Product:  KSC 11+

Applies also to the update utility version 4.1 and more recent.

KL uses HTTP public key pinning mechanism to verify update server authenticity; certificate used for authentication is self-signed by KL. Using any MITM-based solutions for SSL traffic inspection will lead to failures in establishing connection between KSC and a HTTPS-enabled KL update source. It happens because any MITM traffic inspection will forward a wrong certificate to KSC after inspection and KSC11 will break the connection.

The following string can be found in up2date trace:

self signed certificate in certificate chain

The following trace files are required for accurate diagnostic: $up2date-1103.*, $up2date-1103-eka.*

Please bear in mind that Kaspersky Support needs KSC traces mentioned above to be collected BEFORE you apply any of the workarounds listed in this post. 

1. If you have KSWS blocking traffic, add Up2Date.exe process or the update source certificate to trusted in Traffic Security settings.
2. If you use a 3rd party appliance to filter traffic, you can explicitly allow traffic signed by KL certificate.
3. Otherwise you can use HTTP to download updates. There are two ways to make KSC use HTTP:

   1. Set a server flag on KSC using following commands:

      klscflag.exe -fset -pv klserver -s Updater -n DisableKLHttps -t d -v 1

      and on Update Agents (Distribution Points) getting updates from the internet, if any:

      klscflag.exe -fset -pv klnagent -s Updater -n DisableKLHttps -t d -v 1

   2. Explicitly set update task to use HTTP sources URLs, for example http://p00.upd.kaspersky.com. Full list of HTTP-enable sources can be found in <insecure_sites_list> parameter in http://dnl-05.geo.kaspersky.com/updates/upd/updcfg2.xml
4. Download updates using update utility 4.0. More recent version of update utility uses https.