TrendMicro certificates on every single device on my network

  • 1
  • Question
  • Updated 10 months ago
  • In Progress

I noticed that every single device on my network has Trend Micro certificates (Affirm Trust).
This includes all my computers, tablets and even Windows and Linux virtual machines.
They appear after I connect to the internet and do updates.

I do have Trend Micro installed on a single laptop but have since removed the mobile app from my phone and other devices a long time ago.

My phone still has these certs even though I erased all the partitions and flashed a custom recovery and OS.

When I create a new virtual machine (either Windows or Linux) these certificates appear after I run Windows update or apt-get upgrade.


What is odd is that I had to redo my sister's computer at my home and replaced her hard drive and reinstalled a fresh copy of Windows, and your certs appeared when I installed all Windows security updates, but when I was at my sister's house last night I checked her computer and there are no Affirm Trust certs installed any longer.

I'm assuming that these certs are installed on an individual basis depending upon the person's IP address and if they have (or had) an account with Trend Micro now or in the past?

I am just now learning about trust certificates, can you please explain why these certs are on devices that are not affiliated with your company?

Thank you for your time.

sloshnmosh1

Posted 11 months ago

TM_JustineM, Employee

Hello sloshnmosh1 and thank you for posting here in our community.

I understand how you feel about the situation. To further assist you, can you send us a screenshot of that particular certificate so that we can have a better idea if this is really caused by the Trend Micro program?

We will wait for your response together with the screenshots.

Thank you and have a great day!

Trend Micro Home Users Community

sloshnmosh1

Hmmm, odd request for "screenshots"  How 'bout the serial number:  77:77:06:27:26:A9:B1:7C

That serial number and cert reside on all devices.

sloshnmosh1

I have the same cert on my phone that has been flashed. I can take a screenshot of it as well but will have to extract it using ADB to publish it here.

sloshnmosh1

AffirmTrust lists that cert as just "Commercial" and lists a different cert and serial for TrendMicro... Is Windows cert manager just giving the cert in question the "friendly name" of TrendMicro?

Confusing.

sloshnmosh1

Hmmm, my phone that's been formatted/wiped contains all 4 of the root certificates on this site: http://www.trendmicro.com.hk/en-hk/enterprise/cloud-solutions/deep-security/ssl-certificates/index.h...

TM_JustineM, Employee

Hi sloshnmosh1,

The reason why I asked is to check if this was from our program. Upon further checking, the AffirmTrust certificate that you saw is for your devices to use as a guide in checking if the website is legitimate or not. Since you saw the serial number 77:77:06:27:26:A9:B1:7C, and it is also visible on the website that you provided, it means that our website is not fake and it cannot be easily hacked by people. This certificate on your computer is also being used to check the validity of the websites that you are visiting if it follows the same level of Secure Socket Layer.

For us to really explain all the details you may contact us on this link

You can visit these websites: https://www.affirmtrust.com/faq/ and https://www.affirmtrust.com/about-us/

Hope this helps.

Thank you and have a great day!

Trend Micro Home Users Community

sloshnmosh1

Huh? Now I'm really confused. I know that SSL/TLS certs are to verify websites, emails, timestamping etc. (they can also be used for nefarious purposes) but why are they on all my devices and were also on my sister's laptop until sometime after she had it at her house and now they no longer exist?

Obviously it would make sense for the device that has TrendMicro installed on it or if it was installed on a device that I logged into your website with but I just checked a Chromium browser on a VM that I never used to view the web with let alone your website and it has all four root certificates as well.

From reading AffirmTrust's website it is clear that TrendMicro was a signing authority much like Go Daddy and Let's Encrypt and this would make sense if these AffirmTrust certificates were on everybody's devices.

So I guess my main question is that because I have/had used TrendMicro now or in the past are these certificates now a part of MY digital fingerprint forever and will populate any device I own now and in the future?


iudex gundyr

Here's what I have for this topic.

I think you may have them installed when you visited a website or performed other tasks utilizing a Trend Micro certificate.

Here's what I did to validate my statement:

1. Have a clean Win10 VM then open certmgr.msc
2. In certmgr.msc check Trusted Root Certification Authorities > Certificates
3. Check if there is an AffirmTrust or Trend Micro certificate present - there should be none
4. Open Chrome then go to a website with a TrendMicro certificate - https://sso1.trendmicro.com/signin/module.php/myaccount/loginuserpass.php?AuthState=_c10bef91ea06073...
   Note: You should see a Secure icon on the browser
5. Go back to your certmgr then hit F5 (Refresh) and AffirmTrust/TrendMicro should be there

Additionally, in terms of validity of the certs: I see Trend Micro listed by Microsoft as a trusted certificate, and I've seen scenarios where they revoke a certificate if they see it being insecure. So this shouldn't give us worries in terms of our computer's security: https://social.technet.microsoft.com/wiki/contents/articles/50893.microsoft-trusted-root-certificate...

note: you can check the thumbprint of the certificate of what you have on your machine with here.

I'm no expert on this, but I hope this helps.

sloshnmosh1

Thanks for your input. I did not say that I did not trust the certificates, in fact they are of high quality. I did some rudimentary tests/verifications using Sysinternals "Sigcheck" tool and others as well as testing my web browsers over badssl: https://badssl.com/ 

My questions are more about if certs are assigned to a specific individual or IP address.

I have other certs that I have actual concerns with that appear on all my devices that I have to remove all their permissions such as "Startcom".

I am not accusing TrendMicro of anything nor do I distrust their certs, I only brought it up here because I am a member of this forum and knew I could get answers regarding certificates much faster here on this forum than anywhere else.

You may be correct in saying that I may have connected to TrendMicro's website with the virtual machine(s) to have the certs populate but I doubt it.

I will create a new, fresh VM and update it without browsing any sites and see if these certificates and the others populate and post my results.

sloshnmosh1

PS: Thank you for that link of Microsoft trusted certificates, I was looking for something like this last night. https://social.technet.microsoft.com/wiki/contents/articles/50893.microsoft-trusted-root-certificate...

sloshnmosh1

OK, so I created a new random virtual machine (Linux Mint 18.1) and let it install to virtual hard disk. The VM was connected to the internet through NAT while it installed.
After all the language packs etc. were installed and it rebooted from live disk to the working operating system on hard disk, I immediately went to /etc/ca-certificates.conf and all the AffirmTrust certs were already populated.
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
#
# This is autogenerated by dpkg-reconfigure ca-certificates.
# Certificates should be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
#
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
#
mozilla/AffirmTrust_Commercial.crt
mozilla/AffirmTrust_Networking.crt
mozilla/AffirmTrust_Premium.crt
mozilla/AffirmTrust_Premium_ECC.crt
------------------
(I edited out all the other certs for this post)
I never browsed the internet nor did I run apt-get upgrade.
Also, I might be mistaken but I could not find any of the Affirmtrust certificates in that Microsoft list the other user posted in this thread.
Here is a screenshot taken of the certs in the default Firefox browser of Linux Mint:
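
The /etc/ca-certificates.conf format quoted in the post above ("#" for comments, "!" for deselected files) can be audited with a short script. This is an added example, not part of the thread: it parses the file and separates entries under mozilla/, which the distribution's ca-certificates package ships from Mozilla's root store, from anything added under another directory. The StartCom and extra/ lines in the sample are constructed, and treating only mozilla/ as package-shipped is an assumption.

```python
import os
from collections import namedtuple

Entry = namedtuple("Entry", "path source selected")

# Constructed sample: the four AffirmTrust lines come from the post above;
# the StartCom and extra/ lines are made up to exercise the other cases.
SAMPLE_CONF = """\
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
#
mozilla/AffirmTrust_Commercial.crt
mozilla/AffirmTrust_Networking.crt
mozilla/AffirmTrust_Premium.crt
mozilla/AffirmTrust_Premium_ECC.crt
!mozilla/StartCom_Certification_Authority.crt
extra/Example_Inspection_CA.crt
"""

def parse_ca_conf(text):
    """Return one Entry per certificate line; '!' marks a deselected file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selected = not line.startswith("!")
        path = line.lstrip("!").strip()
        # First directory under /usr/share/ca-certificates, e.g. "mozilla".
        source = path.split("/", 1)[0] if "/" in path else ""
        entries.append(Entry(path, source, selected))
    return entries

def find(entries, needle):
    """Case-insensitive search by file name, e.g. 'affirmtrust'."""
    return [e for e in entries if needle.lower() in e.path.lower()]

def non_distro(entries, distro_dirs=("mozilla",)):
    """Trusted entries outside the package-shipped dirs (assumed: mozilla/)."""
    return [e for e in entries if e.selected and e.source not in distro_dirs]

if __name__ == "__main__":
    conf = "/etc/ca-certificates.conf"
    text = open(conf).read() if os.path.exists(conf) else SAMPLE_CONF
    entries = parse_ca_conf(text)
    for e in find(entries, "affirmtrust"):
        print("trusted " if e.selected else "disabled", e.source, e.path)
    for e in non_distro(entries):
        print("review: not from the distro bundle:", e.path)
```

Run on a freshly installed machine, the AffirmTrust entries show up as trusted with source mozilla, which ties them to the operating system's bundled root store rather than to any account or IP address.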

TM_Jabi

Hello sloshnmosh1,

Apologies for the delay in our responses. 

We are currently communicating with our developers to get their insight about this concern.

For now, can you tell us, are you using a network protection program/product of Trend Micro like the NAS Security Antivirus Software for TeraStation by Buffalo Technology? 

We will keep you posted about the information that we can get from our developers immediately. 

Trend Micro Home Users Community

sloshnmosh1

iudex gundyr, are you saying that when you yourself created a fresh VM none of the AffirmTrust certs appeared until you connected to the TrendMicro site?
If so then I am REALLY confused!

iudex gundyr

Microsoft list the other user posted in this thread. My questions are more about if certs are assigned to a specific individual or IP address.
> From what I know and based on my testing on Win10, it doesn't. As mentioned, you either visited a website or used a service/task which uses an AffirmTrust/TrendMicro certificate, and then the certificates got installed. That's the nature of how certificates are installed.

Certificates being pre-installed is also a possibility since these SSL services can be bought. This could depend on the platform but on my Win10, it was not.

Also, I might be mistaken but I could not find any of the Affirmtrust certificates in that Microsoft list the other user posted in this thread.
> You can check the thumbprint of the certificate and check on the MS certificate list. On my Win10, the AffirmTrust/TrendMicro had a thumbprint of f9b5b632455f... and it was there on the list. If you were referring to the certificates installed on your Linux, it might be different since we are looking at a list from MS.

are you saying that when you yourself created a fresh VM none of the Affirmtrust certs appeared until you connected to the TrendMicro site?
> Yes

Jade_j610

Have you tried reformatting the VMs without even connecting them to the network? We could check on that perspective to see if these certificates are there after a fresh install.