ivan.perez, Posted September 19, 2019

Interactive mode: If you enter a new SSL protected site (with an unknown certificate), an action selection dialog is displayed. This mode allows you to create a list of SSL certificates / applications that will be excluded from scanning.

Interactive Mode for SSL/TLS policy brings up the action dialog box. This in turn lets the user select an action, then a UAC prompt comes up, but even after entering the admin credentials, the user kept getting the same exact dialog for the same program for the same certificate/exception, over and over... Because of this the user was unable to get into Outlook, Internet Explorer, Chrome; basically they could not do any work until I disabled the policy in the console. Could someone explain why the action was not sticking?
itman, Posted September 19, 2019

The normal and default mode for SSL/TLS protocol filtering is Automatic mode. The only reason Interactive mode should be used is if one wants to specifically create a web site certificate exception. For example, a web site where privacy considerations apply, like a healthcare provider.
ivan.perez (Author), Posted September 19, 2019

23 minutes ago, itman said: The normal and default mode for SSL/TLS protocol filtering is Automatic mode. The only reason Interactive mode should be used is if one wants to specifically create a web site certificate exception. For example, a web site where privacy considerations apply, like a healthcare provider.

But giving Interactive mode the exception still would not let the program presenting the cert open up; the same cert prompt would show. How can I troubleshoot this?
Marcos (Administrator), Posted September 20, 2019

In case of self-signed untrusted certificates ESET doesn't ask for an action and leaves the decision to the application (browser / email client) as though it was not filtering SSL. It is not clear to me for what purpose you'd like to use interactive SSL filtering mode; interactive mode (be it in fw, HIPS, etc.) cannot be used in an environment where settings are either password protected or configured via a policy, or where the user doesn't have administrator permissions to save settings.
ivan.perez (Author), Posted September 20, 2019

8 hours ago, Marcos said: In case of self-signed untrusted certificates ESET doesn't ask for an action and leaves the decision to the application (browser / email client) as though it was not filtering SSL. It is not clear to me for what purpose you'd like to use interactive SSL filtering mode; interactive mode (be it in fw, HIPS, etc.) cannot be used in an environment where settings are either password protected or configured via a policy, or where the user doesn't have administrator permissions to save settings.

Marcos, so let's leave the self-signed off the table then. I am simply testing features at this point and want to know why selecting "remember action for this certificate" and allow prompts bring up the same prompts constantly. I did punch in admin credentials after clicking allow. Below is an example; I did double check and the cert and application (even PID) were exactly the same when the prompt returned.
itman, Posted September 20, 2019

58 minutes ago, ivan.perez said: Below is an example; I did double check and the cert and application (even PID) were exactly the same when the prompt returned.

I really don't know what you are trying to do. This web site maintains a list of malicious domains used by uBlock's corresponding Malware Domains extension. I assume you are using uBlock with Firefox. Eset doesn't like this domain for some reason. I really believe it's a FP detection. Anyway, how I handle it to avoid getting Eset alerts is shown in the below screen shot. This will give me a popup alert that the connection occurred. Also I set it to log the activity. I can then check in uBlock that an update occurred for the extension at the same time.
Marcos (Administrator), Posted September 20, 2019

Maybe they've changed the certificate recently? I'm not getting a notice about an untrusted certificate:
itman, Posted September 20, 2019

3 hours ago, Marcos said: Maybe they've changed the certificate recently? I'm not getting a notice about an untrusted certificate:

This is far from a new issue. Here's a posting from 2018 in regards to the same domain: https://forum.eset.com/topic/14563-fixed-solution-certificate-pop-ups-an-application-on-this-computer-is-trying-to-communicate-over-a-channel-encrypted-with-an-untrusted-certificate/?do=findComment&comment=72949 . I became aware of it when I noticed that uBlock's Malware Domains extension database wasn't being updated. The workaround I posted above works for me. And again, I believe this is an Eset FP detection.
Marcos (Administrator), Posted September 20, 2019

I'm unable to reproduce it with or without uBlock. Please enable advanced protocol filtering logging in the advanced setup -> tools -> diagnostics, reproduce the detection of the untrusted certificate, then stop logging, collect logs with ESET Log Collector and upload the generated archive here.
itman, Posted September 20, 2019 (edited)

2 hours ago, Marcos said: I'm unable to reproduce it with or without uBlock.

