zhladik 0 Posted April 24 Posted April 24 At end of last week ESET released Internet Protect module V1475 (also may be 1475.1 have same problem ?) which caused big mass problems to NodeJS based applications including Github Testing tools etc. Topic is discused In this forum thread https://forum.eset.com/topic/40702-eset-ssl-protection-produces-an-invalid-certificate-chain-for-nodejs-apps which is accessible without registration but with broken Captcha so it is almost impossible to write to the thread. Reason of breaking of NODEJS is moving Node.exe based application to area of implicit TLS inspection. To be able to do it Eset must inject local special certificate CA to list of trusted CA certificates. Usually it is handled by Windows Certificate storage or by explicit handle of well known browsers or other handled apps. But NodeJS uses hard-coded CA list (?) and ESET overlooked this problem. Fix in V1476 of module probably simply removes nodejs from filtered TLS. But it is NOT SECURE SOLUTION. I suppose ESET tried to add filtering because malware uses javascript very often. So there is very usable to inspect TLS communication from secured computer. So as there is cookbook about manual adding of "ESET Filter CA" to list of trusted CA's let's switch TLS checking on even after fixed version revert implicit exclusion of nodejs TLS check. There is possible to use automatic script for export and add CA, I will send script to github repo https://github.com/the-last-byte/ESET-NPM-Breakage-Fix . So use it is good step to improve nodejs security. After this you can switch ESET Explicitly on check of node.exe.
Administrators Marcos 5,458 Posted April 24 Administrators Posted April 24 Internet protection 1475.1 fixes the issue with NodeJS. It's currently available on the pre-release update channel and for consumer products, with Endpoint to follow soon.
zhladik 0 Posted April 24 Author Posted April 24 Thanks for info, I got little messy feedback from customers about problematic versions. But if I understand, fix simply reverts NODEJS to exclusion of TLS check? So state will be not optimal for javascript security, So some help for manual config accommodation will help I hope. I recommended switching on explicit check of node.exe, but we not yet tested slowdown penalty for data heavy applications...
Clement Y 1 Posted April 26 Posted April 26 My endpoint version 11.0.2044.0 still having the problem. My application can't use API. Trustable3347 1
Recommended Posts