Policy issue with interactive mode in SSL TLS settings


ivan.perez


Interactive mode

If you enter a new SSL protected site (with an unknown certificate), an action selection dialog is displayed. This mode allows you to create a list of SSL certificates / applications that will be excluded from scanning.

 

Interactive Mode for SSL/TLS policy brings up the action dialog box. This in turn lets the user select an action, then a UAC prompt comes up, but even after entering the admin credentials, the user kept getting the same exact dialog for the same program for the same certificate/exception, over and over...

Because of this the user was unable to get into Outlook, Internet Explorer, Chrome; basically they could not do any work until I disabled the policy in the console.

Could someone explain why the action was not sticking?


The normal and default mode for SSL/TLS protocol filtering is Automatic mode. The only reason Interactive mode should be used is if one wants to specifically create a web site certificate exception, for example, a web site where privacy considerations apply like a healthcare provider.


23 minutes ago, itman said:

The normal and default mode for SSL/TLS protocol filtering is Automatic mode. The only reason Interactive mode should be used is if one wants to specifically create a web site certificate exception, for example, a web site where privacy considerations apply like a healthcare provider.

But giving Interactive mode the exception still would not let the program presenting the cert open up; the same cert prompt would show. How can I troubleshoot this?


  • Administrators

In case of self-signed untrusted certificates ESET doesn't ask for an action and leaves the decision to the application (browser / email client) as though it was not filtering SSL.

It is not clear to me for what purpose you'd like to use interactive SSL filtering mode; interactive mode (be it in the firewall, HIPS, etc.) cannot be used in an environment where settings are either password protected or configured via a policy, or where the user doesn't have administrator permissions to save settings.


8 hours ago, Marcos said:

In case of self-signed untrusted certificates ESET doesn't ask for an action and leaves the decision to the application (browser / email client) as though it was not filtering SSL.

It is not clear to me for what purpose you'd like to use interactive SSL filtering mode; interactive mode (be it in the firewall, HIPS, etc.) cannot be used in an environment where settings are either password protected or configured via a policy, or where the user doesn't have administrator permissions to save settings.

Marcos, so let's leave the self signed off the table then.

I am simply testing features at this point and want to know why selecting "remember action for this certificate" and Allow brings up the same prompts constantly. I did punch in admin credentials after clicking Allow.

Below is an example. I did double-check, and the cert and application (even PID) were exactly the same when the prompt returned.


[screenshot: ESET certificate warning prompt]


58 minutes ago, ivan.perez said:

below is an example,  I did double check and the cert and application (even PID) were exactly the same when the prompt returned.

I really don't know what you are trying to do. This web site maintains a list of malicious domains used by uBlock's corresponding Malware Domains extension. I assume you are using uBlock with Firefox.

Eset doesn't like this domain for some reason. I really believe it's a FP detection. Anyway, how I handle it to avoid getting Eset alerts is shown in the below screen shot. This will give me a popup alert that the connection occurred. Also I set it to log the activity. I can then check in uBlock that an update occurred for the extension at the same time.

[screenshot: Eset_uBlock.png]


3 hours ago, Marcos said:

Maybe they've changed the certificate recently? I'm not getting a notice about untrusted certificate:

This is far from a new issue. Here's a posting from 2018 in regards to the same domain: https://forum.eset.com/topic/14563-fixed-solution-certificate-pop-ups-an-application-on-this-computer-is-trying-to-communicate-over-a-channel-encrypted-with-an-untrusted-certificate/?do=findComment&comment=72949 .

I became aware of it when I noticed that uBlock's Malware Domains extension database wasn't being updated. The workaround I posted above works for me. And again, I believe this is an Eset FP detection.


  • Administrators

I'm unable to reproduce it with or without uBlock. Please enable advanced protocol filtering logging in the advanced setup -> tools -> diagnostics, reproduce the detection of untrusted certificate, then stop logging, collect logs with ESET Log Collector and upload the generated archive here.


2 hours ago, Marcos said:

I'm unable to reproduce it with or without uBlock.

The issue had nothing to do with an untrusted certificate in my instance. Eset Web Access protection was blocking the domain under blacklist criteria. And it was not easy to find out as I recollect. Don't believe any alerts were being generated with default Web Access settings.

 

Edited by itman

  • Administrators

Yes, it's an ad blocker available as a browser add-on.

Would you please provide step-by-step instructions how you got the notification about untrusted certificate?

Are you able to reproduce it with any browser? Even with all add-ons disabled or uninstalled?


1 hour ago, ivan.perez said:

itman, I'm not sure what uBlock is. Is that an add-on?

The fact that you don't know what the extension is would indicate that you haven't installed it in the browser you are using, I assume.

My point is that Eset will silently block sub-domains of mirror.cedia.org.ec. The Malware Domains list hosted there finally updated yesterday in Firefox. Here is the specific sub-domain I had to exclude from Eset's web scanning:

Time;URL;Status;Application;User;IP address;SHA1
9/23/2019 6:20:47 PM;hxxps://mirror.cedia.org.ec/malwaredomains/justdomains;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX-XX\XXXXX;2800:68:0:bebe::3;C443C68B39CB7F9A524075015D74D1BCCA690DDF

-EDIT- To make things even weirder, I can manually download the above site list w/o a beep from Eset. So the issue must lie in how uBlock accesses this domain.

Edited by itman
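As an added example for this thread (not ESET code and not something posted in the thread), here is a parser for the semicolon-separated "Filtered websites" export format quoted above. Only the column layout (Time;URL;Status;Application;User;IP address;SHA1) and the mirror.cedia.org.ec host are taken from the quoted line; the sample export in the code is constructed, and its user name, the updates.example.net host and the SHA1 values are placeholders. The parser re-fangs hxxp(s) URLs, parses the 12-hour timestamps, rejects malformed rows, and summarizes which hosts were Blocked and by which executable, which is the check worth doing before adding a URL exclusion.

```python
"""Parse an ESET Web Access protection "Filtered websites" log export.

Added example for this thread, not ESET code. Only the column layout
(Time;URL;Status;Application;User;IP address;SHA1) is taken from the log line
quoted in the thread; the sample export below is constructed and its hashes,
user name and the updates.example.net host are placeholders.
"""
from __future__ import annotations

import csv
import io
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

HEADER = "Time;URL;Status;Application;User;IP address;SHA1"
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"   # 12-hour clock, as in the quoted line

# Constructed sample (not real ESET output). Record 1 mirrors the shape of the
# line quoted in the thread; the SHA1 values are placeholders.
SAMPLE_EXPORT = (
    "Time;URL;Status;Application;User;IP address;SHA1\n"
    "9/23/2019 6:20:47 PM;hxxps://mirror.cedia.org.ec/malwaredomains/justdomains;Allowed;"
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe;WORKSTATION\\alice;2800:68:0:bebe::3;"
    "0000000000000000000000000000000000000001\n"
    "9/23/2019 6:21:02 PM;hxxps://mirror.cedia.org.ec/malwaredomains/domains.txt;Blocked;"
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe;WORKSTATION\\alice;2800:68:0:bebe::3;"
    "0000000000000000000000000000000000000001\n"
    "9/23/2019 6:25:10 PM;hxxp://updates.example.net/list.txt;Blocked;"
    "C:\\Program Files\\Slack\\slack.exe;WORKSTATION\\alice;203.0.113.7;"
    "0000000000000000000000000000000000000002\n"
)

_DEFANGED_SCHEME = re.compile(r"^hxxp(s?)://", re.IGNORECASE)


@dataclass(frozen=True)
class FilteredSite:
    time: datetime
    url: str            # re-fanged (hxxps:// -> https://)
    host: str
    status: str         # "Allowed" or "Blocked"
    application: str
    user: str
    ip: str
    sha1: str


def refang(url: str) -> str:
    """Undo hxxp/hxxps defanging on the scheme only; the rest of the URL is untouched."""
    return _DEFANGED_SCHEME.sub(lambda m: f"http{m.group(1).lower()}://", url)


def parse_export(text: str) -> list[FilteredSite]:
    """Parse the export; raises ValueError on a wrong header or a malformed row."""
    reader = csv.reader(io.StringIO(text), delimiter=";")
    header = next(reader, None)
    if header != HEADER.split(";"):
        raise ValueError(f"unexpected header: {header!r}")
    records: list[FilteredSite] = []
    for lineno, row in enumerate(reader, start=2):
        if not row:
            continue                      # tolerate trailing blank lines
        if len(row) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(row)}")
        time_s, url, status, app, user, ip, sha1 = (f.strip() for f in row)
        if status not in ("Allowed", "Blocked"):
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        url = refang(url)
        records.append(FilteredSite(
            time=datetime.strptime(time_s, TIME_FORMAT),
            url=url,
            host=(urlsplit(url).hostname or "").lower(),
            status=status,
            application=app,
            user=user,
            ip=ip,
            sha1=sha1.lower(),
        ))
    return records


def blocked_hosts(records: list[FilteredSite]) -> list[tuple[str, int]]:
    """Hosts with Blocked records and how often each was blocked, most frequent first."""
    return Counter(r.host for r in records if r.status == "Blocked").most_common()


def blocked_by_application(records: list[FilteredSite]) -> dict[str, list[str]]:
    """Hosts each executable was blocked from reaching, keyed by application path.

    Worth checking before adding a URL exclusion: confirm the blocked process
    is the one you expect, not something else talking to the same host.
    """
    hosts: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if r.status == "Blocked":
            hosts[r.application].add(r.host)
    return {app: sorted(h) for app, h in sorted(hosts.items())}


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for host, n in blocked_hosts(recs):
        print(f"{host}: blocked {n}x")
    for app, hosts in blocked_by_application(recs).items():
        print(f"{app}: {', '.join(hosts)}")
```

The header check is deliberate: ESET exports other logs with a different column set, and silently parsing the wrong one would mislabel fields. Feed the function the text of a real export in place of SAMPLE_EXPORT.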

1 hour ago, Marcos said:

Yes, it's an ad blocker available as a browser add-on.

Would you please provide step-by-step instructions how you got the notification about untrusted certificate?

Are you able to reproduce it with any browser? Even with all add-ons disabled or uninstalled?

Sure, I enabled SSL filtering and enabled Interactive mode, and then attempted opening Slack, Outlook and Google Chrome. All were asking for an action to take (ignore, allow).

To be clear, the Firefox screenshot is just an example of what the prompt looked like and nothing else. I cannot replicate it because leaving Interactive mode enabled with the allow action not working basically made my computer unusable. Apologies, but I cannot re-enable it until we figure this out.


  • Administrators

I've tried opening the above link and was able to download files from there; obviously the SSL communication was being filtered by ESET and no warning about untrusted certificate popped up:

[screenshot]


3 hours ago, ivan.perez said:

Sure, I enabled SSL filtering and enabled Interactive mode, and then attempted opening Slack, Outlook and Google Chrome. All were asking for an action to take (ignore, allow).

Hum ........ We might have a "can't see the forest because of the trees" situation here.

If the Eset firewall is set to Interactive mode, you will receive an alert for every outbound connection being made for which no firewall rule for that connection exists. Specifically, in regards to Firefox this means if you connect to three web sites, for example, you have to create an allow rule for each IP address associated with each web site. Ditto for any other Internet-facing app you run.

On the other hand, you can just create an allow firewall rule for the app process alone; i.e. C:\Program Files\Mozilla Firefox\firefox.exe and allow all outbound communication from that app. If you want a bit more control, you can specify only remote ports 80, 443 be used.

The above will prevent any further Eset firewall alerts in regards to that process as long as all conditions for that rule are met. For example, if Firefox attempts to use a port other than 80 or 443 as given above, you will receive an alert for that activity.

As far as using Interactive mode for SSL/TLS protocol scanning is concerned, that mode should never be enabled unless you wish to create a specific exception for a given web site. For normal usage, always keep SSL/TLS protocol scanning mode set to its default Automatic mode. Web site certificate exclusions should also be kept to a minimum. This feature was never intended to be used for en masse web site certificate exclusions.

Edited by itman

30 minutes ago, itman said:

Hum ........ We might have a "can't see the forest because of the trees" situation here.

If the Eset firewall is set to Interactive mode, you will receive an alert for every outbound connection being made for which no firewall rule for that connection exists. Specifically, in regards to Firefox this means if you connect to three web sites, for example, you have to create an allow rule for each IP address associated with each web site. Ditto for any other Internet-facing app you run.

On the other hand, you can just create an allow firewall rule for the app process alone; i.e. C:\Program Files\Mozilla Firefox\firefox.exe and allow all outbound communication from that app. If you want a bit more control, you can specify only remote ports 80, 443 be used.

The above will prevent any further Eset firewall alerts in regards to that process as long as all conditions for that rule are met. For example, if Firefox attempts to use a port other than 80 or 443 as given above, you will receive an alert for that activity.

As far as using Interactive mode for SSL/TLS protocol scanning is concerned, that mode should never be enabled unless you wish to create a specific exception for a given web site. For normal usage, always keep SSL/TLS protocol scanning mode set to its default Automatic mode. Web site certificate exclusions should also be kept to a minimum. This feature was never intended to be used for en masse web site certificate exclusions.

itman, thank you for that, but that is not the issue I'm describing. My issue is: when prompted, why doesn't the Allow button allow the connection?

I understand I can just dump a ton of whitelist entries in and make exceptions. That was always clear; I just want to know why, when I hit Allow, I am getting the same prompt.

FYI, Firefox is not what I need help with. The actual notification and the prompt not working is the issue here.


I just discovered one major issue.

SSL/TLS protocol scanning Policy mode doesn't work. Refer to the below screen shot. I added a certificate exception for mirror.cedia.org.ec . I then switched from Interactive mode to Policy mode. I then re-accessed the web site and Eset is still scanning the site.

-EDIT- On the other hand, I know from testing the certificate exclusion does work in SSL/TLS protocol scanning Automatic mode.

[screenshot: Eset_Policy.png]

Edited by itman

1 hour ago, ivan.perez said:

I understand I can just dump a ton of whitelist in and make exceptions.  That was always clear, I just want to know why when I hit allow I am getting the same prompt.

Possibly due to the behavior I observed in Firefox with SSL/TLS protocol scanning Interactive mode active. I was getting the below screen shot alert "up the wazoo" prior to finally arriving at the desired web site after repeatedly hitting the scan button. Firefox implemented DNS over HTTPS in the latest release. I have been using the option for a while. Appears Eset's Interactive mode can't handle it.

[screenshot: Eset_Interactive.png]

My advice again is only switch to SSL/TLS protocol scanning Interactive mode when creating the web site certificate exception. Then immediately switch back to Automatic mode since Policy mode is busted.

 

Edited by itman

Since this thread is about Eset SSL/TLS protocol scanning modes, I think it is time to clarify exactly what these modes are supposed to do and what their current status is in regards to later Eset releases.

First per Eset online help, a definition of what the modes are supposed to do:

SSL/TLS protocol filtering mode is available in the following options:

Automatic mode: Default mode will only scan appropriate applications such as web browsers and email clients. You can override it by selecting applications for which their communications will be scanned.

Interactive mode: If you enter a new SSL protected site (with an unknown certificate), an action selection dialog is displayed. This mode allows you to create a list of SSL certificates / applications that will be excluded from scanning.

Policy mode: Select this option to scan all SSL protected communications except communications protected by certificates excluded from checking. If a new communication using an unknown, signed certificate is established, you will not be notified and the communication will automatically be filtered. When you access a server with an untrusted certificate that is marked as trusted (it is on the trusted certificates list), communication to the server is allowed and the content of the communication channel is filtered.

It is fairly obvious that Policy mode is supposed to scan all app outbound Internet traffic and Automatic mode only select web-facing apps such as browsers and e-mail clients. The problem is that this is not what is happening.

Automatic mode is scanning every app that attempts any outbound communication. This can be verified, assuming Automatic mode has been used for a while, by viewing the "List of SSL/TLS filtered applications". Mine currently shows every app and system process that has performed Internet outbound communication. Whereas I personally have no problems with all this outbound communication scanning given the current state of malware, it appears that Policy mode is no longer needed. Add to that, it appears that Policy mode doesn't work properly, at least as far as certificate exclusion goes. And I suspect more problems exist with Policy mode. It appears to me that possibly, internally, Eset is processing Automatic mode as if it were Policy mode and vice versa.

Edited by itman
