ESET SSL protection produces an invalid certificate chain for NodeJS apps

[Guest Bovine]

Had the same issue here. Spent the past 6 hours trying to figure out what .exe's we needed to add to the SSL/TLS exemption list, but I don't feel comfortable with that. our github pulls were erroring. Have open ticket right now, but no response yet. I found that I had to add all the runner .exe's to the exemption list, in addition to the node.exe files to get it to work properly. runner.listener, createdump, runnerplugin, runner.plluginhost, and runnerservice were added, but I couldn't keep more of our developers time to test which of those could be removed. If anyone has insight on that, it would be appreciated.

[Guest James]

Strangely I can't reply if I make an account... what's the point?

That aside, I wanted to address some of @Warren's / others comments:

Quote

or reduce security from what was available prior to this new feature being implemented.

This is only true if you are silly enough to take the nuclear option of turning it all off. If you simply whitelist node in the SSL screen then you have the exact same protection you had before the update. (that is, no Node protection)

What @Macros said in the previous page here is that they have extended the SSL protection to Node on a base level; which is a massive security enhancement considering that supply chain attacks are becoming one of the most common ways to distribute malware. Frankly I was surpised to learn this wasn't the case before, but I welcome the change.

Quote

You have to work with the software that's released not some imaginary version that has the behaviour you want it to.

True, but in ESETs defense the Windows certificate store has been around since the beginning of time and is a fundamental core security feature of windows. The fact that OpenSSL took until late 2023 to even implement that is extremely questionable and if Node itself is going to claim windows compatibility then they should have done that themselves also a long time ago. There is no excuse for that. All three parties here are to blame, and I would point to Node itself as the biggest offender.

It's the same problem with all Linux centric Open Source software. The Linux elitists laugh at implementing / fixing windows issues until there is enough pushback from the windows developer community to make it worth their while... and they usually do so grudgingly. This situation is no different.

The Node certificate issue has always been a problem on Windows even outside this and if you look at what @itman posted, that Github issue is not even from the Node team.... that is only a suggestion from a user to implement it. And to my point above, notice how much traction it's getting? ZERO. If they had of fixed that back in Jan 2024 when it was posted we wouldn't be in this situation.

Quote

And what is the fix? To not SSL/TLS scan node.js apps?

I would also like to know the answer to this. 

Quote

[we] also have a say in our companies' cybersecurity budgets. 

... and other veiled threats about changing virus scanners or never giving ESET money is entirely short sighted thinking. If you do, you better do your research... because if you switch to a scanner that doesn't provide node protection and your company gets infiltrated in a supply chain attack aren't you going to look silly. In addition, it's entirely possibly when / if said other company gets around to scanning Node they make the same mistake as ESET because Node didn't fix the problem on their side. Thus you are in the same position you are today... only you look more stupid because you made the same mistake twice. If you find a better product by all means switch but don't do it out of spite.

So any Node Windows developer here worth their salt, take 5 mins out of your day, right now, and go to https://github.com/nodejs/node/issues/51537 and upvote / comment, whatever you have to do to get Node's attention to fix it once and for all.

Now, to ESET, couple of things:

1. I think you got the point by now but some well advanced communication on this issue would have been exremely helpful.
2. I am not sure how this was tested but 2 seconds from anyone working with node in windows would have caught this in a second. Unable to install any package is huge giveaway something was seriously wrong. I don't think I need to say this, but I will anyways, you need to improve your testing OR:
   1. Us developers are generally decent people, if you don't have the resources to properly test such changes, reach out and we can help test in a safe branch before breaking tons of stuff. 
   2. Baring the above, this probably should have been implemented first as an optional feature, with a separate button, which was called out in a popup when the update rolled out. 
3. Replying to someone who is not even a customer reporting a serious issue which included a very detailed technical breakdown with "well make a report then" is completely out of line. Were your fingers broken or something? The time it took you to write that you could have made the report and it only exacerbated the issue to your users making you look like you don't care.

[Guest I lost 2 hours]

On 4/22/2024 at 8:08 PM, Marcos said:

This Quick questions forum is for guests and does not require registration as it serves only for quick questions. It was not meant for reporting issues according to this forum rules:

4, Ask only simple questions. If you want to report an issue, inquire about your license, etc., create a forum account first. This forum is not intended for lengthy discussions.

A correct procedure for reporting issues is by raising a support ticket. Should you want to report an issue in this forum in the future, please sign up first and make a post in the appropriate product forum.

As for the issue, the whole problem is that Nodejs does not use the system trusted root CA certificate store while there is a bunch of Nodejs malware that our and other AV users want to be protected against at the network level. We hope that Nodejs will use the system TRCA cert. store in the future to allow that.

