December 17, 2003
UPDATE: Interesting follow-up to IP address
I got an interesting reply about the IP address that kept hitting my friend's router. Could it really be a Microsoft spy computer?
UPDATE: Richard Schwartz pointed out an article on CNET about VeriSign's dead certificate that should explain this better.
Symantec has laid the blame on VeriSign after Norton AntiVirus users complained that their computers became slow and unstable after they downloaded updates to the software.
Posted by michael at December 17, 2003 09:44 AM
Comments
That IP address belongs to Verisign, not Microsoft. It is crl.verisign.com, and the "crl" stands for "Certificate Revocation List". As far as I can tell, that server maintains lists of Verisign-issued certificates that have been revoked. Software that checks revocations should be contacting that server, so it makes sense that some Microsoft software would be contacting it. Nothing conspiratorial there, IMHO.
But why is it hitting your friend's router? That's hard to say. Perhaps someone is trying to attack crl.verisign.com by sending out packets that look like they come from it, causing your friend's router (and maybe tens of thousands of other routers) to all send responses "back" to it.
-rich
Posted by: Richard Schwartz at December 18, 2003 11:23 PM
Win98SE
My computer has taken to automatically dialing up when I boot up. I ran Netstat and I got the URL http://crl.verisgn.com/:80. The task list doesn't show anything that should be doing this. I have noticed that the Norton virus icon does not show up in the tray until after the connection.
It will do this for several days in a row and then stop. I am running the most recent version of Spybot S&D and it indicates I have no spyware and Norton says I have no viruses. If I try to cancel the dialup I lose autoconnect.
Posted by: Fred at December 22, 2003 11:14 PM
BTW, CRL stands for certificate revocation list. If you point the browser at that URL you get a list of revoked certs. Now I'm not sure why my PC (Norton Antivirus, I think) gets into check the cert mode every so often. Has nothing to do with autoupdate. They should explain what is going on rather than just doing it and slowing my bootup process.
Haven't tried it yet but unchecking the 2 "check for certificate revocation" boxes under security in Internet tools => advanced should fix it.
Posted by: Fred at December 22, 2003 11:26 PM
I have also had those; some of my .exe files from games etc. are trying to contact those CRLs. Firstly it started to go to cr.microsoft.com, then it started to go to crl.verisign.com. I just block it with my firewall. But when I block it, it takes about a min for the app to start :/ I will try to turn the certificate revocation list off. It's starting to bug me now.
Posted by: Stephen at January 8, 2004 09:22 AM
Very interesting ... I noticed hundreds of hits in my router log - both incoming and outgoing - to crl.verisign.com (and .net) starting yesterday evening (1/7/04.) Looking over previous logs showed no sign of contact with crl.verisign.com before. I also noticed ZoneAlarm reporting outbound traffic from Symantec apps (AntiVirus) which never asked for (nor needed) to connect to the internet before. And an -extreme- slowdown in the opening and running of NAV.
Today at work the same thing happened with one further twist: when I launched any MSOffice product (Word, Excel, Access) ZoneAlarm popped up asking for permission to let those apps use the internet. Again, this has never happened before. And it took forever for the app to open.
After a lot of digging, I turned off the MSOffice plug-in in Norton AntiVirus and the Office apps now load normally and do not try to phone home.
As for crl.verisign.com, I called Verisign today and got bounced around to a number of people. Eventually I was asked to e-mail them the router log along with a detailed description of what's going on. I received an auto-bot reply stating I should have a reply within eight hours.
My gut feeling is that this has something to do with Norton AntiVirus (or some Symantec module) since these started causing ZoneAlarm to react at the same time the hits started showing up in the logs.
I've now seen this on three machines, two of which are running Windows 2000 and one running Win98. But -all- are running Norton AntiVirus 2003 and all had a definition update within the past 24 hours. Hmmm...
Assuming I get a response back from Verisign, I'll provide more information.
Posted by: Fred W. at January 8, 2004 01:30 PM
hi,
try to block (with a firewall) all in/out connections to crl.verisign.com
it looks like a bug from "norton anti virus" last update. if it is so, your right clicks (on a file - explorer...) should take some time (more than normal)
ciao martin
Posted by: martin at January 8, 2004 03:03 PM
Whats Up!
It's now January 8 2004... and i've the same problem.. just adding my input here on your message board.. no solutions yet sorry!
This crl.verisign.com s#it is a pain in the @ss!
So... well 2 years ago somebody managed to receive verisign certificates... authenticated.. supposedly by microsoft... so.. this is what happened to me...
i went to some site or something, then got that install dialog certified by microsoft... i figured it was ok so i clicked yes....
now my NORTONS 2004 live update...
Microsoft outlook express...
internet explorer...
all want to connect to crl.verisign
there have been times that a connection has established and stayed established on port 80.
my question would be... wtf is the purpose.
way too much lag connecting with verisign or whatever... what is it doing... what data is being sent....
yes my zonealarm has blocked incoming requests...and supposedly outgoing.. but still the problem exists... what and why.... this is obviously not normal... i found no way to fix this searching the net...
i found a microsoft patch that supposedly would fix the verisign problem... but it did nothing....
so im going to now try unchecking the certificate setting in IE.. restart check netstat while connecting to google.com... hopefully its gone... anyway... thats my experience with this verisign crapola.... i was thinking people are able to use those old faulty certificates to their own advantage... i keep gettin different IP addys connected with this crl.verisign.com
whoIS shows the ip's are from NETWORK SOLUTIONS... which is affiliated or something with WWW.VERISIGN.COM..
Posted by: J2004 at January 8, 2004 05:45 PM
BTW... BLOCKING CRL.VERISIGN.COM WITH ZONEALARM DOES WORK... Most of the time :] and im running win98SE... im sure verisign.com has a true authenticating system... but whatever is on my computer installed as verisign by microsoft is doing toooo much. something more must be going on with it....
I have had no problems with Nortons, ZoneAlarm, Or outlook express until that DIALOG BOX appeared asking me to download something certified by microsoft. after that.. everything wants to connect to crl.verisign.com and really lags the $hit out of nortons, Internet explorer, outlook express....
come on now... during my outlook login it wants to send data to crl.verisign.com?!? bLaH :P
Posted by: j2004 at January 8, 2004 05:58 PM
Ok.. BTW i figured id try to connect to crl.verisign.com via FTP about 15 minutes ago and forgot all about it.. well now i just opened the ftp window and its still got that flashlight icon appearing as though its looking for the connection... well i checked my netstat and it says:
Active Connections
  Proto  Local Address  Foreign Address                  State
  TCP    ME:1096        sitefinder-idn.verisign.com:ftp  ESTABLISHED
Posted by: J2004 at January 8, 2004 06:02 PM
Same problem here. Looks like Norton Antivirus's last update tries to phone home. It happens over and over again. I blocked it with Norton Personal Firewall.
Posted by: Chris GERY at January 8, 2004 06:04 PM
THAT PERSON ABOVE WAS RIGHT!
To stop this verisign fiasco... just do this...
in internet explorer click...
Tools>Internet Options>
Click the ADVANCED TAB
then scroll down to Security:
UNCHECK the boxes that say "CHECK FOR PUBLISHERS CERTIFICATE REVOCATION"
and
"CHECK FOR SERVERS CERTIFICATE REVOCATION(requires restart)"
my norton's live update, outlook, iexplorer all work fine now! ThankS!
Posted by: J2004 at January 8, 2004 06:20 PM
Just adding my 2 cents....
I am having the same problem when I try to run Excel or Word. I get a message "a program named NAVW32.EXE is attempting to connect to a computer at 198.49.161.205:80 using crl.verisign.com"
Temp Fix
If you open your "hosts" file located in the windows\system32\drivers\etc folder (for WinXP), and edit that file with Notepad, add this line:
0.0.0.0 crl.verisign.com
Save the file and presto, no more pop up messages.
I just downloaded AVG anti-virus and it found a "TrojanDropper.small" virus and healed it.
I went back in to the "hosts" file and deleted the line above that I added. So far so good.
Posted by: Peter at January 8, 2004 10:02 PM
Sorry, left out the program which gave me the pop-up message.....Norton Internet Security. After receiving the message, I would choose "block" access and then Word or Excel would come up okay.
Posted by: Peter at January 8, 2004 10:05 PM
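A hosts-file entry like the one in the comment above is easy to forget once it is in place. The following is an added example, not part of the original comments: it scans hosts-file text for revocation hostnames mapped to an unspecified or loopback address. The function name and the sample file are constructed for illustration; the watched hostnames are the ones mentioned in this thread.

```python
import ipaddress

# Revocation endpoints named in the comments on this page.
REVOCATION_HOSTS = {"crl.verisign.com", "crl.verisign.net", "crl.microsoft.com"}

# Constructed sample hosts file (not taken from any real machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         crl.verisign.com      # temp fix, January 2004
127.0.0.1       CRL.Microsoft.com. intranet-portal
# 0.0.0.0       crl.verisign.net      (commented out, not active)
192.0.2.10      fileserver
"""


def find_blocked_revocation_hosts(hosts_text, watched=REVOCATION_HOSTS):
    """Return (line_no, address, hostname) for each watched name that the
    hosts file points at 0.0.0.0, :: or a loopback address."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname is not a mapping
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field, ignore the line
        if not (addr.is_unspecified or addr.is_loopback):
            continue
        # One line may map several names; hostnames are case-insensitive
        # and may carry a trailing root dot.
        for name in fields[1:]:
            normalized = name.lower().rstrip(".")
            if normalized in watched:
                findings.append((line_no, str(addr), normalized))
    return findings


if __name__ == "__main__":
    for line_no, addr, name in find_blocked_revocation_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr} (revocation lookups will fail)")
```
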
Well, it would appear that everything is pointing to Symantec as the culprit. Either intentionally or as a bug in an update.
When I added crl.verisign.net/com to my Linksys firewall, it also blocked access to Yahoo mail. So I removed it from the Linksys and added it to ZoneAlarm and that seems to have done the trick. I also unchecked the MSOffice plug-in in Norton AntiVirus miscellaneous options.
The affected computers all seem to be back to normal now, both in terms of application launching speed, and no hits to/from crl.verisign.
As far as Verisign's bot telling me I'd have a response in eight hours, it's now closing in on 21 hours and I've heard nothing from them.
And for those who are wondering, running a WHOIS on crl.verisign.com/net brings up Verisign Infrastructure and Operations. Sounds clandestine to me. :-)
Posted by: Fred W at January 9, 2004 04:35 AM
I developed the "crl.verisign.com" dialout problem immediately after a live update session on 1/7/04. I run Norton AV2002, NT4.0 & ZoneAlarm2.6.2. I suspected the AV2002 (with the new update). I completely removed AV2002 from my system & the auto-dialout problem is gone now. I too, suspect that the Norton people have made some kind of mistake.
Posted by: John F at January 9, 2004 06:40 AM
Thanks for all the feedback. I am the one who mentioned to Michael about the strange IP hitting my router. I did alter the settings in IE - but not sure it would help since I use Firebird as my default browser.
I am running Norton Internet Security 2003 (AV and FW). I added the "crl.verisign.com" to my list of blocked addresses. When I went back to my router log, I noticed a new IP "6.94.110.11" - when I accessed this address, I noticed this is the same address as the original problem child, "198.49.161.206".(read original blog entry) At least, it had the same contents.
I am going to keep an eye on this and possibly switch AV if this persists. I appreciate all the feedback.
Posted by: Joe at January 9, 2004 08:37 AM
Dear People,
This is not a new problem. I have had the dial up on restart going on for a couple of years. The text of a snail mail today to Symantec UK follows (no useable/effective email address appears easily available for them).
It is interesting Symantec say this has only happened since 7th Jan - that may indicate there are several problems some older than others or Symantec does not appreciate how long some of these symptoms have existed.
Also, the Symantec document, Document ID:2004010810205113, (referred to in the snail mail) suggests the fix of deselecting the "Check for publisher's certificate revocation" option in 'Internet Options' in MS Windows control panel. That document also specifically refers to the Verisign connection:- "This issue appears to be related to VeriSign receiving an unusual number of requests by Windows-based clients to download a certificate revocation list (CRL) on January 7-8, 2004".
_____________________ SNAILMAIL TEXT NOW FOLLOWS_____________________________________
Symantec United Kingdom
Symantec (UK) Ltd.
Hines Meadow
St. Cloud Way
Maidenhead
Berkshire
SL6 8XB
Dear Sirs,
SYMANTEC ANTI-VIRUS/INTERNET SECURITY
Re - uncontrolled http://198.49.161.206/ accesses & unauthorised auto dialing on boot up
I would greatly appreciate your comments on the attached exchanges of emails which appear to involve your internet security products. I have experienced just these kinds of problems. If the problems do not emanate from your products, then someone else may have located and is exploiting security breaches in your security software products, giving rise to these ‘features’. Accordingly, whichever way one looks at this, whether these are faults in your software, or security breaches, then it is a serious matter.
Accordingly, I should be most obliged for comment on whether you believe these are faults/security breaches or, if not, what are they and what causes them. If they do relate directly or indirectly to your software, I should be most obliged to know what you may be doing/or have done, to correct them.
Is your internet support page solution:-
http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2004010810205113
Document ID:2004010810205113
intended to relate to this issue? If so, then the page is in error referring to slowdowns after 7th January, as I have experienced this problem for a very very long time and only solve it by restoring a clean backup of the entire hard drive.
I look forward to hearing from you.
Posted by: Cliff at January 9, 2004 10:18 AM
Dear People,
AN UPDATE
I can confirm deselecting the "Check for publisher's certificate revocation" option in 'Internet Options' in MS Windows control panel resolves the unauthorised auto dialing on boot up. This might or might not relate to Symantec products directly because disabling and preventing Norton Internet Security and Antivirus from starting does not prevent the unauthorised auto dialling on boot up issue.
However, that is not a new issue but has been going on a long time. Maybe the latest Symantec Live Update download of Symantec/Norton products has introduced something that exacerbates an existing problem.
Posted by: Cliff at January 9, 2004 11:05 AM
I experienced the same problem after my NAV update on the 7th. Today's NAV update seems to have fixed the problem on my XP Pro system.
Prior to today's Live Update I saw the following apps going to the following addresses:
ccPwdSvc.exe.94.110.11
ccApp.exe - 64.94.110.11
ccEvtMgr.exe - 198.49.161.201
cfgwiz.exe - 198.49.161.202
nmain.exe - 198.49.161.205 and 198.49.161.200
explorer.exe - 198.49.161.200 (right click on file icon)
explorer.exe - 198.49.161.206
Posted by: Paul Albrecht at January 9, 2004 02:52 PM
Dear People,
FURTHER UPDATE
If you search for "198.49.161.206" on Google and then when Google displays the results, select the option 'Find web pages that contain the term "198.49.161.206" '.
You will then see web pages reporting this problem (including these Michael Braly pages), such as:-
A) 25th August 2003 (in Swiss/German),
B) 10th October 2003 (in Spanish and specifically identifying " 'Microsoft Word' from your computer wants to connect to crl.verisign.com [198.49.161.206], port 80"),
C) 14th November 2003 (in Spanish/Hispanic, asking whether there might be a hacker in the writer's computer because he is surfing with http://proxy.guardster.com/ - which is meant to guarantee the surfer's privacy, but he found many ports were open and set out a listing of what appears to be the connection log).
Posted by: Cliff at January 9, 2004 04:12 PM
ok, I unchecked the certificate revocation, and rebooted, but at reboot, I ran active connections and noticed this address in my list:
a166-90-148-198.deploy.akamaitechnologies.com
hmm, wonder what that is
Posted by: nozebrain at January 10, 2004 05:36 AM
oh I also have updated TODAY my Norton AV 2003
Posted by: nozebrain at January 10, 2004 05:37 AM
crl.verisgn.com
I too began experiencing these symptoms with MS officeXP apps. The app attempts to access the net to go to 64.94.110.11 (crl.verisign.com) and NAV attempts to do the same thing. I tried the firewall block and it worked for a day. This morning, it tried to go 64.94.110.12, also crl.verisign. Whois shows that verisign has the range of IPs from 64.94.110.0 - 64.94.110.255, so I firewall blocked them. It seems to have worked but the OfficeXP apps still take forever to load, like they are waiting to go to verisign and check to see if it is ok to load.
I have also noticed that my system attempts to connect to IP 10.229.80.97 (IANA.ORG) after it attempts to connect to verisign.com.
Any more ideas why this is happening and how to remedy it would be welcomed.
Posted by: Sam B. at January 10, 2004 12:00 PM
same problem here as you all know.. but when right clicking it either tries connecting to crl.microsoft.com and/or crl.verisign.com
i blocked it with sygate personal firewall pro and then it takes up to 3 minutes for me to do anything - then it happens again..
i did the uncheck in ie and that works.. nav2003
my 2 cents...
Posted by: mr_min at January 10, 2004 03:45 PM
Refer to this url for the answer:
http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2004010810205113
Posted by: Alain at January 10, 2004 07:17 PM
recent update
I located the following at verisign.com and symantec.com about the recent crl.verisign.com problems
http://www.verisign.com/corporate/news/2004/pr_20040109.html?sl=070807
http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2004010810205113
Posted by: Sam B. at January 11, 2004 07:22 AM
Re the Verisign statement (http://www.verisign.com/corporate/news/2004/pr_20040109.html?sl=070807)
Very helpful. This also is helpful to give some idea of what is going on behind the innocent user's back. I am not keen on all sorts of different kinds of software in my computer (especially software that I have acquired otherwise than for internet purposes) going online behind my back without my knowledge or control. If I want bandits cyber crawling up my ports then that is my privilege, and whether I am too stupid to understand or not, but at least I should be given the choice of deciding.
What else is going on under cover of this surreptitious software subterfuge?
Posted by: Cliff at January 12, 2004 04:39 AM
Just one reason why I like ZoneAlarm. It not only can block incoming connections, but it notifies the user when an -out-bound connection is attempted. I use a LinkSys (hardware) Firewall, but that won't stop an app from phoning home. ZoneAlarm handles this quite nicely.
Posted by: Fred W at January 12, 2004 02:39 PM
RE: PHONING HOME
Thanks Fred W, but the problem is that Norton Internet Security does the same, reports on and can block the connection, but if I stop the particular unrelated software "'phoning home", as you term it, things happen like downloading of email is prevented also or access to unrelated web pages is also, and to get the email to download or to see the pages, you have to allow the connection. This applies to numerous mainstream software applications and not some junk software downloaded from the internet. Anyone know what is going on? Antivirus reports no nasties on the system.
Regards,
Posted by: Cliff at January 16, 2004 12:52 AM
Changed the settings in the ie as described. That helped: no requests to crl.verisign.com anymore. But my NAV is not willing to go into the Autoprotect-Mode anymore. Does anyone have a remedy for that? Thanks!
Posted by: axel at January 16, 2004 04:07 AM
ok just gonna throw in my 2 cents as well ..
I was never prompted with the outbound connection, but I just noticed the same problem today : a CONSTANT established connection to crl.verisign.com (12.158.80.10:80)
The strange thing is that I'm using norton firewall and the connection does not show when I view connection statistics with NIS. However, I ran 3dtraceroute's connection viewer and there it was .. twice! - one by a "system" process and one by SymProxySvc which is an NIS process. cute.
As suggested above, I went into browsers options security etc. unchecked certificate and rebooted. Voila. no more verisign.com connection from either process. So thanks for the tip.
but does anyone know why disabling certificate checking would stop the NIS process from connecting as well?
I read the above linked notice (http://www.verisign.com/corporate/news/2004/pr_20040109.html?sl=070807) but I'm still not clear on what the problem is (xp bug? norton bug? both?) .. or more specifically how to fix whatever the problem is.
ie How can I re-enable certificate verification while putting a stop to the constant connection that the two processes had been maintaining?
Any help would save at least 2 clumps of hair from being ripped out.
In the meantime I'll do some more diggin. If I do come up with anything valuable I'll post here.
Thanks,
Steve
Posted by: Steve Lionbird at January 16, 2004 04:11 AM
I too have had this problem. So I thought, if Norton's update caused the problem, wouldn't it be logical that if I were to uninstall Norton, then re-install it and redo the updates, shouldn't this fix the problem. So that's what I did and so far so good. I can run everything normally as before.
Hope this helps you all....
DG
Posted by: DG at January 16, 2004 09:58 AM
Sorry all.....uninstalling and reinstalling norton didn't work as I thought...my system started doing it again..... :(
DG
Posted by: CSTech2 at January 16, 2004 03:54 PM
Seems to me that a Certificate revocation list.. means that at any given time.. they can control what you can and cannot run on your computer. My suggestion.. block all attempts.
Posted by: Marticua at January 30, 2004 12:59 AM
This topic affects MSOffice products running in Terminal Server environment - office application is delayed up to 2 minutes (while application is trying to contact crl.microsoft.com).
Disabling certificate revocation solves the problem. Thanks all for an idea.
Registry patch (user environment) looks like:
-------------------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"CertificateRevocation"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing]
"State"=dword:00023e00
Posted by: Pavel at February 12, 2004 04:56 AM
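The two values in the registry patch above correspond to the two Internet Explorer checkboxes discussed in this thread, and a patch like this tends to outlive the incident it was written for. The following is an added example, not part of the original comment: it parses exported .reg text and reports whether each revocation check is on. The function names and the second sample are constructed; 0x200 is the WTPF_IGNOREREVOKATION flag from wintrust.h.

```python
import re

IE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PUB_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\WinTrust\Trust Providers\Software Publishing")
WTPF_IGNOREREVOKATION = 0x200  # set = publisher revocation check is skipped

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})$')

# The patch as posted in the comment above.
POSTED_PATCH = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"CertificateRevocation"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing]
"State"=dword:00023e00
"""

# Constructed sample with both checks left enabled.
CHECKS_ENABLED = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"CertificateRevocation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing]
"State"=dword:00023c00
"""


def parse_reg_dwords(reg_text):
    """Map (key, value name), both lower-cased, to the integer DWORD value."""
    values, key = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or .reg comment
        section = SECTION.match(line)
        if section:
            key = section.group("key").lower()
            continue
        dword = DWORD.match(line)
        if dword and key is not None:
            values[(key, dword.group("name").lower())] = int(dword.group("hex"), 16)
    return values


def revocation_posture(reg_text):
    """Return True/False per check, or None when the value is absent."""
    values = parse_reg_dwords(reg_text)
    server = values.get((IE_KEY.lower(), "certificaterevocation"))
    state = values.get((PUB_KEY.lower(), "state"))
    return {
        "server_check": None if server is None else server != 0,
        "publisher_check": (None if state is None
                            else not (state & WTPF_IGNOREREVOKATION)),
    }


if __name__ == "__main__":
    for label, text in (("posted patch", POSTED_PATCH),
                        ("checks enabled", CHECKS_ENABLED)):
        print(label, revocation_posture(text))
```
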
Ok kids, here's the low down.
crl.verisign.com is TRUSTABLE.
This site simply contains up-datable data about sites that've lost certificates. Really, try visiting the address. It will give you an automatic directory listing of the files. Norton (among many others) use this benchmark revocation list as an added feature for a lot of their products (namely their security packages - i.e. Norton Internet Security, System Works, Personal Firewall, etc..) Don't get me wrong, there have been issues with this site, but I'd recommend NOT blocking it - unless you want to unknowingly conduct business with unsecured commerce centers.
To answer the question about attempts to connect to the internet upon windows startup
This occurs because the Symantec (or otherwise) client attempts to connect to the revocation list upon startup when the program is loaded. Subsequently, if the client is set to load at startup - you'll be asked to connect to the internet so the program is able to retrieve this list.
Posted by: Dimentia_syndicate at February 17, 2004 11:51 PM
My computer also started trying to connect to crl.verisign.com when I boot. This started on jan 7 2004 one note my brothers computer does not.
His computer's antivirus said a critical update that was done in dec 2003 was a timed delayed trojan and did not allow it to install. It is the only computer of the 4 we have that does not try to connect to the internet on bootup. The update came from Microsoft's windows update page.
the history lists kb819696 and directx 9b as the critical updates that failed to install hope this helps someone
Posted by: Terry at February 18, 2004 07:00 PM
So I did netstat -a...whats this verisign established connection..!!
Here's how I stopped it.
Go to Nortons website and download the update for live update
ftp://ftp.symantec.com/public/english_us_canada/liveupdate/lusetup.exe
install the file reboot
no more crl.verisign.net
less paranoia (maybe ;-)
Posted by: fixed at March 17, 2004 01:58 AM
That solution is fine if one's running Norton. People like me who uninstalled Symantec's products are also seeing this crl.verisign.com pop-up. This just shows how many hidden traces Symantec leaves behind after an uninstall of their a-v or Systemworks products.
Posted by: robin at March 26, 2004 11:16 AM
im having this same problem, i just updated the setup, its april, and same prob... dang, BIG SLOW DOWN of my trial of NAV. this sucks...
Posted by: wolf at April 6, 2004 10:43 PM
by the way, maybe i didnt make my last post clear, im running win2002 pro and its needing to dialup at reboot almost everytime.. seems like a spy to me, i deal with spy's and virus every day as i remove them for a living right now.
Posted by: wolf at April 6, 2004 10:50 PM
Now my antivirus isnt coming up at startup anymore at all, and my computer is dumping memory and shittung down(haha good mispelling)during virus scan. i will mention that my firewall blocked an attack of a SbuSeven trojan back door attack, im thinking it got thru somehow..
Posted by: wolf at April 6, 2004 10:51 PM
I have the same problem. The ie options, advanced, security - uncheck first two. Fix works. Blocking it with zone-alarm also works. My problem not only occurs when I start-up shut-down. But when I click onna' "norton" anything. I don't think disabling the certificates is a very good idea. This problem started after the Jan-7th update. And I've tried everything. From uninstalling-reinstalling. Format partition-clean install everything. Zero write drive. (And everything again.) The problem seems to start with the last norton utilities update. (But everyone else might not have had the same experience) My question is: Why hasn't symantec or verisign fixed the problem? I've used norton for years; I would not like having to give them up because of this. Also should I delete or get rid of the offending program? (Norton AV according to process explorer) I've also had a packet sniffer on it. (I can't read em' so I've found nothing very suspicious) Is there a way of simply disconnecting the dialer from norton? Or will that just crash norton, cause it not to update or ?? (Also I start norton 2002 manually before logon) Thank-you for your patience. "Clay" PS I'll keep watching this thread. Thanks
Posted by: "Clay" at April 19, 2004 07:16 PM
I tried the recipe posted by Terry (above). It works for me. (So far) Thank you all. Thank-you for a wonderful site. "Clay"
Posted by: "Clay" at April 19, 2004 11:28 PM