
URL Address Management Exclusions Not Working



I thought from what was given in the SS 8 manual that if an HTTPS address was entered in the "list of addresses excluding from filtering", the domain would be excluded from SSL scanning. SSL protocol scanning is set to always.

I tried various formats such as https://www.bankofamerica.com, https://*.bankofamerica.com/*, etc., yet Eset SSL protocol scanning is still enabled by virtue of its cert. being used on the above domain web page.


You have to enter the domain without any protocol. So instead of https://*.eicar.org, e.g. enter *.eicar.org. I used this example, because you can test it with the eicar file quite well.

But why would you like to exclude https://www.bankofamerica.com? I mean it's a legitimate site, but what would be the advantage to exclude it?


However there is also another (better) way to exclude sites completely from SSL scanning: In the SSL scanning settings, under "certificates" there is a list of excluded certificates. You can add certificates there by following these steps:

  1. Set SSL scanning to "Ask about non-visited sites (exclusions can be set)". (the last part is the interesting part for us :))
  2. Visit the site you want to exclude.
  3. You should be presented with a prompt, which asks you what you want to do:
     [screenshot of the prompt]
  4. And finally there you can click on the "Exclude" button at the left.
Edited by rugk

 

> You have to enter the domain without any protocol. So instead of https://*.eicar.org, e.g. enter *.eicar.org. I used this example, because you can test it with the eicar file quite well.
>
> But why would you like to exclude https://www.bankofamerica.com? I mean it's a legitimate site, but what would be the advantage to exclude it?
>
> However there is also another (better) way to exclude sites completely from SSL scanning: In the SSL scanning settings, under "certificates" there is a list of excluded certificates. You can add certificates there by following these steps:
>
>   1. Set SSL scanning to "Ask about non-visited sites (exclusions can be set)". (the last part is the interesting part for us :))
>   2. Visit the site you want to exclude.
>   3. You should be presented with a prompt, which asks you what you want to do:
>      [screenshot: SSLScanning_CertificatePrompt.png]
>   4. And finally there you can click on the "Exclude" button at the left.

 

Well, the *.bankofamerica.com URL exclusion only worked on the www. domain; not on any of the 8+ other domain names it uses. It uses a cert. for each web page it displays on its web site. So I went the certificate exclusion route for those. I also decided to let Eset's SSL protocol filter check the other domains I encountered on that site such as *.vo.mscnd.net, x.cardlytics.com, image.get.bills.com and God knows what else. You can't even trust your bank these days!

A suggestion to Eset is to follow Avast's lead and auto exclude all bank and major financial web sites from SSL filtering. Would save a lot of work for us poor users.

BTW - I exported Eset's certificate into Thunderbird and changed it to web site verification and that appears to be working OK.

Question - There was a web posting last year about Eset's SSL protocol downgrading TLS connections to ver 1.0. From what I can determine, that appears to be fixed. Is this indeed the case?

Edited by itman

Normally the exclusion (*.domain.com) should work on all subdomains.

 

About the thing with Avast: What advantage would it have to exclude all banking sites from SSL scanning?

 

About TLS support: I didn't find a post about this from last year, but a much more recent one:

SSL Inspection TLS 1.2 Support?

And there you can read that TLS 1.2 support is already implemented, but with Firefox it often falls down to TLS v 1.1. I tested it and in my test the "newest" TLS version I could get was 1.0:

[screenshot of the test result]

tested with Internet protection module: 1173B.3 (20150324)

 

But as you see a fix will be released in Internet protection module 1181+.


> About the thing with Avast: What advantage would it have to exclude all banking sites from SSL scanning?

 

Nothing should be intercepting encrypted data to sensitive web sites such as your banking sites and the like for any reason. It violates the whole principle behind SSL encryption. Sorry, I don't trust anyone when it comes to my financial data. I use EMET's certificate pinning for those sites to verify that the certificate authorization chain is intact.

 

If you can't trust your banking web site to be malware free, you need to find a different bank to do business with.

Edited by itman

Okay, I can understand this. Then you can exclude them.

Adding this by default wouldn't be a good idea I think. Additionally there are many banking sites worldwide, so this would be a high effort for ESET.

 

But BTT you could exclude it now successfully?


> Okay, I can understand this. Then you can exclude them.
>
> Adding this by default wouldn't be a good idea I think. Additionally there are many banking sites worldwide, so this would be a high effort for ESET.
>
> But BTT you could exclude it now successfully?

Yes, was able to successfully exclude what I had to cert-wise. Was an interesting exercise in that I picked up a dodgy hidden cert. on the bank web site.

 

One solution would be for an option for Eset to allow cert path verification for excluded certs. but not scan the traffic using the SSL protocol feature. As I understand it, once the web site cert. is excluded, Eset will not verify the cert. chaining path to the Trusted Root CA store?  


> One solution would be for an option for Eset to allow cert path verification for excluded certs. but not scan the traffic using the SSL protocol feature. As I understand it, once the web site cert. is excluded, Eset will not verify the cert. chaining path to the Trusted Root CA store?

No, not if it's excluded. This will then be done - like it's normally done - by your browser.

However it doesn't matter "who" does it. The only advantage (besides the malware scanning of course) would be that you can (theoretically) check the certificates yourself and build up a list of trusted certificates with ESET. To do so you of course would need to use the mode "Ask...".


This topic is now closed to further replies.
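
The two checks made by hand in this thread (whether the scanner's certificate is still on a connection after an exclusion, and which TLS version was negotiated) can be scripted. This is an added example, not part of the original posts or ESET's tooling; the issuer marker, the sample issuer names and the host names are constructed assumptions.

```python
import socket
import ssl

# Assumption: substrings expected in the issuer of a certificate minted by a
# local HTTPS-scanning product. Adjust to the issuer name shown on your system.
INTERCEPTOR_MARKERS = ("eset",)
WEAK_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}


def issuer_names(peer_cert):
    """Flatten the issuer RDNs of a getpeercert() dict into a list of values."""
    return [value for rdn in peer_cert.get("issuer", ()) for _key, value in rdn]


def assess(host, peer_cert, tls_version, markers=INTERCEPTOR_MARKERS):
    """Report whether the connection looks intercepted and whether TLS is weak."""
    issuer = issuer_names(peer_cert)
    intercepted = any(m in name.lower() for name in issuer for m in markers)
    return {
        "host": host,
        "issuer": ", ".join(issuer),
        "intercepted": intercepted,
        "tls_version": tls_version,
        "weak_tls": tls_version in WEAK_VERSIONS,
    }


def probe(host, port=443, timeout=5.0):
    """Connect with normal verification and assess what this machine is served."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return assess(host, tls.getpeercert(), tls.version())


# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_SCANNED = {"issuer": ((("organizationName", "ESET, spol. s r. o."),),
                             (("commonName", "ESET SSL Filter CA"),))}
SAMPLE_EXCLUDED = {"issuer": ((("countryName", "US"),),
                              (("organizationName", "Example Public CA"),),
                              (("commonName", "Example Public CA G2"),))}

if __name__ == "__main__":
    for name, cert, ver in (("scanned.example", SAMPLE_SCANNED, "TLSv1"),
                            ("excluded.example", SAMPLE_EXCLUDED, "TLSv1.2")):
        print(assess(name, cert, ver))
```

Call `probe()` once per host name the site loads from, since the thread shows each one may present its own certificate. Whether a script's connection is filtered the same way as the browser's depends on the product's application filtering settings, so compare the result with the issuer the browser shows.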