IPB

Welcome Guest ( Log In | Register )

 
Reply to this topicStart new topic
> KIS 2014 Scan Encrypted Connection & Tor Browser, BUG #786753
beefmaster
post 11.10.2013 00:54
Post #1


Member
**

Group: Members
Posts: 41
Joined: 26.07.2012




What's the most common setting for Scanning Encrypted Connections under Network setting? And still have protection regarding SSL sites? Not all SSL sites are trustworthy.

Tor Browser (TBB) won't connect to SSL sites (esp. using port 443), if Scan Encrypted Connections is on; or, unless I DEactivate monitoring that port in "Monitor selected ports," if Scan EC's was checked.

I'm not sure which is less of a security risk, overall & which allows more browsers to connect to more SSL sites?

With scanning them enabled, Firefox 23 / 24 works OK - except several KIS warnings of strange URLs & "can't verify this certificate" : www.you7t5dyl7.com. Never seen any of them.

With scanning on, it also kinda messed up Tbird, giving several different warnings, "you're about to replace (some certificate) w/ "this one."
I didn't know KIS (anymore) had anything to do w/ Tbird & CAs.

So, I had to turn off scanning encrypted connections & re activated monitoring port 443. Don't know if that the best compromise on those settings, overall - if I want TBB to also work. Any other suggestions?

Thanks.
Go to the top of the page
 
+Quote Post
richbuff
post 11.10.2013 02:11
Post #2


Oldtimer
****************

Group: Moderators
Posts: 48818
Joined: 14.06.2007




Try the default setting: Scan encrypted connections, but not always; rather, only when Parental Control is enabled.


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
Go to the top of the page
 
+Quote Post
beefmaster
post 11.10.2013 02:54
Post #3


Member
**

Group: Members
Posts: 41
Joined: 26.07.2012




Thanks. That's exactly what I had before & Tor Browser - TBB - couldn't / wouldn't connect to many https sites - even ones like Ixquick & Google search, Wikipedia SSL, etc. Early on, turned off KIS & didn't solve TBB's problem. Maybe should've tested it longer - may've been bad relays at that time.

1st, I only disabled monitoring of port 443 & that fixed TBB problem of not connecting to SSL sites. Wasn't sure that was a good idea, overall. Then tried enabling scan all the time while re enabling port 443 monitoring. The scanning part didn't work out so well, so put it back the way you describe (way it was, before I touched anything) & for some reason, TBB was able to connect to SSL sites.

Maybe it was a case where settings were correct, but weren't accurately recorded in the config file.
I've seen it in other apps - behavior doesn't match settings. Sometimes toggling check boxes makes it start working.

What is KIS doing if Scan Encrypted Connections is checked & AND "Only if Parental Contol is enabled," IF you never enable Parental Control? I never had parental control activated, so assume it was never doing anything on EC's?

Other than a gremlin, don't know why those settings didn't work w/ TBB in the 1st place.

EDIT: TBB seems to connect to SSL sites more consistently if Scan Encrypted Connections is completely unchecked. No idea why.

This post has been edited by beefmaster: 11.10.2013 03:06
Go to the top of the page
 
+Quote Post
beefmaster
post 31.10.2013 19:53
Post #4


Member
**

Group: Members
Posts: 41
Joined: 26.07.2012




Richbuff - tried your suggestion a few weeks ago & have played w/ it & newer versions of Tor browser (TBB).
Something very odd happens in each new TBB session. When I open TBB & try connecting to an https site (usually port 443), the browser shows a generic message, "can't connect to...". Usually the reason is very vague, but I can watch the connections / ports in TBB "network map" & see port 443 opening(s) as soon as connection attempt is made, then immediately close.

Discovered by accident, if just close / reopen KIS 2014 (in Vista x64), then Tor browser - http port 443 connections work fine. Until close TBB and / or reboot machine. Must then close / reopen KIS again, for it to again allow TBB port 443 connections.

