Jump to content

Attempt to add root cert. Failed


Recommended Posts

Also and unless Eset change this option in regards to this:

16 minutes ago, itman said:

In this instance, you can disable Eset SSL/TLS scanning for the app by setting the app status in "List of SSL/TLS filtered applications" Scan Action to "Ignore."

You have to manually store the web site the certificate as shown below, or do as @Marcos posted and set SSL/TLS filtering to Interactive mode and have Eset auto create the web site certificate:

Eset_Ignore.thumb.png.8670bce1221447922bf2dcc269b217c7.png

Link to comment
Share on other sites

8 hours ago, Marcos said:

In order to investigate the issue, please provide:

- Logs collected with ESET Log Collector when the error occurs
- A Procmon log from time when you disable and re-enable SSL filtering after a reboot. Stop logging when an error importing the root certificate pops up.

Whats a Procmon log?

Link to comment
Share on other sites

10 hours ago, Marcos said:

In order to investigate the issue, please provide:

- Logs collected with ESET Log Collector when the error occurs
- A Procmon log from time when you disable and re-enable SSL filtering after a reboot. Stop logging when an error importing the root certificate pops up.

As requested:  Also removed and reinstalled ESET - no change.  2 events occurred at 11:46:24

procmon.zip eis_logs.zip

Link to comment
Share on other sites

It appears to me this "AN ATTEMPT TO ADD THE ROOT CERTIFICATE TO ALL KNOWN BROWSERS FAILED" message is being generated when Eset can't access Chrome's or FireFox's certificate store to verify that the Eset certificate is installed. As has been noted, the Eset certificate actually exists in these browsers and yet the Eset log event keeps recurring. This activity would be indicative of some type of permissions issue in regards to Eset accessing either Chrome or FireFox internally. Is Chrome's or FireFox's sandbox feature enabled by anyone having this issue?

Edited by itman
Link to comment
Share on other sites

49 minutes ago, itman said:

It appears to me this "AN ATTEMPT TO ADD THE ROOT CERTIFICATE TO ALL KNOWN BROWSERS FAILED" message is being generated when Eset can't access Chrome's or FireFox's certificate store to verify that the Eset certificate is installed. As has been noted, the Eset certificate actually exists in these browsers and yet the Eset log event keeps recurring. This activity would be indicative of some type of permissions issue in regards to Eset accessing either Chrome or FireFox internally. Is Chrome's or FireFox's sandbox feature enabled by anyone having this issue?

When Eset was installed here on Windows 10 Chrome was the release version with a standard installation. Firefox was the beta version as well as a nightly release both with the standard installation. I do not remember enabling any sandbox option in either browser. Both browsers are of course still installed here but Eset remains uninstalled for now. Is there no way of Eset indicating which browser it has cert installation issues with?

With me I am always testing/trying new browsers and currently have 3 versions of Edge (Win10 native plus 2 Chromium pre releases) along with Chrome, Brave beta  and Firefox plus Windows10 IE.

Edited by pcguy
Link to comment
Share on other sites

2 hours ago, justme12 said:

As requested:  Also removed and reinstalled ESET - no change.  2 events occurred at 11:46:24

procmon.zipUnavailable eis_logs.zipUnavailable

OK thanks for that info. Was debating on whether to retry the reinstall to see if it fixes the issue but it apparently does not. Are you using any additional security software like Malwarebytes Pro like I am on Windows10 Pro?

Edited by pcguy
Link to comment
Share on other sites

No, just ESET and OSARMOR  of which I had no notifications and also uninstalled. I am using  64 bit FFox, Chrome, Brave ( no beta) Edge and Edge Dev. Win Pro 10. Funny thing is I have an MS Surface Pro tablet with the same setup and NO problem with ESET!!!!!

As a last resort, I may do this weekend a clean install of Win 10.

ESET can be complicated with advanced settings, but one should not have to go to this juncture to have the program function.

If this fails, seriously reconsidering another suite. 

Link to comment
Share on other sites

As I said in a prior post I wonder how many other systems that logs are being filled with these types of errors and the computer owners have no idea that its occurring? I just happen to stumble across it yesterday. I had been using Windows 10 without Eset on multiple systems with Windows10 and I am now wondering if the reason why its been happening for 2 months here which was the only one with Eset was because that was when Eset was installed in Windows10.

I have been using Eset for years and had recommended it to clients and friends in the past. Going to have to touch base with some users to see if in fact this is a wide spread issue.

Edited by pcguy
Link to comment
Share on other sites

To begin with, I have never had FireFox installed on any Win 10 build on my PC. It currently has x(64) 1809 installed. As such, I have no old and possibly borked Firefox files and registry entries from prior versions of it, etc..

