Diagnosing ESET Untrusted Certificate on specific Site and Computer?

[high_tide1 1]

Hello. I recently had a repeat of a problem I first posted on these forums a little under two months ago, where ESET blocked an untrusted certificate on a specific site and machine. Now, I know why the certificate is untrusted (due to having expires around the beginning of August), but I'm still unsure why the problem only occurs on a laptop I own, and no other machine.

     I've tested the issue across multiple different machines, but despite all having the same browser and ESET settings, only my laptop has the untrusted certificate. In addition, antivirus and aware scans come up with nothing, and the warning in question appears only on a single site, so the problem doesn't appear to be caused by malware or a browser hijacker. The issue is the same as last time, with the certificate being for sync#madnet#ru by madnetex#com, but it doesn't make sense for me why, with the problem being the sane, it would just dissappear for a month and show up again. If anyone could help me with this, I would be grateful, as every time the warning shows I get a little more nervous. Thank you.

[cyberhash 188]

It's really down to the site's owners to sort the certificates. As you mentioned the screenshot below shows the certificate for the main url expired over 3 months ago ( 21st July 2017) , and the reason why you are being alerted to it. It's part of the checks that your ESET product is doing to ensure that the site is genuine.

Are you sure that SSL/TLS settings are enabled(and on default settings) on your other computers that don't show the warning ?? 

 

[Marcos 5,070]

If you are not warned about expired certificate by ESET (e.g. because SSL/TLS filtering is disabled), you should be warned by the browser.

[itman 1,659]

16 hours ago, high_tide1 said:

only my laptop has the untrusted certificate.

Check your laptop browser for an expired Trusted Publisher cert. related to :

Quote

certificate being for sync#madnet#ru by madnetex#com

If one exists, move it to Untrusted Publishers CA store. Ditto for any like Intermediate Certs. since those are download by the web site server.

Edited November 7, 2017 by itman

[high_tide1 1]

Itman, could you possibly clarify on that? I'm a little confused. Why would I need to go through my laptop's stored certificates and do cleaning? Isn't the issue here that the certificate presented isn't valid, and not that a local one is expired? Also, aren't some expired certificates needed for backwards compatibility?

[itman 1,659]

21 hours ago, high_tide1 said:

Itman, could you possibly clarify on that? I'm a little confused.

Before I comment further, do this.

Since the laptop is the device noting an untrusted cert., temporarily disable Eset's SSL protocol scanning feature. Then go the web site with the untrusted cert.? Does your browser alert you about the untrusted cert.? Re- enable Eset's SSL protocol scanning.

Post back on your findings.

[high_tide1 1]

Just to make sure, but doing this won't present a risk to my computer, correct? If Chrome doesnt catch the untrusted certificate, could something happen to my laptop?

[itman 1,659]

I tested the web site using IE11. Overriding Eset's cert. warnings, IE itself through an alert on the cert..

At this point, the only thing I can say is there has to be something amiss with the way your other devices are configured. I assume the laptop is using a Wi-Fi connection. Are the other devices all configured to use an Ethernet connection?

[high_tide1 1]

I followed your advice on the previous post. After disabling SSL filtering, Chrome displays no warning. Viewing the develop console, I can see a couple blocked connections, but none of them are what I reported earlier. After re-enabling SSL filtering, I get no warning, so I don't know what is happening. My lapop is configured to use an Ethernet connection, while my other devices use WiFi.

[high_tide1 1]

What do you mean by "Overriding Eset's cert. warnings, IE itself through an alert on the cert.." though? I can't make sense of that sentence.

[itman 1,659]

12 minutes ago, high_tide1 said:

My lapop is configured to use an Ethernet connection, while my other devices use WiFi.

Now that is interesting. At this point, it appears your router's Wi-Fi connection is hacked assuming your other devices are using the router's Wi-Fi connection and not a public one?

[itman 1,659]

1 minute ago, high_tide1 said:

What do you mean by "Overriding Eset's cert. warnings, IE itself through an alert on the cert.." though? I can't make sense of that sentence.

I allowed the web site connection when Eset alerted about a cert. issue.

