Oh, it's probably the signature, then.

mIRC 7.22 (and possibly some other recent versions) is a cryptographically signed executable. This means if you right click mirc.exe in explorer and go to Digital Signatures, you will see the details of the digital signature. The important part to note is that all signatures work via SSL certificates provided by verisign, so this would be where Windows, not mIRC, would be updating the certificate lists in the OS. Calling $file($mircexe).sig probably wakes up this little bit of signature checking code that does the lookup.

You can confirm this hypothesis: try restarting mIRC and first testing that echoing that same line again pops up the connection in your firewall. Then, restart mIRC one last time and type in the same line minus the $file($mircexe).sig check. If it does not pop up, there's your culprit. Note that mIRC occasionally checks the validity of this signature at runtime, which is why it might seem random to you and might not have happened before. It would also explain how this check would activate even in the absence of SSL based IRC connections.

FYI, Microsoft explains what digital signatures are here: http://windows.microsoft.com/en-US/windows-vista/What-is-a-digital-signature

Either way, this is something you really should not be worrying about. Accessing the CRL is valid regardless of where the connection is coming from. I'd say you should open your firewall to allow outgoing connecting to that host, as other parts of your system might need it anyway.