xxx, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq

Offline AZBruno

  • Jr. Member
  • **
  • Posts: 60
Re: Avast HTTPS Scanning, FireFox 67 and Certificates
« Reply #10 on: July 06, 2019, 05:25:45 PM »
If seeing a lot of files in the ...\MachineKeys folder, sort by Modified Date and see if the bulk of them started appearing recently. In my case, it coincided with when I installed Firefox 67 on May 24th. There is a log of all Firefox installations in C:\ProgramData\Mozilla\updates\<some big number>\updates.xml so it's easy to see if they line up.

Offline merckxist

  • Jr. Member
  • **
  • Posts: 70
Re: Avast HTTPS Scanning, FireFox 67 and Certificates
« Reply #11 on: July 06, 2019, 07:28:01 PM »
If seeing a lot of files in the ...\MachineKeys folder, sort by Modified Date and see if the bulk of them started appearing recently. In my case, it coincided with when I installed Firefox 67 on May 24th. There is a log of all Firefox installations in C:\ProgramData\Mozilla\updates\<some big number>\updates.xml so it's easy to see if they line up.
+1 w/avast 19.6.2382

My count is 1,164 since FF 67.0 install on 5/21/19. Before that date, the total was 52 since 01/01/19.

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 45
Re: Avast HTTPS Scanning, FireFox 67 and Certificates
« Reply #12 on: July 08, 2019, 05:08:40 PM »
As you have already implied, the certificates are generated so that HTTPS scanning can be enabled in FireFox. They are cached for 30 days to make HTTPS connections to visited sites faster. The choice was made to balance speed and used disk space. It is obvious from examples in this thread that the number of certificates cached can be inconvenient, so we are currently testing other approaches - the favorite at the moment being caching only a set maximum number of certificates. After the threshold is reached, the oldest certificate is deleted every time a new one is generated.

If you don't want to wait for the fix to be implemented in a future release, you can in the meantime use a different browser (e.g., HTTPS scanning in Google Chrome is implemented in a different way) or turn HTTPS scanning off as was suggested (though we obviously don't recommend that). This prevents new certificates from being generated. There are several ways to remove the certificates that are already in the folder. They are removed 30 days after being generated, or every time Avast is re-installed.

If the space used doesn't bother you, the certificates present no danger and speed up HTTPS connections, so there is nothing wrong with keeping them.

Thank you for your patience,
Jakub

Offline AZBruno

  • Jr. Member
  • **
  • Posts: 60
Re: Avast HTTPS Scanning, FireFox 67 and Certificates
« Reply #13 on: July 08, 2019, 06:10:10 PM »
There are several ways to remove the certificates that are already in the folder. They are removed 30 days after being generated, or every time Avast is re-installed.

Jakub, thanks for your reply.

I would like some clarification about removing certificates. At the time I initially saw this, I had many files in the ...\MachineKeys folder which were older than 30 days and they are still there. I also updated to the latest Avast program and that did not remove anything either.

In MMC, when I see the avast! SSL Scanner Cache certificates, are these the same as the files in the ..\MachineKeys folder? I have found that deleting certificates in MMC does not change the file count in the ..\MachineKeys folder.

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 45
Re: Avast HTTPS Scanning, FireFox 67 and Certificates
« Reply #14 on: July 09, 2019, 12:27:46 PM »
There are several ways to remove the certificates that are already in the folder. They are removed 30 days after being generated, or every time Avast is re-installed.

Jakub, thanks for your reply.

I would like some clarification about removing certificates. At the time I initially saw this, I had many files in the ...\MachineKeys folder which were older than 30 days and they are still there. I also updated to the latest Avast program and that did not remove anything either.

In MMC, when I see the avast! SSL Scanner Cache certificates, are these the same as the files in the ..\MachineKeys folder? I have found that deleting certificates in MMC does not change the file count in the ..\MachineKeys folder.

I have taken a more in-depth look at the logic and the caching time is updated every time the certificates are used - meaning they are only deleted after *not being used* for 30 days, sorry for the confusion. Other than that, there may be non-Avast files too in the folder.

As for the re-installation - updating is not enough, as it keeps your settings and certificate cache intact. For the certificates to be erased, Avast needs to be uninstalled and the computer restarted first.

Regarding the files in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, there can be any number of key containers belonging to various certificates used by other applications, so I would advise against deleting anything directly. Deleting a certificate in MMC removes its registry entry in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates, but does not delete the corresponding key file in the MachineKeys folder.