To get to the bottom of this current FireFox baloney in regards to EIS 12.1.34, I went to the Firefox web site and downloaded and installed it. I believe the current ver. is 66. I then opened FireFox and checked what certificates were stored in its Authorities certificate store. Eset's root CA certificate was not there as expected.

I then rebooted the PC to try to simulate the behavior posted in this thread; namely if  "AN ATTEMPT TO ADD THE ROOT CERTIFICATE TO ALL KNOWN BROWSERS FAILED"  alert/log entry would manifest. It did not.

I then again checked what certificates were stored in its Authorities certificate store. Eset's root CA certificate was there as expected: 

Eset_Firefox.thumb.png.9d9f6fe19f81b31dc7c9f9dceeb04392.png

Finally, I rebooted again to see if I could see if Eset would created the  "AN ATTEMPT TO ADD THE ROOT CERTIFICATE TO ALL KNOWN BROWSERS FAILED"  alert/log entry. It did not.

All this leads me to believe that whatever is causing this behavior on user's PC's has nothing directly to do with the Eset installation but rather, some misconfiguration issued with their current Firefox installation.

I would advise uninstalling Firefox, clearing out all past remnants of it on your OS installation, and rebooting. Then install the current version of Firefox from the Mozilla web site and repeating the installation steps I posted above. As far as running development or beta versions of Firefox concurrently with Eset, you do so at your own peril; just like if you were running a pre-release ver. of Win 10. 

Edited by itman
Link to comment
Share on other sites

59 minutes ago, justme12 said:

No, just ESET and OSARMOR  of which I had no notifications and also uninstalled. I

Be careful of OSArmor. Its kernel mode driver has had past issues with Eset; namely the HIPS but new protentional conflicts could be with AMS and the new deep behavioral inspection protection. Also, OSArmor doesn't always uninstall cleanly and completely. This plus the fact the software is developed and maintained by a small developer has lead me to the believe it is not needed with Eset. I do use some its "living of the land" protections in equivalent Eset user HIPS rules. 

Link to comment
Share on other sites

1 hour ago, itman said:

To begin with, I have never had FireFox installed on any Win 10 build on my PC. It currently has x(64) 1809 installed. As such, I have no old and possibly borked Firefox files and registry entries from prior versions of it, etc..

To get to the bottom of this current FireFox baloney in regards to EIS 12.1.34, I went to the Firefox web site and downloaded and installed it. I believe the current ver. is 66. I then opened FireFox and checked what certificates were stored in its Authorities certificate store. Eset's root CA certificate was not there as expected.

I then rebooted the PC to try to simulate the behavior posted in this thread; namely if  "AN ATTEMPT TO ADD THE ROOT CERTIFICATE TO ALL KNOWN BROWSERS FAILED"  alert/log entry would manifest. It did not.

I then again checked what certificates were stored in its Authorities certificate store. Eset's root CA certificate was there as expected: 

 

All this leads me to believe that whatever is causing this behavior on user's PC's has nothing directly to do with the Eset installation but rather, some misconfiguration issued with their current Firefox installation.

I would advise uninstalling Firefox, clearing out all past remnants of it on your OS installation, and rebooting. Then install the current version of Firefox from the Mozilla web site and repeating the installation steps I posted above. As far as running development or beta versions of Firefox concurrently with Eset, you do so at your own peril; just like if you were running a pre-release ver. of Win 10. 

First this installation of Windows 10 and in turn all of the applications in my case is less than 5 months old. 

Second how was it determined that in fact this is due to Firefox browser and not another browser. As I mentioned elsewhere in this thread every browser I could check (except for MS Edge) appears to have the appropriate cert installed in the browser's Authorities certificate store. In the case of Firefox I even resorted to importing the cert with no effect on the error.

As I write this I have not yet decided what my next step is regarding Eset as it is still uninstalled. If I uninstall Firefox beta and uninstall Firefox nightly, install Eset antivirus are you saying that this error is no longer going to occur?

Edited by pcguy
Link to comment
Share on other sites

32 minutes ago, pcguy said:

As I mentioned elsewhere in this thread every browser I could check (except for MS Edge) appears to have the appropriate cert installed in the browser's Authorities certificate store.

Both IE11 and Edge use the Windows root CA certificate. I have no idea what this new Edge Chromium based browser uses, but expect the same for that.

34 minutes ago, pcguy said:

If I uninstall Firefox beta and uninstall Firefox nightly, install Eset antivirus are you saying that this error is no longer going to occur?

If you're referring to FireFox nightly as the current ver. downloaded from the Mozilla web site, that is the version to install. You would first have to remove all traces of existing FireFox versions installed prior to this. No need to uninstall Eset; at least at this point.

