Eraser 6.0.7.1893 tries to connect to RIPE NCC?

[sarag]

When I right-click a file and choose to erase it, Eraser tries to connect to an IP address that seems to resolve to the RIPE NCC in Amsterdam. My firewall software alerts me to this attempt. Thus far I have blocked it because I don't know why it is doing this. It seems unnecessary.

Why does Eraser try to connect to the Internet at all, when it is just being used? What is it trying to do on the Internet? How can I tell it not to do that?

Thank you.

 

[DavidHB]

I cant speak for the particular IP address, but Eraser uses Windows Root Certificates to validate its plugins. So, when validation is requested, and the requisite confirmation is not recorded on the computer, Windows (rather than Eraser itself) connects to the net to get the necessary validations.

Once the validation is in place, attempts to connect cease, and, as I said, Eraser itself does not connect at all.

David

 

[sarag]

My firewall software says the request to connect comes from Eraser.exe, not from some file that I'd consider part of Windows (i.e., supplied by Microsoft). The address to which it tries to connect is 213.222.193.191, over TCP to port 80.

This just seems odd and unexpected. If a Root Cert is missing, it would be interesting to know which one is being sought at that address. I'm used to apps that use Verisign and Thawte CAs, for example; this seems to be something else.

More info would be helpful. Thanks. -- Sara

 

[DavidHB]

My firewall software says the request to connect comes from Eraser.exe, not from some file that I'd consider part of Windows (i.e., supplied by Microsoft). The address to which it tries to connect is 213.222.193.191, over TCP to port 80.

I can't of course speak for the method your firewall uses to determine the source of the request. Joel will be able to confirm this, but I assume that Eraser is simply calling a normal Windows service. As you probably know, port 80 is the normal server 'listening' port, so there is nothing unusual in that.

If a Root Cert is missing, it would be interesting to know which one is being sought at that address. I'm used to apps that use Verisign and Thawte CAs, for example; this seems to be something else.

Eraser uses Certum; I think that the connection is for the purpose of validation. I suggest you search the forum on 'root certificates' to see what Joel has said on the subject, particularly on the need for code signing.

It is worth pointing out, that the use of Root Certificates is included in Eraser 6 as a security feature. The last thing any of us would want would be a program with Eraser's capabilities hosting a rogue plugin.

David

 

[Joel]

My firewall software says the request to connect comes from Eraser.exe, not from some file that I'd consider part of Windows (i.e., supplied by Microsoft). The address to which it tries to connect is 213.222.193.191, over TCP to port 80.

http://bbs.heidi.ie/viewtopic.php?f=2&t=6075. It seems that only Comodo complains of it. As far as the OS is concerned, Eraser is the one connected (as it is linking to a System DLL, but the connection comes from the address space of the Eraser process) but the connection etc are all done by the system library.

This just seems odd and unexpected. If a Root Cert is missing, it would be interesting to know which one is being sought at that address. I'm used to apps that use Verisign and Thawte CAs, for example; this seems to be something else.

More info would be helpful. Thanks. -- Sara

It's not that a Root Cert is missing. I believe it is connecting to the Certum server to obtain a Certificate Revocation List (CRL.) CRLs are lists which state the serial numbers of certificates which have been revoked from public access, i.e., a certificate recall. This can be due to a few reasons, such as a private key compromise, a superseded certificate, or some certificate holder turning out to be malicious. I'd leave it to connect on its own (of course, I don't use Comodo)