ESET NOD32 is blocking access to Adorama web site with ERR_HTTP2_PROTOCOL_ERROR

[AndreyT 0]

All Chromium-based browsers for Windows 10, as well as Internet Explorer are prevented from accessing 'adorama.com' web site. Chrome, Opera and Edge report ERR_HTTP2_PROTOCOL_ERROR. Meanwhile Firefox is not affected - everything works fine in Firefox. Enabling VPN in Opera also seems to solve the issue for Opera.

Pausing protection in ESET NOT32 fixes the problems for all browsers: access to 'adorama.com' is restored. Re-enabling ESET NOT32 blocks access to 'adorama.com' again.

I can't test Windows 7 now, so the above applies to Windows 10 Pro x64 (1909), ESET NOD32 13.0.22.0.

Edited December 13, 2019 by AndreyT

[AndreyT 0]

Just asked NOD32 to check for updates, and it updated itself to 13.0.24.0. However, it does not solve the above problem.

[itman 1,627]

This thread might shed some light on what is going on: https://stackoverflow.com/questions/58215104/whats-the-neterr-http2-protocol-error-about .

Appears this will occur if there is an issue with JavaScript in one or more web pages that site is using. Also appears Chrome is most susceptible to this activity. My best guess at this point is since Eset performs independent web site cert. validations due to its SSL/TLS protocol scanning, it is picking up something amiss and throwing the error.

[itman 1,627]

Also this web site only supports TLS 1.1. Chrome has deprecated any web site using less than TLS 1.2. Additionally staring with Chrome ver. 81:

Quote

Starting with Google Chrome 81, Chrome will prevent connections to sites that use TLS 1.0 or TLS 1.1. The browser displays a warning page instead that reads "Your connection is not fully secure. This site uses an outdated security configuration, which may expose your information".

https://www.ghacks.net/2019/10/02/tls-1-0-and-1-1-deprecation-chrome-to-display-your-connection-is-not-fully-secure-warnings/

[AndreyT 0]

42 minutes ago, itman said:

Also this web site only supports TLS 1.1.

Online SSLTest on SSLLabs shows that 'adorama.com' supports TLS 1.2.

Enabling TLS warnings in Chrome's internal settings (per your ghacks.net link) produces no warnings for 'adorama.com'.

P.S. Now Firefox also can't access 'adorama.com'  when NOD32 protection is enabled. 

Edited December 13, 2019 by AndreyT

[itman 1,627]

1 hour ago, AndreyT said:

Online SSLTest on SSLLabs shows that 'adorama.com' supports TLS 1.2.

Not according to Qualys SSL Server test: https://www.ssllabs.com/ssltest/analyze.html?d=adorama.com

-EDIT- The site supports both TLS 1.1 and 1.2.

Edited December 13, 2019 by itman

[itman 1,627]

I forgot that Eset has issues with HTTP/2 although the problem usually surfaced in Banking & Payment Protection use.

[AndreyT 0]

38 minutes ago, itman said:

-EDIT- The site supports both TLS 1.1 and 1.2.

Exactly.

[itman 1,627]

I added adorama.com IP address, 8.14.113.35, to Eset's protocol scanning exclusions. It is still failing to connect to the web site because of secure connection issues. So something else is going on here. Most likely, the HTTP/2 issue with Eset.

[Marcos 4,908]

A ticket for developers has been created. We'll keep you posted.

[Atomicmutant 0]

Very interested in a fix for this as well. I have to go in and turn off ESET in order to browse camera gear! 

[Digitaris 0]

FYI - On Windows browsers, I am able to access and browse Adorama's site by adding *.adorama.com* to the List of addresses excluded from content scan list.

https://support.eset.com/en/exclude-a-safe-website-from-being-blocked-by-web-access-protection

This is certainly not the preferred solution, but it serves as a work around for now.

[McBuff 0]

Here's what the Adorama rep emailed me.

Adorama says:
"Our IT team is still currently working on this with ESET. In the meantime, ESET technical support shared that adding the website wildcard .adorama.com/* in the exclude SSL section should make the website accessible again. "

I have no idea what it means. Adding "the wildcard?" Where is the "exclude SSL section?". . .no clue. . .perhaps someone can make sense of this for me. . or give it a try to see if it works. . .honestly it would seem Adorama would be a little more motivated to fix this. . .especially this time of the year. 

 

[itman 1,627]

4 hours ago, McBuff said:

have no idea what it means. Adding "the wildcard?" Where is the "exclude SSL section?". . .no clue. . .perhaps someone can make sense of this for me. . or give it a try to see if it works. . .honestly it would seem Adorama would be a little more motivated to fix this. . .especially this time of the year. 

Click on the Eset link posted in the reply previous to yours.

[McBuff 0]

Thanks itman. . .right in front of my face!! That fixed it. . .except the wildcard Adorama gave me .adorama.com/* didn't work. The Eset instructions said the proper rendering should be *adorama.com*    That one worked!