none
Security certificate revoked popup RRS feed

  • Question

  • I have a customer site with about a dozen PCs and on the same day they all started getting a popup when opening IE. The popup is labeled "Security Alert" and says "The security certificate for this site has been revoked. This site should not be trusted."

    I've scanned with Malwarebytes and with AVG business AV and nothing is found except for a few PUP registry entries. Sometimes after scanning the popups will stop for a while but they always come back.

    No popups are seen when using Firefox or Chrome and it doesn't matter who is logged into what PC, the result is always the same. IE has been reset more than once. CCleaner has been run more than once to clear out temp files and cache.

    The only common thing I can think of is that I believe the day before this started I deleted the Symantec Endpoint Protection Manager software from their domain controller. They had been migrated off of SEP for about a year and have used 2 different managed AV products since then. I have found no trace of SEP on a PC which is what I expect. It was just the manager software on the server (which has been disabled since SEP use was discontinued) which was left.

    Why uninstalling that would cause these security popups in IE on the PCs makes no sense and I have to believe it's just a coincidence.

    The only resolution I've found by searching is to disabled checking for certificate revocation in IE. But I'm not going to do that as I don't think that's a good practice and that setting has always been enabled on these PCs so I'm sure that is not the cause of these popups suddenly appearing.

    Does anyone have any idea what might cause this on a domain-wide scale?


    Jonathan

    Thursday, March 31, 2016 9:32 PM

All replies

  • Hi SmallBizAdmin,

    When you receive a certificate error, it means that although the certificate appears to be valid, the url matches that specified in the certificate and the certificate expiry date is valid, the certificate is not expired. But there was no valid CRL available to check the revocation status.

    Please check the link below about Dealing with Revoked Security Certificates

    http://www.brighthub.com/internet/security-privacy/articles/82291.aspx

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Also, if this certificate seems belong to removed internet security application, just remove it.

    Check event log to know the detailed information about certificate, and we may use certutil to uninstall.

    Hope it will be helpful to you.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, April 1, 2016 10:31 AM
    Moderator
  • Hi SmallBizAdmin,

    When you receive a certificate error, it means that although the certificate appears to be valid, the url matches that specified in the certificate and the certificate expiry date is valid, the certificate is not expired. But there was no valid CRL available to check the revocation status.

    Please check the link below about Dealing with Revoked Security Certificates

    http://www.brighthub.com/internet/security-privacy/articles/82291.aspx

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Also, if this certificate seems belong to removed internet security application, just remove it.

    Check event log to know the detailed information about certificate, and we may use certutil to uninstall.

    Hope it will be helpful to you.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thanks for the information. That link talks about secure websites which is not the case here. These people get these popups even when browsing to www.msn.com which many have as their home page. So when they open IE they immediately get the popup. They also get it at other non-secure websites. I have visited these websites on my PC and I don't get a popup so I know it really has nothing to do with the website itself but something on the PCs at the customer's location.

    I'm not sure I understand your statement of "Also, if this certificate seems belong to removed internet security application, just remove it. " Are you referring to Symantec Endpoint Manager? I'll look to see if there's a certificate for SEP on the PCs. And I'll look in those 3 event logs.


    Jonathan

    Friday, April 1, 2016 1:46 PM
  • Did you ever find a solution? I am having exact same problem in my environment but only affecting some users and only on some workstations. Same popup on non ssl pages. 
    Friday, October 14, 2016 5:45 PM
  • Did you ever find a solution? I am having exact same problem in my environment but only affecting some users and only on some workstations. Same popup on non ssl pages. 

    Never did find a solution.


    Jonathan

    Friday, October 14, 2016 7:07 PM
  • Thanks for your reply.  I can't find any other post other than yours that details the same error on specific non SSL pages. 
    Friday, October 14, 2016 7:13 PM
  • Global Sign Certificates?

    See this one:
    https://www.globalsign.com/en/status/

    October 2016

    Certificate Issues

    13th October 11:00am- present BST
    13th October 06:00am- present EST

    We are currently experiencing a known issue which is causing certificate revocation/error messages to be displayed within some of our certificates. We ask all customers to please read our communications on this and contact your sales rep for alternative solutions.

    Friday, October 14, 2016 10:56 PM
  • Monday Morning and the handful of affected machines are no longer getting this popup. Not sure why but glad it has gone away. 

    • Edited by iPaddy Monday, October 17, 2016 7:59 PM
    Friday, October 14, 2016 11:09 PM