The issue had nothing to do with an untrusted certificate in my instance. Eset Web Access protection was blocking the domain under blacklist criteria. And it was not easy to find out, as I recollect. I don't believe any alerts were being generated with default Web Access settings.

Edited September 20, 2019 by itman
ivan.perez (Author), Posted September 24, 2019

itman, I'm not sure what uBlock is. Is that an add-on?
Marcos (Administrator), Posted September 24, 2019

Yes, it's an ad blocker available as a browser add-on. Would you please provide step-by-step instructions for how you got the notification about the untrusted certificate? Are you able to reproduce it with any browser? Even with all add-ons disabled or uninstalled?
itman, Posted September 24, 2019 (edited)

1 hour ago, ivan.perez said: itman, I'm not sure what uBlock is. Is that an add-on?

The fact that you don't know what the extension is would be indicative that you haven't installed it in the browser you are using, I assume. My point is that Eset will silently block sub-domains of mirror.cedia.org.ec. The Malware Domains list hosted there finally updated yesterday in Firefox. Here is the specific sub-domain I had to exclude from Eset's web scanning:

Time;URL;Status;Application;User;IP address;SHA1
9/23/2019 6:20:47 PM;hxxps://mirror.cedia.org.ec/malwaredomains/justdomains;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX-XX\XXXXX;2800:68:0:bebe::3;C443C68B39CB7F9A524075015D74D1BCCA690DDF

-EDIT- To make things even weirder, I can manually download the above site list without a beep from Eset. So the issue must lie in how uBlock accesses this domain.

Edited September 24, 2019 by itman
ivan.perez (Author), Posted September 24, 2019

1 hour ago, Marcos said: Yes, it's an ad blocker available as a browser add-on. Would you please provide step-by-step instructions for how you got the notification about the untrusted certificate? Are you able to reproduce it with any browser? Even with all add-ons disabled or uninstalled?

Sure. I enabled SSL filtering and enabled Interactive mode, and then attempted opening Slack, Outlook and Google Chrome. All were asking for an action to take (ignore, allow). To be clear, the Firefox screenshot is just an example of what the prompt looked like and nothing else. I cannot replicate because leaving Interactive mode enabled, with the allow action not working, basically made my computer unusable. Apologies, but I cannot re-enable it until we figure it out.
Marcos (Administrator), Posted September 24, 2019

I've tried opening the above link and was able to download files from there; obviously the SSL communication was being filtered by ESET and no warning about an untrusted certificate popped up:
itman, Posted September 24, 2019 (edited)

3 hours ago, ivan.perez said: Sure. I enabled SSL filtering and enabled Interactive mode, and then attempted opening Slack, Outlook and Google Chrome. All were asking for an action to take (ignore, allow).

Hum ........ We might have a "can't see the forest because of the trees" situation here. If the Eset firewall is set to Interactive mode, you will receive an alert for every outbound connection being made for which no firewall rule for that connection exists. Specifically in regards to Firefox, this means if you connect to three web sites, for example, you have to create an allow rule for each IP address associated with each web site. Ditto for any other Internet-facing app you run.

On the other hand, you can just create an allow firewall rule for the app process alone, i.e. C:\Program Files\Mozilla Firefox\firefox.exe, and allow all outbound communication from that app. If you want a bit more control, you can specify that only remote ports 80 and 443 be used. The above will prevent any further Eset firewall alerts in regards to that process as long as all conditions for that rule are met. For example, if Firefox attempts to use a port other than 80 or 443 as given above, you will receive an alert for that activity.

As far as using Interactive mode for SSL/TLS protocol scanning is concerned, that mode should never be enabled unless you wish to create a specific exception for a given web site. For normal usage, always keep SSL/TLS protocol scanning mode set to its default Automatic mode. Web site certificate exclusions should also be kept to a minimum. This feature was never intended to be used for en masse web site certificate exclusions.

