Increased Number of "SSL connection with invalid certificate detected" Events


Solved by Schulte

Hi all,

I've been getting an increase in these events as of late (including three times in a row nearly back-to-back a few days ago) and the object names all include footprintdns.com.

I get these at seemingly random times and not only when surfing the web.  As you can see in the event details included below, the application name is sometimes SearchApp.exe (which shows as Windows OS when the Kaspersky pop-up appears) while others are chrome.exe. 

Kaspersky advised me to clear cookies and cache which I've done...but the issue persists.  I'm on Windows 10 Pro.

I'd like to understand why I'm getting these.  Of course, I want to learn in general, but no one seems to really know the exact purpose of these domains.  It's been stated that it pertains to Microsoft DNS tracking, while it's also been said that it may be related to the Outlook desktop client.

I did find an informative link here:

https://josh.st/2018/07/12/footprint-dns/

Is it worth blocking the atmrum.net domain (and related subdomains) as referenced at the above link to reduce these events or will this negatively impact the OS functionality somehow?

Either way, does anyone know why one would suddenly start getting so many of these and what they mean?  I spent some time learning about and have a general understanding of the event type itself...but I don't fully understand it.  I also don't know why they would be so frequent all of a sudden.

Lastly, is the safest course of action to "ignore and remember"?  I've read conflicting views on this as well.  It doesn't seem wise to add to exclusions.

Can anyone with some more knowledge perhaps help explain this?  I've spent a fair amount of time on this but am hoping for some clarification.

As mentioned, some example events are below.

Any thoughts would be sincerely appreciated!

 

Event: SSL connection with invalid certificate detected
User type: Not defined
Application name: SearchApp.exe
Application path: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy
Component: Safe Browsing
Result description: Blocked
Object name: tring.clo.footprintdns.com
Reason: Invalid certificate name. The name is not included in the list of allowed names or is explicitly excluded from it.

 

Event: SSL connection with invalid certificate detected
User type: Not defined
Application name: SearchApp.exe
Application path: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy
Component: Safe Browsing
Result description: Blocked
Object name: moiafdaws.clo.footprintdns.com
Reason: Invalid certificate name. The name is not included in the list of allowed names or is explicitly excluded from it.

 

Event: SSL connection with invalid certificate detected
User type: Not defined
Application name: chrome.exe
Application path: C:\Program Files\Google\Chrome\Application
Component: Safe Browsing
Result description: Blocked
Object name: dnsfootprint.com
Reason: Invalid certificate name. The name is not included in the list of allowed names or is explicitly excluded from it.


8 minutes ago, Berny said:

Thank you for sharing that link as it was definitely worth revisiting.

Why do they all pertain to footprintdns all of a sudden, though?  What exactly is that domain doing anyway?  If it's related to Microsoft DNS tracking, it doesn't make sense to me that such a behemoth would allow invalid certificates for all these related domains.  It seems suspect to me and I was initially worried that I had been hacked or something due to the frequency.

I didn't change any settings. 

Is it worth trying to block the domains via firewall or otherwise or might that impact OS functionality?


@always_working

Please see the Qualys SSL Labs report → dnsfootprint.com

Certificate name mismatch
We were able to retrieve a certificate for this site, but the domain names listed in it do not match the domain name you requested us to inspect. It's possible that:

  • The web site does not use SSL, but shares an IP address with some other site that does.
  • The web site no longer exists, yet the domain name still points to the old IP address, where some other site is now hosted.
  • The web site uses a content delivery network (CDN) that does not support SSL.
  • The domain name is an alias for a web site whose main name is different, but the alias was not included in the certificate by mistake.

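The "Invalid certificate name" reason in the events above and the Qualys "certificate name mismatch" finding come from the same check: the requested host name is compared against the DNS names listed in the certificate. The following is an added example (not Kaspersky's or Qualys's code) of that comparison in Python; the SAN list is constructed for illustration and is not what the real footprintdns.com certificate contains.

```python
"""Hostname-vs-certificate matching, the check behind the "Invalid certificate
name" reason in the events above (added example, not Kaspersky's code).
The SAN list below is constructed for illustration; it is not what the
real footprintdns.com certificate contains."""


def label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; '*' may only stand for a whole label."""
    return pattern == "*" or pattern == label


def name_matches(cert_name: str, host: str) -> bool:
    """RFC 6125 style: case-insensitive, wildcard only in the left-most label,
    a wildcard never spans a dot and never matches a bare public suffix."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False          # '*' matches exactly one label, not several
    if "*" in cert_labels[1:]:
        return False          # wildcard allowed only in the first label
    if cert_labels[0] == "*" and len(cert_labels) < 3:
        return False          # refuse '*.com'-style wildcards
    return all(label_matches(p, l) for p, l in zip(cert_labels, host_labels))


def check_san(host: str, san_dns_names: list[str]) -> tuple[bool, str]:
    """Return (ok, reason) the way a TLS inspector would report it."""
    for name in san_dns_names:
        if name_matches(name, host):
            return True, f"matched SAN entry {name}"
    return False, ("Invalid certificate name. The name is not included in "
                   "the list of allowed names or is explicitly excluded from it.")


# Constructed certificate: SAN only covers the apex and one wildcard level,
# so a second-level host such as tring.clo.footprintdns.com is not covered.
CONSTRUCTED_SAN = ["footprintdns.com", "*.footprintdns.com"]


def demo() -> dict[str, bool]:
    results = {}
    for host in ["footprintdns.com", "tring.clo.footprintdns.com",
                 "www.footprintdns.com", "dnsfootprint.com"]:
        ok, reason = check_san(host, CONSTRUCTED_SAN)
        results[host] = ok
        print(f"{host:32} {'OK' if ok else 'BLOCKED'}  ({reason})")
    return results


if __name__ == "__main__":
    demo()
```

A single-level wildcard does not cover hosts two labels deep, which is one ordinary way a name mismatch like the one in the events arises without any attacker being involved.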

1 hour ago, Berny said:

Thanks again for your continued knowledge and assistance.  The other two domains in the events above, though, do show active servers.  This also doesn't tell me why I'm getting these related events repeatedly and what it means.

SearchApp.exe is on all Windows Operating Systems, as I understand it, and I don't see such events with these related object names on my other two computers...and I don't like not knowing why it's happening all of a sudden or what it's doing when I didn't change any settings. 


  • Solution

Hello @always_working,

The domain seems to belong to Microsoft. It has kept popping up in various forums for years, and no one really knows what it is used for. Requests to the domain seem to be more often related to Office 365.
Many users have blocked the domain, either by hosts file or by firewall. It does not seem to have any negative consequences.

I can only assume that with the last Windows update a change was made without adjusting the certificate.
A request to Microsoft support could possibly bring clarification, but they rarely answer such questions.


16 minutes ago, Schulte said:

Thanks for your reply!

I don't have Office 365 but I do have the newest Outlook client.  Perhaps that's it since it's just on the one computer.

The latest update would also make sense.  In fact, now that you mention it, I did get one of those pop-ups when clicking on "Update" to ensure I had the latest one.  I found that odd at the time.

Any thoughts as to the best way to block the domain and related subdomains using Kaspersky Premium?  The link above suggests blocking the atmrum.net domain (and related subdomains).
