
Posted

I have a client that can't access a website due to it being blocked by Eset.

I've had a look and the site looks to be fine - https://www.ssllabs.com/ssltest/analyze.html?d=metlife.com&s=209.164.208.7

Client needs this working so some help would be appreciated.

  • Administrators
Posted

I'm not getting any warning at metlife.com.

Posted

I can't see anything wrong either, yet it seems every machine with ESET is saying different?

Same thing, from 2 different machines.

[attached screenshot: Screenshot 2021-06-25 131049.jpg]

  • Administrators
Posted

Can the user still reproduce it? Maybe the certificate has been replaced in the meantime.

You can ask the user to enable advanced network protection logging under Tools -> Diagnostics, reproduce the alert, disable logging and eventually collect logs with ESET Log Collector for perusal.

Posted (edited)

Appears to be an Eset Banking and Payment Protection issue in ver. 14.2.10.

When I tried to access metlife.com in FireFox, Eset B&PP window opened and asked if I wanted to permanently remember web site. I replied yes. The web site opened w/o issues. Exited Eset B&PP mode.

Next I checked in Eset Web Access protection if the metlife.com cert. was present. It was not. I then tried again to access metlife.com. Eset B&PP window opened with the following:

[attached image: Eset_MetLife.png]

When I tried to access certificate data via the link provided, the open execution error was shown. Err ..... a .cer file is an executable?

Never have seen anything like this previously when using Eset.

Edited by itman
Posted

So looks like something up on the server side rather than ESET or the local machines then 🙂

Glad I wasn't going mad then.....

Posted (edited)
1 hour ago, taffy881 said:

So looks like something up on the server side rather than ESET or the local machines then

I don't think so. If it was a server issue, the metlife.com web site would have never opened initially in Eset B&PP.

Another possible issue here is Eset has not whitelisted this web site from SSL/TLS protocol scanning. In other words, it's using Eset's root CA certificate for web site cert. chain validation. The issue might lie here.

See next posting.

Edited by itman
Posted (edited)

I disabled Eset SSL/TLS protocol scanning and FireFox notified me the web site certificate was revoked. So access to the site is not an Eset issue.

There is a big issue however with Eset B&PP allowing initial access to a web site with a revoked certificate.

Edited by itman
  • Administrators
Posted
16 minutes ago, itman said:

There is a big issue however with Eset B&PP allowing initial access to a web site with a revoked certificate.

A website utilizing a revoked certificate should be blocked regardless whether you choose to open it in a secure or normal browser.

Posted
18 minutes ago, Marcos said:

A website utilizing a revoked certificate should be blocked regardless whether you choose to open it in a secure or normal browser.

It wasn't in B&PP mode and that's the issue!

Also to clarify my initial posting in this thread, there was a strange Let's Encrypt cert. that appeared in Eset's List of known certs. that I deleted prior to re-accessing metlife.com and Eset's subsequent revoked cert. detection in B&PP mode.

Posted (edited)

To add to this "mystery." I just rescanned metlife.com using the Qualys SSL Server web site and received the same results that OP's posting linked. It scanned clean w/o any issues. Of note is the IPs resolved were 209.164.208.7 and 209.164.192.109 with domain, metlife-benefits.com shown.

Note that Firefox shows the following with Eset SSL/TLS protocol scanning disabled:

[attached image: Eset_Revoked.png]

It appears that some type of Internet backbone DNS hijacking activity is occurring here in regards to metlife.com.

Edited by itman
Posted (edited)

I think we've entered the 'Twilight Zone' here.

Metlife.com now opens in Eset B&PP w/o issue. How is this possible w/o having the web site stored in Eset's List of known certs..? Note that Eset's root CA cert. is being deployed here.

-EDIT- Now metlife.com is blocked again in Eset B&PP. I would say now that we have entered the 'Outer Limits.'

Edited by itman
  • Administrators
Posted

Whether a website opens in a secure browser or not depends on the list of protected websites in the BPP setup, not on the list of known certificates.

[attached image: image.png]

Posted
5 minutes ago, Marcos said:

Whether a website opens in a secure browser or not depends on the list of protected websites in the BPP setup,

Oops! :wub:. Just deleted metlife.com from there. Now I will attempt to duplicate the initial access allowing by B&PP.

Posted
2 minutes ago, itman said:

Now I will attempt to duplicate the initial access allowing by B&PP.

Can't duplicate it again.

I also believe I know what happened initially. Based on current 'Outer Limits' behavior, it appears that in certain attempted browser accesses to metlife.com, one will actually reach the legit web site.

Posted

For what it's worth, Eset Web Access log shows IPv6 address, 2600:9000:203a:fc00:1f:f4ef:96c0:93a1, every time the revoked cert. alert appears. This IP address is associated with "Reach;" whoever that is, and doesn't appear to be legit for Internet routing purposes.

Posted

Looks like the metlife.com access issue has been resolved.

Summarizing, there was either a hacked or misconfigured Internet DNS relay server being accessed, with attempted connections being routed to somewhere other than metlife.com. Where you reside, among other factors, would determine the likelihood of you reaching this server.
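The thread's diagnosis is that one resolver was handing back an answer for metlife.com that the other resolvers (and the Qualys scan) never returned. The script below is an added example of how a defender could spot that from logs; it is not part of the thread and not ESET code. The record format (one `timestamp resolver=… domain=… answer=…` line per lookup) is a hypothetical one constructed for the example, since the thread does not show the ESET Web Access log layout. The addresses are the ones quoted in the thread: the two IPv4 addresses Qualys resolved for metlife.com serve as the known-good baseline, and the IPv6 address is the one reported alongside the revoked-certificate alerts.

```python
"""Resolver-consistency check over DNS answer records (constructed sample).

Added example for the metlife.com thread; not ESET code. Flags answers that
fall outside a known-good baseline for a domain and names the resolver(s)
that produced them.
"""
import ipaddress
from collections import defaultdict

# Known-good answers per domain. Assumption: built from the addresses quoted in
# the thread; in practice this baseline comes from the operator's own records.
EXPECTED = {
    "metlife.com": {
        ipaddress.ip_network("209.164.208.7/32"),
        ipaddress.ip_network("209.164.192.109/32"),
    },
}

# Constructed sample records in a hypothetical key=value format.
# 192.168.1.1 stands in for the suspect relay resolver; the IPv6 answer is the
# one the thread associates with the revoked-certificate alerts.
SAMPLE_RECORDS = """\
2021-06-25T13:10:49Z resolver=1.1.1.1 domain=metlife.com answer=209.164.208.7
2021-06-25T13:10:50Z resolver=8.8.8.8 domain=metlife.com answer=209.164.192.109
2021-06-25T13:11:02Z resolver=192.168.1.1 domain=metlife.com answer=2600:9000:203a:fc00:1f:f4ef:96c0:93a1
2021-06-25T13:11:05Z resolver=192.168.1.1 domain=metlife.com answer=209.164.208.7
"""


def parse_records(text):
    """Parse records into (timestamp, resolver, domain, ip_address) tuples."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        out.append((ts, kv["resolver"], kv["domain"], ipaddress.ip_address(kv["answer"])))
    return out


def unexpected_answers(records, expected=EXPECTED):
    """Return records whose answer lies outside the baseline networks for the domain.

    An IPv6 answer is automatically outside an IPv4-only baseline: the
    ipaddress module treats cross-family membership as False.
    """
    flagged = []
    for ts, resolver, domain, ip in records:
        nets = expected.get(domain)
        if nets is None:
            continue  # no baseline for this domain; nothing to compare against
        if not any(ip in net for net in nets):
            flagged.append((ts, resolver, domain, str(ip)))
    return flagged


def answers_by_resolver(records):
    """Map domain -> resolver -> sorted list of answers, to eyeball the outlier."""
    table = defaultdict(lambda: defaultdict(set))
    for _, resolver, domain, ip in records:
        table[domain][resolver].add(str(ip))
    return {d: {r: sorted(ips) for r, ips in per.items()} for d, per in table.items()}


def outlier_resolvers(records, expected=EXPECTED):
    """Resolvers that returned at least one answer outside the baseline."""
    return {resolver for _, resolver, _, _ in unexpected_answers(records, expected)}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for hit in unexpected_answers(recs):
        print("unexpected answer:", hit)
    print("answers by resolver:", answers_by_resolver(recs))
    print("outlier resolvers:", outlier_resolvers(recs))
```

On the constructed sample the only flagged record is the IPv6 answer, and the only outlier resolver is the local relay, which matches the thread's conclusion that the problem sat in a DNS relay rather than at metlife.com or in ESET. The check is deliberately baseline-driven: comparing resolvers against each other alone would also flag legitimate round-robin differences such as the two Qualys-reported addresses.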