KIS settings are :

Scan encrypted connections - Checked.
Scan encrypted connections if parental control is enabled - Checked.
NOTE: Help file says:
QUOTE
If Parental Control is disabled, Kaspersky Internet Security does not scan SSL connections.

These settings don't present any problems in regular Fx, AFAIK. But I've consistently proven to myself that w/ these settings, KIS must be stopped / restarted each time TBB opens, to allow port 443 connections (possibly other https ports - not much experience except 443).
Obviously there are differences in Fx & TBB, but don't know what would cause this - on KIS's part.

Even if I've rebooted since last running TBB & open it anew, must still close / reopen KIS, before it'll allow TBB port 443 connections.
By itself, TBB has no problem w/ https connections; in fact, they're preferred when available. No one else on Tor mailing list reports problems connecting to port 443, but no one using KIS responded to my query on the list.

Any other ideas? Don't know that I want to disable scanning all secure connections; though w/ the above settings... - also suggested by richbuff - it may BE - often ? always? skipping scanning of encrypted connections, as I don't have parental control enabled. If Help description is accurate.
Go to the top of the page
 
+Quote Post
Neo X
post 19.11.2013 04:38
Post #5


Newbie
*

Group: Members
Posts: 1
Joined: 19.11.2013




Well, I've been painstakingly trying to get TorBrowser to work, too, and I even raised a support ticket to Kaspersky Lab Technical Support and their response was "Kaspersky is not supported and compatible with the Tor browser. You will have to disable the Kaspersky security should you wish to use Tor."

Right! Since when is firewall software supposed to dictate what applications can be used on a PC without the ability to allow the user to exclude or trust an application short of disabling their protection entirely? Disabling KIS just so I can use a particular browser defeats the whole purpose of having KIS installed as it leaves my PC open to all forms of attack. Any software, whether known to KIS or not, should be excludable or trustable by simply pointing to its executable, surely.

TorBrowser is based on Firefox 17 (although Firefox itself is up to version 25 now). I noticed from the ‘Encrypted connections’ settings dialogue that the Kaspersky Lab certificate must be manually installed into Firefox (which I have now done in accordance with the Kaspersky support page).

However, this did not work. In the end, through experimentation, I managed to find two solutions that worked (besides switching off KIS altogether).

- Turn off the setting to ‘Block connections over SSL 2.0 protocol’, which is odd because Firefox is set to use SSL 3.0.
- Turn on the setting to ‘Do not scan network traffic’ for TorBrowser in the application rules in ‘Firewall settings’.

The question is, which is the safer option as I’m not comfortable with either to be honest, and I think Kaspersky Lab should come up with a proper solution for people using TorBrowser as it is a mainstream browser and firewall software should be configurable for all types of online activity without having to force the user to compromise security by disabling features.
Go to the top of the page
 
+Quote Post
beefmaster
post 19.11.2013 05:57
Post #6


Member
**

Group: Members
Posts: 41
Joined: 26.07.2012




Thanks NeoX,

I'm currently in "middle" of a support case on this. So far, no one has said KIS / KAV isn't compatible w/ Tor Browser (TBB). Though that may be the case.
It's just a browser that AFAIK, doesn't handle https sites any differently.
No one on Tor-talk mailing list had any ideas of actual cause. No one mentioned that they saw problems w/ OTHER AVs / FWs & TBB.

I sent a GIS report to support couple days ago, at their request.
At support's request, also tried UNchecking "scan encrypted connections," to see if disabling completely fixed it. It did NOT.
But, exiting / re starting KIS, immediately AFTER TBB launches (the browser launches, not JUST Vidalia starting), continues to solve the problem.

I'm thinking / hoping support is running it by their advanced trouble shooters.

The fact that TBB & https sites work fine after exiting / re starting KIS, indicates it is compatible w/ TBB. Just some ? bug ? that re starting KIS solves.
Other than a weird bug (in one of the apps), re starting KIS shouldn't have an effect on TBB loading https pages or not. Nothing changes in the way KIS functions or how it handles secure sites, JUST because it's re started.