As far as full SSL/TLS scanning support for browsers other than IE11, Edge, Chrome, and Firefox, I am unsure. I would think it would at most mirror the scanning currently performed for non-browser processes. For example, I would imagine that Eset would not be able to inject its root CA certificate into those browsers associated root CA certificate store if so deployed. If one was using the Pale Moon browser for example and it did not use the Windows root CA certificate store, I assume Eset would ignore it as far as trying to create its own root CA certificate in Pale Moon. However, having a like non-supported Eset browser installed might be one reason for Eset's  "AN ATTEMPT TO ADD THE ROOT CERTIFICATE TO ALL KNOWN BROWSERS FAILED"  alert/log entry.

Link to comment
Share on other sites

2 hours ago, itman said:

To begin with, I have never had FireFox installed on any Win 10 build on my PC. It currently has x(64) 1809 installed. As such, I have no old and possibly borked Firefox files and registry entries from prior versions of it, etc..

To get to the bottom of this current FireFox baloney in regards to EIS 12.1.34, I went to the Firefox web site and downloaded and installed it. I believe the current ver. is 66. I then opened FireFox and checked what certificates were stored in its Authorities certificate store. Eset's root CA certificate was not there as expected.

I then rebooted the PC to try to simulate the behavior posted in this thread; namely if  "AN ATTEMPT TO ADD THE ROOT CERTIFICATE TO ALL KNOWN BROWSERS FAILED"  alert/log entry would manifest. It did not.

I then again checked what certificates were stored in its Authorities certificate store. Eset's root CA certificate was there as expected: 

Eset_Firefox.thumb.png.9d9f6fe19f81b31dc7c9f9dceeb04392.png

Finally, I rebooted again to see if I could see if Eset would created the  "AN ATTEMPT TO ADD THE ROOT CERTIFICATE TO ALL KNOWN BROWSERS FAILED"  alert/log entry. It did not.

All this leads me to believe that whatever is causing this behavior on user's PC's has nothing directly to do with the Eset installation but rather, some misconfiguration issued with their current Firefox installation.

I would advise uninstalling Firefox, clearing out all past remnants of it on your OS installation, and rebooting. Then install the current version of Firefox from the Mozilla web site and repeating the installation steps I posted above. As far as running development or beta versions of Firefox concurrently with Eset, you do so at your own peril; just like if you were running a pre-release ver. of Win 10. 

Looks like your idea worked!  Uninstalled all ov FireFox with Revo Uninstaller Pro. Rebooted several times and nothing in event log. Reinstalled FF and noted the certificate was not there - rebooted. Certificate now loaded. Nothing in event log.

Disabled and enabled SSL filter with reboots. Still event log not containing the topics error.

*** Now what concerns me. Is there a simple way notifying of the event?  How often do people view their logs if they view at all. 

Link to comment
Share on other sites

12 minutes ago, justme12 said:

*** Now what concerns me. Is there a simple way notifying of the event?  How often do people view their logs if they view at all. 

Exactly why I am wondering how many other Eset users logs are full of this error and they have no clue that this is happening. 

it is too bad that Eset is also generating such a generic error message without identifying the browser it is having an issue with. It would help reduce the countless hours of hunting blindly. It is not uncommon these days with Windows 10 to have multiple browsers installed.

Why did you resort to uninstalling  Firefox using a Pro version of Revo. Have you attempted to uninstall Firefox using the normal means in Windows10 via the control panel? What version of Firefox did you have installed by the way?

Edited by pcguy
Link to comment
Share on other sites

22 minutes ago, justme12 said:

*** Now what concerns me. Is there a simple way notifying of the event?  How often do people view their logs if they view at all. 

BTW - which Eset Event Log was full of these entries; no one ever mentioned that? Also a posting of the actual event log entries would have been helpful.

Link to comment
Share on other sites

23 minutes ago, itman said:

BTW - which Eset Event Log was full of these entries; no one ever mentioned that? Also a posting of the actual event log entries would have been helpful.

I had 2 months of log entries which repeatedly showed the same error message along with the updates to virus definitions but that was it in the logs. I had no clue to notification whatsoever that this issue even existed.

I just stumbled across the issue because I went to the Eset logs looking for information to rely to someone about a Pup alert for a website. Only then did I discover approximately 1700 entries a vast majority of them being these alerts about Attempt to add root cert. Failing. Only other entries in the log was the regular definition updates.

Link to comment
Share on other sites

 
 
 
2
19 hours ago, Marcos said:

In order to investigate the issue, please provide:

- Logs collected with ESET Log Collector when the error occurs
- A Procmon log from time when you disable and re-enable SSL filtering after a reboot. Stop logging when an error importing the root certificate pops up.

