taffy881 (Posted June 25, 2021): I have a client that can't access a website due to it being blocked by Eset. I've had a look and the site looks to be fine - https://www.ssllabs.com/ssltest/analyze.html?d=metlife.com&s=209.164.208.7 The client needs this working, so some help would be appreciated.
Marcos, Administrators (Posted June 25, 2021): I'm not getting any warning at metlife.com.
taffy881, Author (Posted June 25, 2021): I can't see anything wrong either, yet it seems every machine with ESET is saying differently. Same thing from 2 different machines.
Marcos, Administrators (Posted June 25, 2021): Can the user still reproduce it? Maybe the certificate has been replaced in the meantime. You can ask the user to enable advanced network protection logging under tools -> diagnostics, reproduce the alert, disable logging, and finally collect logs with ESET Log Collector for perusal.
itman (Posted June 25, 2021): Appears to be an Eset Banking and Payment Protection issue in ver. 14.2.10. When I tried to access metlife.com in Firefox, the Eset B&PP window opened and asked if I wanted to permanently remember the web site. I replied yes. The web site opened w/o issues. Exited Eset B&PP mode. Next I checked in Eset Web Access protection whether the metlife.com cert. was present. It was not. I then tried again to access metlife.com. The Eset B&PP window opened with the following: When I tried to access certificate data via the link provided, the open execution error was shown. Err ..... a .cer file is an executable? Never have seen anything like this previously when using Eset. Edited June 25, 2021 by itman
taffy881, Author (Posted June 25, 2021): So it looks like something is up on the server side rather than ESET or the local machines then 🙂 Glad I wasn't going mad then...
itman (Posted June 25, 2021): 1 hour ago, taffy881 said: "So it looks like something is up on the server side rather than ESET or the local machines then" I don't think so. If it was a server issue, the metlife.com web site would never have opened initially in Eset B&PP. Another possible issue here is that Eset has not whitelisted this web site from SSL/TLS protocol scanning. In other words, it's using the Eset root CA certificate for web site cert. chain validation. The issue might lie here. See next posting. Edited June 25, 2021 by itman
itman (Posted June 25, 2021): I disabled Eset SSL/TLS protocol scanning and Firefox notified me the web site certificate was revoked. So access to the site is not an Eset issue. There is a big issue, however, with Eset B&PP allowing initial access to a web site with a revoked certificate. Edited June 25, 2021 by itman
Marcos, Administrators (Posted June 25, 2021): 16 minutes ago, itman said: "There is a big issue however with Eset B&PP allowing initial access to a web site with a revoked certificate." A website utilizing a revoked certificate should be blocked regardless of whether you choose to open it in a secure or normal browser.
itman (Posted June 25, 2021): 18 minutes ago, Marcos said: "A website utilizing a revoked certificate should be blocked regardless of whether you choose to open it in a secure or normal browser." It wasn't in B&PP mode, and that's the issue! Also, to clarify my initial posting in this thread, there was a strange Let's Encrypt cert. that appeared in Eset's list of known certs. that I deleted prior to re-accessing metlife.com and Eset's subsequent revoked cert. detection in B&PP mode.
itman (Posted June 25, 2021): To add to this "mystery." I just rescanned metlife.com using the Qualys SSL Server Test web site and received the same results that the OP's posting linked. It scanned clean w/o any issues. Of note is that the IPs resolved were 209.164.208.7 and 209.164.192.109, with the domain metlife-benefits.com shown. Note that Firefox shows the following with Eset SSL/TLS protocol scanning disabled: It appears that some type of Internet backbone DNS hijacking activity is occurring here in regard to metlife.com. Edited June 25, 2021 by itman
itman (Posted June 25, 2021): I think we've entered the 'Twilight Zone' here. Metlife.com now opens in Eset B&PP w/o issue. How is this possible w/o having the web site stored in Eset's list of known certs.? Note that Eset's root CA cert. is being deployed here. -EDIT- Now metlife.com is blocked again in Eset B&PP. I would say now that we have entered the 'Outer Limits.' Edited June 25, 2021 by itman
Marcos, Administrators (Posted June 25, 2021): Whether a website opens in a secure browser or not depends on the list of protected websites in the BPP setup, not on the list of known certificates.
itman (Posted June 25, 2021): 5 minutes ago, Marcos said: "Whether a website opens in a secure browser or not depends on the list of protected websites in the BPP setup," Oops! Just deleted metlife.com from there. Now I will attempt to duplicate the initial access allowed by B&PP.
itman (Posted June 25, 2021): 2 minutes ago, itman said: "Now I will attempt to duplicate the initial access allowed by B&PP." Can't duplicate it again. I also believe I know what happened initially. Based on the current 'Outer Limits' behavior, it appears that in certain attempted browser accesses to metlife.com, one will actually reach the legit web site.
itman (Posted June 25, 2021): For what it's worth, the Eset Web Access log shows the IPv6 address 2600:9000:203a:fc00:1f:f4ef:96c0:93a1 every time the revoked cert. alert appears. This IP address is associated with "Reach," whoever that is, and doesn't appear to be legit for Internet routing purposes.
itman (Posted June 25, 2021): Looks like the metlife.com access issue has been resolved. Summarizing, there was either a hacked or a misconfigured Internet DNS relay server being accessed, with the attempted connection being routed to somewhere other than metlife.com. Where you reside, among other factors, would determine the likelihood of your reaching this server.