Rather than completely disabling KIS from scanning TBB, or common ports, I'd lean more toward my "fix" for now (restarting KIS). That way, we're not losing protection.
I have a KIS quick launch icon, so when exit it (then wait maybe 3 sec - not long) & immediately re start it. I wouldn't stop KIS if in the middle of other web activity, e.g., downloading files, loading pages in another browser, etc.

TBB (earlier versions) worked fine w/ KIS '13. Could be something changed in either / both.
I'll try to post if I learn more. Please do the same.

Go to the top of the page
 
+Quote Post
beefmaster
post 4.02.2014 22:15
Post #7


Member
**

Group: Members
Posts: 41
Joined: 26.07.2012




QUOTE(beefmaster @ 18.11.2013 20:57) *
KIS must be stopped / restarted each time Tor Browser (TBB) opens, to allow port 443 connections...
I'm currently in "middle" of a support case on this.

Again, I'm using Vista x64 hm prem SP2. Other versions of Vista or other releases may have different results.

MANY emails later - back & forth with support, they said,
QUOTE
Our developers have deemed the issue to be a bug in our software and working towards a resolution.
...I can offer you a refund on the product...

Probably a bug. After almost giving up, I discovered that disabling Safe Money module in KIS 2014 14.0.0.4651(d) seems to be the culprit.
With Safe Money enabled (w/ default settings), if TBB is started / restarted while KIS is already running, then TBB can't connect to HTTPS sites on port 443.
Exiting & restarting KIS always allowed TBB to make connections on port 443, until TBB was restarted - for any reason.

Disabling Safe Money immediately allows HTTPS / port 443 connections; turning it back on immediately blocks port 443 in TBB, & so on.
When Safe Money is disabled, rebooting the system, or closing both TBB & KIS - then starting them (in any order), still allows port 443 connections.
I didn't try determining if any settings under Safe Money were the problem. Many customizable options in some components (prior years) were removed from KIS 2014 - so users may have fewer tweak options - from the interface.

I haven't had problems w/ other ports, but other users w/ different OSes might. But I found posts about certain ports being blocked in Kaspersky Endpoint Security. For some, turning off certain components (like Web AV) or changing settings (disable heuristics in Web AV) fixed some problems.
Either way, suggest trying turning off protection components - one at a time - to try & isolate the cause. If turning off core protection, be CAREFUL how long it's off and which sites you visit, while core protection is off (e.g., File AV, FW, Network Attack Blocker, etc.).
Go to the top of the page
 
+Quote Post
Rodion Nagornov
post 5.02.2014 11:31
Post #8


Social Media Support Manager
*************

Group: Admin
Posts: 3586
Joined: 23.11.2011
From: Moscow, Russia




Bug #786753
Go to the top of the page
 
+Quote Post
beefmaster
post 5.02.2014 22:08
Post #9


Member
**

Group: Members
Posts: 41
Joined: 26.07.2012




Thanks. Does that mean there's an official Bug #786753 filed?
I can't find anything on it searching the forums, Kaspersky's support site or using ~ 5 search engines on internet.
If a report's posted for #786753, would someone direct me to it?

Other than threads in the forums (like ~ )
I haven't found a bug tracking system for Kaspersky like most major software has. Is there such a searchable bug list / bug tracking site for KIS / KAV, or any Kaspersky products?

edit: del link to unrelated beta testing topic.

This post has been edited by richbuff: 6.02.2014 04:27
Go to the top of the page
 
+Quote Post
Whizard
post 5.02.2014 22:47
Post #10


Professional
***************

Group: Moderators
Posts: 20683
Joined: 19.11.2005
From: Toronto/Canada




The report indicates an internal bug ID, which is only accessible to KL employees.
You can however ask KL Tech Support via my.kaspersky.com if they made any progress fixing it.

This post has been edited by Whizard: 5.02.2014 22:48


--------------------
Networking and Security Guru
~^Whizard^~
Go to the top of the page
 
+Quote Post
beefmaster
post 6.02.2014 05:02
Post #11


Member
**

Group: Members
Posts: 41
Joined: 26.07.2012




Thanks. "The" report?
When was bug 786753 filed & does it specifically mention blocking secure sites or port 443?