We have provided possible workarounds in this topic.  We have reported the issue to developers on Friday, ie. today is the first work day since the report. We are already testing Internet protection module 1475.1 with a fix which will be available on the pre-release update channel shortly, with release on the regular update channel to follow soon.

It is very disappointing that there are no instructions or links to helpful documentation for applying the pre-release.

[Guest Andris]

This same issue is affecting more then jusynode.js, github co-pilot also don't work after this latest esset update!!! Honestly I feel esset is more harmful to me then potential threats its suppose to protect from. 

[itman 1,668]

9 hours ago, Guest I lost 2 hours said:

It is very disappointing that there are no instructions or links to helpful documentation for applying the pre-release.

https://support.eset.com/en/kb3415-enable-pre-release-updates-in-eset-windows-home-products - also applicable to unmanaged Eset Endpoint installations.

https://support.eset.com/en/kb7957-enable-pre-release-updates-in-eset-endpoint-products-in-eset-protect

[itman 1,668]

FYI -looks like Eset has released Internet protection module 1475.1 to production. I see it installed on my ESSP installation.

Does this resolved the root cert. issues for everyone?

[Guest Kyle]

1 hour ago, itman said:

FYI -looks like Eset has released Internet protection module 1475.1 to production. I see it installed on my ESSP installation.

Does this resolved the root cert. issues for everyone?

I updated today and still have the same issues.

[Guest Jacob I lost 4 hours]

1 hour ago, itman said:

FYI -looks like Eset has released Internet protection module 1475.1 to production. I see it installed on my ESSP installation.

Does this resolved the root cert. issues for everyone?

Does it resolve it for you, @itman? Checking for updates on my ESET Server Security install does not yield this new version, yet.

[Guest Mr. H]

Newest update ESET fixes it!

- Make sure to reset your cafile using 

npm config delete cafile

if you tried to set a local certificate (that didn't work), otherwise it will still use that.

[Guest Kyle]

2 hours ago, Guest Jacob I lost 4 hours said:

Does it resolve it for you, @itman? Checking for updates on my ESET Server Security install does not yield this new version, yet.

Same. My Internet Protection Module is still at version 1474.

[Guest HladikZ]

As I was informed by ESET support the Internet control module version  with FiX (realay no fix but revert to a dirty unsecured state of nodejs apps security) will be 1476. But on my tests, it seems module 1475.1 from 22.4. yesterday inserted ESET cert,  and this caused the problem. but today node.exe stopped to being blocked error this way and ESET module still has same version number.

It seems ESET modified behavior of TLS control other way! I thing it is not good idea. We are not sure if our dirty trick work or no!!

For better defense of broken nodejs ecosystem it is good to use Environment var pointed exported ESET SSL filter CA (https://github.com/the-last-byte/ESET-NPM-Breakage-Fix) and explicitly switch to ON state NODE app control in ESET. BTW exporting of certificate is scriptable by MS Certutil and if you place it to user read only directory your NodeJS app will be little more secure...
 

[Guest ESET user]

still can't working with version 11.0.2044.0 , will it be a update to fix that ?

[itman 1,668]

7 hours ago, Guest ESET user said:

still can't working with version 11.0.2044.0 , will it be a update to fix that ?

You will either have to wait until Internet protection module ver. 1475.1 is released for Eset commercial products: https://forum.eset.com/topic/40811-proper-solution-of-fixing-problem-with-invalid-certificate-chain-for-nodejs-apps/?do=findComment&comment=183333 or switch each endpoint device to pre-release updating which will install Internet protection module ver. 1475.1. 

[Guest Jano Svitok]

With version 1475.1 npm install/npm ci works, but we still can't build angular app. We get following error during build:
 

> ng build --configuration production

- Generating browser application bundles (phase: setup)...
Browser application bundle generation complete.
Browser application bundle generation complete.
- Copying assets...
- Copying assets complete.
- Generating index html...

Index html generation failed.
Inlining of fonts failed. An error has occurred while retrieving https://fonts.googleapis.com/css2?family=Roboto:wght@300;400;500&display=swap over the internet.
  unable to get local issuer certificate

Can we please get description how the current filter works?

Thanks!

Jano

[Marcos 5,090]

The SSL/TLS communication for NodeJS is no longer filtered. A module that disabled it was released a couple of days ago for all users.

[itman 1,668]

7 hours ago, Guest Jano Svitok said:

Inlining of fonts failed. An error has occurred while retrieving https://fonts.googleapis.com/css2?family=Roboto:wght@300;400;500&display=swap over the internet.
  unable to get local issuer certificate

Not Eset related. Refer to this article: https://github.com/angular/angular-cli/issues/26645

Edited Friday at 01:53 PM by itman