False-positive 'malicious' flags on Sectigo-operated critical PKI services

There have been reports of some Sectigo URLs

  • crl.sectigo.com
  • crt.sectigo.com
  • ocsp.sectigo.com
  • or the same hostnames under trust-provider.com

being flagged by anti-malware and anti-virus providers as 'malicious' or 'dangerous' URLs. They are not, and these reports are false positives.

The three hostnames above belong to three Sectigo-operated critical services for PKI. CRL and OCSP are revocation protocols: clients and browsers contact these services to determine whether a certificate has been revoked. crt.sectigo.com simply hosts certificate files so that clients can complete certificate chains when verifying certificates.

None of these services are in any way dangerous or malicious.

The reports arise from a specific type of certificate offered by CAs such as Sectigo. Code-signing certificates allow software to be digitally signed to prove who created it and to protect the integrity of the software package. The certificates that Sectigo provides for this purpose contain URLs pointing to the services above so that the certificate can be validated and its revocation status checked.

Unfortunately, legitimately issued code-signing certificates are sometimes stolen or otherwise used to sign malicious software. AV and anti-malware companies detect that software, as they should, but the URLs embedded in the certificate used to sign it are then incorrectly 'flagged' as malicious and treated as part of the malware. That is a mistake: the URLs are ordinary PKI infrastructure that appears in every certificate issued by that CA, signed malware included.
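The following is an added example, not code from Sectigo or from this article, showing how an analyst can separate a certificate's own CRL, CA Issuers and OCSP URLs from the indicators a scanner attaches to a signed sample. It parses an excerpt in the style of `openssl x509 -noout -text` output; the excerpt, the CRL/certificate file names, the flagged-URL list and the names `extract_pki_urls`, `triage_flagged_urls` and `PKI_INFRASTRUCTURE_HOSTS` are all constructed for this example. The hostnames themselves are the ones the article lists.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt in the style of `openssl x509 -noout -text` output for a
# code-signing certificate. The hostnames are the Sectigo service names from
# the article; the .crl/.crt file names are placeholders, not real ones.
SAMPLE_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                Code Signing
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl.sectigo.com/EXAMPLE-CODE-SIGNING-CA.crl
            Authority Information Access: 
                CA Issuers - URI:http://crt.sectigo.com/EXAMPLE-CODE-SIGNING-CA.crt
                OCSP - URI:http://ocsp.sectigo.com
"""

# Constructed list of URLs a scanner might attach to a signed sample:
# the three PKI URLs from the certificate plus one unrelated placeholder.
SAMPLE_FLAGGED_URLS = [
    "http://crl.sectigo.com/EXAMPLE-CODE-SIGNING-CA.crl",
    "http://ocsp.sectigo.com",
    "http://crt.sectigo.com/EXAMPLE-CODE-SIGNING-CA.crt",
    "http://example.invalid/download",
]

# Hostnames the article identifies as Sectigo-operated PKI infrastructure.
PKI_INFRASTRUCTURE_HOSTS = {
    "crl.sectigo.com", "crt.sectigo.com", "ocsp.sectigo.com",
    "crl.trust-provider.com", "crt.trust-provider.com", "ocsp.trust-provider.com",
}

# Matches "URI:...", "CA Issuers - URI:..." and "OCSP - URI:..." lines.
_URI_RE = re.compile(r"^(?:(CA Issuers|OCSP) - )?URI:(\S+)$")


def extract_pki_urls(cert_text):
    """Return {url: role} for the revocation and chain-building URLs in the text.

    role is 'crl' for URLs under the CRL Distribution Points extension and
    'ca_issuers' or 'ocsp' for the two Authority Information Access kinds.
    Indentation is used to know when an extension's section has ended.
    """
    urls = {}
    section, section_indent = None, 0
    for line in cert_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip())
        if section is not None and indent <= section_indent:
            section = None  # back at extension-header level: section is over
        if stripped.startswith("X509v3 CRL Distribution Points"):
            section, section_indent = "crl", indent
            continue
        if stripped.startswith("Authority Information Access"):
            section, section_indent = "aia", indent
            continue
        if section is None:
            continue
        m = _URI_RE.match(stripped)
        if not m:
            continue
        kind, url = m.group(1), m.group(2)
        if section == "crl" and kind is None:
            urls[url] = "crl"
        elif section == "aia" and kind == "CA Issuers":
            urls[url] = "ca_issuers"
        elif section == "aia" and kind == "OCSP":
            urls[url] = "ocsp"
    return urls


def triage_flagged_urls(flagged_urls, cert_text):
    """Split scanner-flagged URLs into (infrastructure, unexplained).

    A URL is infrastructure if the signing certificate itself declares it, or
    if its host is a known CA revocation/chain service. Those URLs explain
    themselves and should not be promoted to indicators; the rest still need
    a look.
    """
    pki_urls = extract_pki_urls(cert_text)
    infrastructure, unexplained = [], []
    for url in flagged_urls:
        host = (urlparse(url).hostname or "").lower()
        if url in pki_urls or host in PKI_INFRASTRUCTURE_HOSTS:
            infrastructure.append(url)
        else:
            unexplained.append(url)
    return infrastructure, unexplained


if __name__ == "__main__":
    infra, rest = triage_flagged_urls(SAMPLE_FLAGGED_URLS, SAMPLE_CERT_TEXT)
    print("declared by certificate / CA infrastructure:", infra)
    print("still unexplained:", rest)
```

The check keys on both the URLs the certificate declares and the known service hostnames, so a flagged CRL or OCSP URL from a certificate that was merely stolen is recognised even when the analyst only has the scanner report and not the certificate text.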

We work with the providers of anti-malware and AV services to remedy these false positives, but that process can take some time even once we are made aware of them.

For any additional questions or concerns, please contact Sectigo Technical Support for more information.