I've been working with support for several weeks on this. After weeks of "try this; now this," the support tech said on Feb. 3, 2014, "Our developers have deemed the issue to be a bug." I'm wondering how long they've known about it, or if I'm one of the 1st to report it?

Since my issue was escalated pretty quickly, I'd hope they'd check bug lists for similar issues.

That's one problem w/ companies not having a bug tracking system - at least for "non-security threatening" bugs or ones the dev doesn't consider too sensitive.
Users can't see if their problem has already been reported. Level I support techs for many companies don't always (seem to) use everything at their disposal.

With several other companies, I've spent hours / days / weeks working w/ their support, to learn it was a known bug all along.
Some companies don't want to announce bugs in their software. But as others have pointed out, couldn't anyone looking to exploit weaknesses or competitors looking for "some dirt," just read various forums?
Go to the top of the page
 
+Quote Post
ScottC
post 6.02.2014 05:35
Post #12


Support Escalations Manager
***

Group: KL USA
Posts: 190
Joined: 7.10.2008
From: New England




It's likely a new bug, we do have well-maintained bug lists.
Go to the top of the page
 
+Quote Post
Whizard
post 6.02.2014 18:00
Post #13


Professional
***************

Group: Moderators
Posts: 20683
Joined: 19.11.2005
From: Toronto/Canada




I have not seen vendors like McAffee, Symantec, or ESET publishing their internal bug lists either. The important thing is to follow up with Support. Only they would be able to provide that information. People on this forum are just power users and do not have access to that information, with the exception of KL Employees in green.


--------------------
Networking and Security Guru
~^Whizard^~
Go to the top of the page
 
+Quote Post
beefmaster
post 6.02.2014 23:11
Post #14


Member
**

Group: Members
Posts: 41
Joined: 26.07.2012




Thank you. I wasn't singling out Kaspersky - just pointing out many others' & my (occasional) experiences. That's why I included "other" companies.
No, McAffee, Symantec don't publish bug lists & also don't set the bar very high - in several areas. But many do publish lists - for various types of software.
I guess there's a good reason why some large & small companies publish many, but not all bugs.

I will follow up w/ support (& have). Not the fault of anyone here, but it's taking support days (as in, up to 6 business, 10 total) to reply to each successive email on this. Even (sometimes) when they ask, "Before advising you on the next step, have you tried X, Y or Z?" I answer, along with details). Then may not hear back for days.

If I didn't find the problem component myself (fairly simply), I'd be unable to use KIS with Tor Browser.
Ultimately, I got an equivalent answer to Neo X's - "doesn't work."
I narrowed the problem to Safe Money by reading forum posts (between the lines) - which is good. Though many would do better using outside search engines, not the forum's. I have no software troubleshooting training.
Go to the top of the page
 
+Quote Post
Whizard
post 7.02.2014 01:33
Post #15


Professional
***************

Group: Moderators
Posts: 20683
Joined: 19.11.2005
From: Toronto/Canada




Well, first of all thanks for reporting and second of all KL recognizes it is a bug in their software. Maybe you if you post your ticket reference number, Rodion can follow up with you on that.


--------------------
Networking and Security Guru
~^Whizard^~
Go to the top of the page
 
+Quote Post
lity
post 29.04.2014 18:42
Post #16


Newbie
*

Group: Members
Posts: 1
Joined: 29.04.2014




Any hot-fixes or bug #786753 progress?

I don't understand how i can check bug progress.
Go to the top of the page
 
+Quote Post
Nikita Shembel
post 30.04.2014 07:10
Post #17


Technical Support Engineer
***

Group: KL Russia
Posts: 158
Joined: 10.06.2013




Unfortunately there is no new information regarding this bug yet.
Go to the top of the page
 
+Quote Post

Reply to this topicStart new topic

 



Lo-Fi Version Time is now: 22.08.2014 19:42