Edited September 24, 2019 by itman
ivan.perez (Author), Posted September 24, 2019

30 minutes ago, itman said: Hum ........ We might have a "can't see the forest because of the trees" situation here. If the Eset firewall is set to Interactive mode, you will receive an alert for every outbound connection being made for which no firewall rule for that connection exists. Specifically in regards to Firefox, this means if you connect to three web sites, for example, you have to create an allow rule for each IP address associated with each web site. Ditto for any other Internet-facing app you run. On the other hand, you can just create an allow firewall rule for the app process alone, i.e. C:\Program Files\Mozilla Firefox\firefox.exe, and allow all outbound communication from that app. If you want a bit more control, you can specify that only remote ports 80 and 443 be used. The above will prevent any further Eset firewall alerts in regards to that process as long as all conditions for that rule are met. For example, if Firefox attempts to use a port other than 80 or 443 as given above, you will receive an alert for that activity. As far as using Interactive mode for SSL/TLS protocol scanning is concerned, that mode should never be enabled unless you wish to create a specific exception for a given web site. For normal usage, always keep SSL/TLS protocol scanning mode set to its default Automatic mode. Web site certificate exclusions should also be kept to a minimum. This feature was never intended to be used for en masse web site certificate exclusions.

itman, thank you for that, but that is not the issue I'm describing. My issue is: when prompted, why isn't the allow button allowing the connection? I understand I can just dump a ton of whitelist entries in and make exceptions. That was always clear; I just want to know why, when I hit allow, I am getting the same prompt. FYI, Firefox is not what I need help with. The actual notification and prompt not working is the issue here.
itman, Posted September 24, 2019 (edited)

I just discovered one major issue. SSL/TLS protocol scanning Policy mode doesn't work. Refer to the below screen shot. I added a certificate exception for mirror.cedia.org.ec. I then switched from Interactive mode to Policy mode. I then re-accessed the web site and Eset is still scanning the site.

-EDIT- On the other hand, I know from testing that the certificate exclusion does work in SSL/TLS protocol scanning Automatic mode.

Edited September 24, 2019 by itman
itman, Posted September 24, 2019 (edited)

1 hour ago, ivan.perez said: I understand I can just dump a ton of whitelist entries in and make exceptions. That was always clear; I just want to know why, when I hit allow, I am getting the same prompt.

Possibly due to the behavior I observed in Firefox with SSL/TLS protocol scanning Interactive mode active. I was getting the below screen shot alert "up the wazoo" prior to finally arriving at the desired web site after repeatedly hitting the scan button. Firefox implemented DNS over HTTPS in the latest release. I have been using the option for a while. It appears Eset's Interactive mode can't handle it. My advice again is to only switch to SSL/TLS protocol scanning Interactive mode when creating the web site certificate exception. Then immediately switch back to Automatic mode, since Policy mode is busted.

Edited September 24, 2019 by itman
itman, Posted September 25, 2019 (edited)

Since this thread is about Eset SSL/TLS protocol scanning modes, I think it is time to clarify exactly what these modes are supposed to do and what their current status is in regards to later Eset releases. First, per Eset online help, a definition of what the modes are supposed to do:

SSL/TLS protocol filtering mode is available in the following options:

Automatic mode: Default mode will only scan appropriate applications such as web browsers and email clients. You can override it by selecting applications for which their communications will be scanned.

Interactive mode: If you enter a new SSL protected site (with an unknown certificate), an action selection dialog is displayed. This mode allows you to create a list of SSL certificates / applications that will be excluded from scanning.

Policy mode: Select this option to scan all SSL protected communications except communications protected by certificates excluded from checking. If a new communication using an unknown, signed certificate is established, you will not be notified and the communication will automatically be filtered. When you access a server with an untrusted certificate that is marked as trusted (it is on the trusted certificates list), communication to the server is allowed and the content of the communication channel is filtered.

It is fairly obvious that Policy mode is supposed to scan all app outbound Internet traffic and Automatic mode only select web-facing apps such as browsers and e-mail clients. The problem is that is not what is happening. Automatic mode is scanning every app that attempts any outbound communication. This can be verified, assuming Automatic mode has been used for a while, by viewing the "List of SSL/TLS filtered applications". Mine currently shows every app and system process that has performed Internet outbound communication.

Whereas I personally have no problems with all this outbound communication scanning given the current state of malware, it appears that Policy mode is no longer needed. Add to that, it appears that Policy mode doesn't work properly, at least as far as certificate exclusion goes. And I suspect more problems exist with Policy mode. It appears to me that possibly, internally, Eset is processing Automatic mode as if it were Policy mode and vice versa.

Edited September 25, 2019 by itman