SonicWALL: "Fraudulent Microsoft Certificate Blocked" (Symantec) 1

[ErrolHolt]

Has anyone found a solution for the dozens of "Fraudulent Microsoft Certificate Blocked" alerts that are hitting our firewalls (SonicWALL).

These alerts are triggered by Symantec / Norton AntiVirus updates and they began firing around the 9th of January, 2004.

The source addresses of these alerts consist of the following four (4) addresses:

12.158.80.10 crl.verisign.com
64.94.110.11 crl.verisign.com
64.94.110.12 SPAMMERSAREBAD.EUQINOM.COM
198.49.161.200 crl.verisign.com

I am aware of the following notice from VeriSign but I do not understand why these alerts still continue to trigger when thick clients periodically run their scheduled Symantec / Norton AntiVirus updates:

VeriSign Update on Certificate Revocation List Expiration

http://www.verisign.com/corporate/news/2004/pr_20040109...

Any ideas?

Thanks in advance!

Errol

 

[RadioActiveLamb]

I get the same thing here. In addition to this "alert", we are also getting a "Possible Port Scan - Source:12.158.80.10, 80". I don't know what's causing it, but I cannot bring-up the NAV console on this particular computer. We're running NSW 2003 on it.


Jeff Lamb

 

[rfryklund]

I am also getting the Fraudulent Microsoft Certificate as well as port scans from 12.158.80.10 and 64.94.110.11. I have an open service request with sonicwall and will let you know of any updates

 

[BobLubold]

I am having the same issue. Anyone figure this out yet?

 

[ErrolHolt]

Not me (we are still getting these alerts).

All we have determined thus far is that they are triggered
by Symantec / Norton AntiVirus LiveUpdate activity on nodes
protected by the SonicWALL.

 

[Kennlong]

Which model SonicWall firewalls are having this issue?

kenn l

 

[RadioActiveLamb]

Sonicwall PRO/VX with 6.4.2.0 firmware. We're not using the 6.5.0.4 firmware since we've found an incompatibility with one of our services.

Jeff Lamb

 

[scountry]

We are getting these as well. Currently we run an older Sonicwall Pro/200.

Scott Countryman

 

[pdperry]

Even the latest firmwear doesn't handle it. It's nice that the sonciwall (soho3) stops them, but it would be nicer to make it go away!

 

[netranger363]

I am using SonicOS Standard 2.0.0.0 (SOHO TZW) and get the same alerts. Does anyone know if this malicious or just a bug with Symantec?

 

[ErrolHolt]

Fraudulent Microsoft Certificate Blocked" alerts are still plaguing our SonicWALL units by the hundreds.

Has anyone found a solution for these notices?

We know that these alerts are triggered by Symantec / Norton AntiVirus updates and that they began firing around the 9th of January, 2004.

The source addresses of these alerts consist of the following four (4) addresses:

12.158.80.10 crl.verisign.com
64.94.110.11 crl.verisign.com
64.94.110.12 SPAMMERSAREBAD.EUQINOM.COM
198.49.161.200 crl.verisign.com

I am aware of the following notices from VeriSign but I do not understand why these alerts would still trigger when any of the thick clients periodically run their scheduled Symantec / Norton AntiVirus updates:

VeriSign Update on Certificate Revocation List Expiration

http://www.verisign.com/support/pr-crl.html

http://www.verisign.com/corporate/news/2004/pr_20040109.html

http://www.verisign.com/corporate/news/2004/pr_20040112.html

http://www.verisign.com/repository/crl.html

Any ideas?

Thanks in advance!

Errol

 

[ReggieD]

I'm seeing the same blocked messages in my SonicWall Pro 200, but the message appears to be coming from MS-Word 2002 (Office XP?). I do not have any Norton/Symantec software running. We are seeing on more than one workstation at this time and are trying to track down a solution.

 

[Cytrine]

I have been getting these same messages for months everytime I open Outlook on the machine that I have configured to receive alerts. The messages are logged from various PC's throughout my network, but always come from the same addresses that are listed in this thread. I have a SonicWall Pro 200, and I opened a ticket with Sonicwall to try to get to the bottom of why these error's are occurring.

Sonicwall support has been great in the past, but in this matter they really stunk. First they told me to download beta firmware to solve the problem, which completely made my firewall unoperable, causing me hours of downtime because I could not reload without resetting the device. They sent the firmware to Layer3 engineering support to determine the problem, and then wrote back to me several weeks later that the new firmware would never be made available for the Pro model. It is however available to some of the other models, so if it is available for the model that any of you have, I would try it to see if it solves your problem.

Anyway, the final fix that they sent to me was to download and install the new intermediate certificates from Verisign to solve the problem. Unfortunately, it did not solve the problm on any of my machines. I wish I had some idea of what was really causing the problem so that I could fix it and get rid of the 100's of messages that I am receiving.

It would seem to me that SonicWall is well aware of this issue, but they don't really seem all that concerned. I just purchased this years support for my SonicWall, and at this time, I am wondering why I bothered!

I will keep checking back here to see if anyone ever finds a solution to this issue.