Interesting Browser Pop-up w/SSL Protocol Scanning Enabled

[itman 1,659]

Win 7 SP1 x64, IE11, Smart Security ver. 8

 

My question is how did this occur? With SSL protocol scanning enabled, Eset should be intercepting all certificate related issues?

 

[rugk 397]

I doubt this is an issue with ESET SSL scanning as it indeed should intercept all traffic and in this case the certificate would be valid.

So generally: Click on "No" when such a popup appears. It's bad enough that IE let's you click through such a message so easily.

 

Also how do you get the AT&T bar there. It seems you are on Yahoo.com and the site is a HTTPS site, so there should be nothing from AT&T. Is your internet provider AT&T by instance? If so they are intercepting your traffic.

When visiting Yahoo.com: Was there a similar error message, which had something to do with SSL/TLS? Could you please also click on the lock icon (in the address bar on the right) and show the certificate issued for Yahoo?

 

Generally: Can you try it with SSL/TLS scanning disabled and tell us if you see a difference?

 

As for the message popup I found this thread in the Microsoft community: https://answers.microsoft.com/en-us/ie/forum/ie11-iewindows8_1/what-is-this-certificate-of-btrllcom-that-keeps/f8dc5922-3dc3-4a40-a2d1-849409251b6b?auth=1

The issue they describe there is very similar to yours. Could you please have a look at the thread? It seems there is some PUA installed on your computer, so can you enable the option to detect PUAs in ESET and run a full disk scan?

Alternatively also switching to Firefox may help (temporarily), but be sure to get rid of the PUA anyway. You may also use third-party scanners and try to reset IE.

 

Please let us know of the result and the name a potential PUA was detected. Also get rid of the AT&T bar there - why on hell do they intercept your traffic?

[itman 1,659]

I use both Eset and Emsisoft Anti-malware. Both products have always had PUA and PUP detection enabled from install day one. I also run Adaware periodically and always 100% clean. Recently ran full network drive scans w/ both Eset and EAM and 100% clean. Bottom line - I don't have adware installed. 

 

As far as AT&T, they always have and probably always will use Yahoo as their content provider. As I understand it "*.btrll.com" is Yahoo's search engine. And obviously it is using a borked self-signed cert.. No MITM ###### or the like going on.

 

Again, I was just surprised to see Eset not catch the bad cert. since it is the one responsible for certificate validations per it acting as a SSL proxy. On the other hand, at least Eset is not 100% overriding the browser cert. validations. So at least there is protection against improperly signed certs..

 

-EDIT- There also appears to be a lot of misinformation about btrll.com on the web. This should clear it up: https://source.ind.ie/better/content/blob/990d2329b03e2d69d87f67378b54b6f17c9ecbcc/trackers/btrll.com/index.md

Edited July 8, 2016 by itman

[itman 1,659]

Issue resolved. I added *.btrll.com/* to list of blocked URLs in Eset web filtering. Since its a web tracker, should be blocked per se.