Locating application with embedded engine

5 posts, 0 answers
  1. Eric
    2 posts
    Member since: Nov 2012

    Posted 22 May 2014

    I'm working with the owner of the firm where I work to track down the source of "DO_NOT_TRUST_FiddlerRoot" certificates that keep accumulating in his Personal cert store. We've also identified the "DO_NOT_TRUST_FiddlerRoot" dummy CA cert in his "Trusted Root Certification Authorities" store. We've been able to confirm that he does not have the Fiddler application installed on this computer. We've also been unable to find any of the FiddlerCore DLLs on his hard drives, which leads me to believe that the FiddlerCore DLL has been merged into a stand-alone executable by using something like ILMerge.

    We have a general idea of when the dummy CA cert was created, so we're starting to look at applications (particularly applications in the system's Startup folders) which were installed right about that time. But the question for the forum: is there any quick or easy way to identify which applications may have the FiddlerCore engine embedded in them?

    Thanks in advance for any advice, suggestions!
  2. Eric Lawrence
    Admin
    833 posts

    Posted 22 May 2014

    Hello, Eric--

    Sorry to hear about this.

    Yes, if I had to guess, I'd guess that the user in question inadvertently installed a product called "Browser Safeguard" which is likely now bundled with a variety of other freeware applications as the primary Browser Safeguard installer is now blocked as "Unwanted software" by Microsoft's SmartScreen service and other security products. Browser Safeguard does indeed ILMerge a pre-Telerik version of FiddlerCore.dll into its primary assembly.

    I've asked our legal team to look into this subject.

    Thanks,
    Eric Lawrence
    Telerik

    Check out the Telerik Platform - the only platform that combines a rich set of UI tools with powerful cloud services to develop web, hybrid and native mobile apps.

  3. Eric Lawrence
    Admin
    833 posts

    Posted 22 May 2014

    Hi, Eric--

    I should also mention that, if the certs "keep accumulating" that implies that the tool in question is still active. Have a look at IE's Tools > Internet Options > Connections > LAN Settings to see if the proxy is set and if so, what port it's on. Then use NetStat -o or a similar command to see what process is listening on that port and you'll have found the culprit.

    Regards,
    Eric Lawrence
    Telerik
  4. Eric
    2 posts
    Member since: Nov 2012

    Posted 22 May 2014

    Hi Eric,

    Thank you for the suggestion. I've been using the demo application that comes with FiddlerCore to test the procedure you suggested, and it works like a charm! I need to write up some directions for my boss so he can perform those steps.

    Related question: some other testing I've performed suggests that if I were to just remove the "DO_NOT_TRUST_FiddlerRoot" dummy CA cert -- at least while the proxy is running -- from the cert store, further attempts to access sites via HTTPS will fail. That appears to be caused by the proxy wanting to generate a new site cert but no longer having the CA cert available to sign the site cert. Is that analysis correct, and would killing the proxy allow HTTPS to flow normally?
  5. Eric Lawrence
    Admin
    833 posts

    Posted 23 May 2014

    Hi, Eric--

    Resetting (clearing) the user's proxy settings is the best way to ensure you'll get traffic to flow; if you simply kill the proxy process or delete its certificates, the browser will likely attempt to continue to try to use the (partially or completely) broken proxy and the browser traffic will fail.

    You will want to kill the proxy process too though (to ensure that it can't either change the user's proxy settings and/or recreate the CA certificate, either of which it could technically do at any time).

    Regards,
    Eric Lawrence
    Telerik
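An added PowerShell example, not from this thread or from Telerik, that automates the checks Eric Lawrence describes in posts 3 and 5: read the current user's WinINET proxy setting, find the process listening on the proxy port, list the DO_NOT_TRUST_FiddlerRoot certificates, and clean up in the recommended order (proxy setting first, then the process, then the certs). It assumes Windows 8 / PowerShell 3 or later for Get-NetTCPConnection and the Cert: drive; on older systems use netstat -ano and the Certificates MMC snap-in instead, and the function names here are the example's own.

```powershell
# Added example: inspect the current user's WinINET proxy, find the listening
# process, list FiddlerRoot certificates, and clean up in the recommended order.
# Assumes Windows 8 / PowerShell 3 or later (Get-NetTCPConnection, Cert: drive).
$proxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$stores   = 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\Root'

function Get-ProxyListener {
    # Returns the port and owning process for each proxy entry, or nothing if no proxy is set.
    $s = Get-ItemProperty -Path $proxyKey
    if ($s.ProxyEnable -ne 1 -or -not $s.ProxyServer) { return }
    # ProxyServer is "host:port" or "http=host:port;https=host:port;..."
    foreach ($entry in ($s.ProxyServer -split ';')) {
        $port = [int](($entry -split '=')[-1] -split ':')[-1]
        # Same information as "netstat -ano", filtered to the proxy port
        Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
            ForEach-Object {
                $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                [pscustomobject]@{ Port = $port; PID = $_.OwningProcess; Name = $p.ProcessName; Path = $p.Path }
            }
    }
}

function Get-FiddlerRootCert {
    # Leaf certs issued by the dummy CA live in the Personal store; the CA itself in Trusted Root.
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like '*DO_NOT_TRUST_FiddlerRoot*' -or $_.Issuer -like '*DO_NOT_TRUST_FiddlerRoot*' } |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, Issuer, NotBefore, Thumbprint
    }
}

function Invoke-ProxyCleanup {
    # Order matters: clear the proxy setting first so browsers stop using the broken proxy,
    # then stop the process so it cannot re-enable the proxy or recreate the CA, then remove certs.
    param([int[]]$ProcessIds, [string[]]$Thumbprints)
    Set-ItemProperty -Path $proxyKey -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $proxyKey -Name ProxyServer -ErrorAction SilentlyContinue
    foreach ($id in $ProcessIds) { Stop-Process -Id $id -Force -ErrorAction SilentlyContinue }
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | Where-Object { $Thumbprints -contains $_.Thumbprint } | Remove-Item
    }
}

# Inspection only; run Invoke-ProxyCleanup with the values below once the process is confirmed.
$listeners = Get-ProxyListener
$certs     = Get-FiddlerRootCert
$listeners | Format-Table -AutoSize
$certs     | Format-Table -AutoSize
# Invoke-ProxyCleanup -ProcessIds ($listeners.PID | Select-Object -Unique) -Thumbprints $certs.Thumbprint
```

Removing a certificate from CurrentUser\Root triggers Windows's root-store confirmation dialog, so run the cleanup interactively in the affected user's session.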