[high_tide1 1]

Well, I'm definitely hoping that's not the problem. My desktop is in a completely different state (I'm at school currently), so I don't think both WiFi connections would be hacked. The issue is also that it only happens some times, as there was a month or so between when it recently occurred and when it last occurred.

[high_tide1 1]

Also, if the router was hacked, wouldn't this occur on every website, and not only one in particular?

[itman 1,659]

Now I am getting confused. Let's stick with the devices you are currently using. You are using the laptop at school. That is connected to the school's network via Ethernet. There is no problem with the laptop as far as this cert. issue. Is all this correct as I stated?

[high_tide1 1]

With the laptop, it was previously reporting on an expired certificate whenever I visited reddit or any subdomains. After disabling the SSL filtering and visiting the site again, I get no warning from ESET or the browser. After re-enabling ESET, I get no warning, which is weird as it was previously warning me.

[itman 1,659]

22 minutes ago, high_tide1 said:

With the laptop, it was previously reporting on an expired certificate whenever I visited reddit or any subdomains. After disabling the SSL filtering and visiting the site again, I get no warning from ESET or the browser. After re-enabling ESET, I get no warning, which is weird as it was previously warning me.

No really weird. Website certs. expire, etc.. When the cert. is renewed or the issue resolved, no more alerts.

Also Eset's SSL protocol scanning is not used for every web site. Eset uses an internal whitelist and sites on that list are not scanned. I just checked reddit.com. It is now whitelisted; might not have been so in the past. You can check this whitelist status by clicking on the browser "lock" symbol. If the cert. shown is not Eset's own root CA cert., then a root CA authority cert. such as Digicert will be shown.

I will note this. There is something weird going on with reddit.com. I went to a few minutes ago and Eset's root CA cert. was not shown; Digicert's was. I just went to the site again and Eset's root CA cert. was shown?

Ok. Went to reddit.com three times and Digicert cert. was shown each time. Was probably a browser "hiccup."

Edited November 9, 2017 by itman

[itman 1,659]

Upgraded to ver. 11.0.149 today. Went to reddit.com multiple times later and the DigiCert root CA cert was shown each time. So it is also possible there was and issue with 11.0.144 in regards to SSL protocol scanning.

[Dontlikeit 0]

Even you've disable SSL/TLS on ESET, the warning is still appear..

There's a way to disable this completely.

1. through your browser, if you using firefox, go to about:config > change "security.enterprise_roots.enabled" value to : true (default : false)

2. Delete your ESET Root Certificate: [windows+r] or run >  type mmc.exe > on [File tab] > click [add/remove snap in] > new window will open > find [certificate] > then click [add > ] new window will open, click [finish] > then will return to previous window, click [ok]

Under certificate - current user, you will find a couple folder, such as "Trusted root certification authorities" and "Third-party root certification authorities" you will find a "certificates" folder inside both of them, click it. if you see "ESET" just delete it.

 

Before you restart, try to browsing like normally, if the warning is still appear, then restart your PC, as my recall it doesn't need to restart your PC.

 

[itman 1,659]

2 hours ago, Dontlikeit said:

Under certificate - current user, you will find a couple folder, such as "Trusted root certification authorities" and "Third-party root certification authorities" you will find a "certificates" folder inside both of them, click it. if you see "ESET" just delete it.

I have never seen Eset's root CA cert. stored in Windows third party root CA store. This might have been your issue. Possible either Chrome or Firefox placed it there. I use neither so can't personally verify if this is the case.

2 hours ago, Dontlikeit said:

1. through your browser, if you using firefox, go to about:config > change "security.enterprise_roots.enabled" value to : true (default : false)

Have no idea what this does. Appears this enables checking of the Windows Enterprise Trust CA store for corp. created certs.. IE doesn't even references that CA store. If IE used it, it would only apply to the Intranet zone.

[Dontlikeit 0]

1 hour ago, itman said:

I have never seen Eset's root CA cert. stored in Windows third party root CA store. This might have been your issue. Possible either Chrome or Firefox placed it there. I use neither so can't personally verify if this is the case.

Just to make sure he didn't miss anything. I forgot which one the exact folder..