NOD32 was still uninstalled.

I uninstalled Firefox Nightly and Firefox Beta via WIndows 10 Remove Apps option in Control center. I then rebooted

I then installed Eset 12.1.34 and rebooted. Right off the bat the error regarding cert error showed up in the log files even before I was able to disable TLS.

I disabled TLS rebooted. I started Procmon up and captured the events and then enabled TLS and like clockwork, the log showed the same CERT error. This all happened without any Firefox browser installed in WIndows10.

I can not attach the logfiles here due to the size of the Procmon files. I have uploaded them elsewhere and can provide a link.

Link to comment
Share on other sites

Zip the Procman files and they will be small enough to attach if you want to send to ESET tech.

I had the same results as you yesterday when I removed FFox.  HOWEVER: today I downloaded Revo uninstaller Pro and removed way more FF reg values than the normal uninstall of FF accomplishes.  THAT seems to have done the trick. I have no more events.

Though I don't see why one has to go through this whole process.  ESET should install regardless and if there is an issue give notice. Must say, I have lost considerable confidence in the software as from a TLS issue that may have left one vulnerable and never knowing unless looking at the logs and then google researching what they mean. 

Link to comment
Share on other sites

4 minutes ago, justme12 said:

Zip the Procman files and they will be small enough to attach if you want to send to ESET tech.

I had the same results as you yesterday when I removed FFox.  HOWEVER: today I downloaded Revo uninstaller Pro and removed way more FF reg values than the normal uninstall of FF accomplishes.  THAT seems to have done the trick. I have no more events.

Though I don't see why one has to go through this whole process.  ESET should install regardless and if there is an issue give notice. Must say, I have lost considerable confidence in the software as from a TLS issue that may have left one vulnerable and never knowing unless looking at the logs and then google researching what they mean. 

Oh ok thanks for that tidbit. Will indeed try the Revo Uninstaller Pro use with Firefox still uninstalled and sigh again redo the log collection yet again if the issue still occurs after the cleaning with Revo.

 

Link to comment
Share on other sites

Just remember, uninstall FF using Revo PRO in Advanced mode deleting all.  Reboot and install FF and you will see NO Eset Cert.

Reboot and check FF and the cert should now be there. Now check your event log.

Link to comment
Share on other sites

Quick thought.  If as you say your going to try REVO with FF uninstalled, I don't know if it would catch any remaining values.

You may have to reinstall FF and THEN use REVO  for a complete clean.

Link to comment
Share on other sites

I am about to give up on Eset.  Since using the normal uninstall of firefox beta and nightly rebooting and installing NOD32 proved to not solve the problem I reinstalled FF beta and then used Revo Uninstaller Pro to delete all traces of firefox from registry and Win10. I ensured that TLS was disabled. Rebooted started up procmon and sure enough, as soon as I re-enabled TLS the error occurred at 10:12 PM.  

I currently do not have the strength nor desire to install Firefox Nightly reinstall uninstall and test today so I am attaching the Procmon and ESET log gather files

NOD32CertError.zip eav_logs.zip

Link to comment
Share on other sites

  • Administrators

@Justme12: In your case the problem is most likely a non-existing Comodo profile folder C:\Users\psavi\AppData\Roaming\Comodo\CSS\User Data-firefox1 which is, however, referenced in C:\Users\psavi\AppData\Roaming\Mozilla\Firefox\profiles.ini.

Please back up profiles.ini and with Firefox closed remove the section belonging to the non-existing profile.

Link to comment
Share on other sites

12 minutes ago, Marcos said:

@Justme12: In your case the problem is most likely a non-existing Comodo profile folder C:\Users\psavi\AppData\Roaming\Comodo\CSS\User Data-firefox1 which is, however, referenced in C:\Users\psavi\AppData\Roaming\Mozilla\Firefox\profiles.ini.

Please back up profiles.ini and with Firefox closed remove the section belonging to the non-existing profile.

Thank you Marcos.  See my previous post. Looks like Revo uninstaller removed the folder content you mentioned.

All is fine now.

"

I had the same results as you yesterday when I removed FFox.  HOWEVER: today I downloaded Revo uninstaller Pro and removed way more FF reg values than the normal uninstall of FF accomplishes.  THAT seems to have done the trick. I have no more events.

Though I don't see why one has to go through this whole process.  ESET should install regardless and if there is an issue give notice. Must say, I have lost considerable confidence in the software as from a TLS issue that may have left one vulnerable and never knowing unless looking at the logs and then google researching what they mean. "

  •  
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...