Visiting a domain with an untrusted certificate

[Deadlock4400]

 

 

Hello Everybody,

Getting  the message: "Visiting a domain with an un-trusted certificate".

Tried into above network setting no luck.

Also from Web Threat Protection> Trusted Web Address the site was added but still the same warning showing.

 

@Deadlock4400 

[raviparker]

I don’t think Kaspersky is the issue here. Did you tried Opening the same website with any other browser?

Because browsers too block such requests and don’t allow you to proceed further.

[sreyas]

Its an issue with Kaspersky only, If we pause the protection there won't be any warning. We need some way to do the exclusion.

 

[raviparker]

Maybe this can help doing it the first time by the user:

When user encounter this page..

 

[sreyas]

Maybe this can help doing it the first time by the user:

When user encounter this page..

 

End-users can’t follow this always, this is just a workaround. There should be some permanent way to do exclusion for known sites.

[Deadlock4400]

I don’t think Kaspersky is the issue here. Did you tried Opening the same website with any other browser?

Because browsers too block such requests and don’t allow you to proceed further.

hello @raviparker 

See the first screen shot, there below left corner you can Kaspersky logo. 

 

It’s fine that the website has certificate or other problem, but there should be some way to exclude such irritating problem.

Dear @Nikolay arinchev  can you please answer something cool over here and make a awesome solutions !

 

Thanks -

@Deadlock4400  

[ak01]

The 2nd screenshot shows that „Scan encrypted connections” is not activated. KES should not touch encrypted traffic.

However if it is activated now, I would try to put the domain of the requested site into “trusted domains”.

[Deadlock4400]

hello @ak01 

Thanks for your reply.

Option “Scan encrypted connection” was ON n OFF both way tasted. Even i use the trusted domain also. I follow the below web link -

https://community.kaspersky.com/kaspersky-total-security-14/untrusted-root-center-site-blocked-connection-not-protected-and-can-t-exclude-it-i-understand-the-risks-is-not-available-812

 

also follow -

https://support.kaspersky.com/common/safemoney/12489?_ga=2.177839013.1039545886.1578383781-833333344.1575652241#block5

 

No way out!!

 

[ak01]

Are you sure you edit the right Policy (which applies to that computer)? I would check the local KES settings if it correctly applies your changes in the policy.

[Deadlock4400]

hello @ak01 

 

There is a single policy, so don’t thing a mistake was made over there

[ak01]

ok.

Are you sure that this policy applies to that computer (computer is correctly moved to “managed computer” or a subfolder, computer is listed as alive, agent is running and synchronized with KSC, ...)?

[Erwin NL]

I have the exact same problem since i updated my KES clients to 11.2.0.2254 last Friday, i am unable to connect to my local VMware vSphere web page because the option “I understand the risk, but want to proceed” is missing, when i disable KES 11.2.0.2254 the web page loads without issues.

 

A little side note the address is added to "Web threat protection” \ “Trusted web addresses” but that does not resolve the problem.

The certificate has also been added to my Windows 10 local computer certificate store, still no change, within Firefox i am unable to import the certificate because Firefox says there is no need to import it since it is a trusted certificate, the issue here is KES.

 

I also suddenly have problems with R&D software tools which worked fine but since the KES upgrade to 11.2.0.2254 suddenly are no longer able to write to remote network drives, the policy is in place and the clients are part of the managed devices\clients.

[Erwin NL]

In the first picture you can see that i cannot connect to the vSphere website, in the second picture i first tried to disable the KES policy butt that did not change the situation then i shutdown the KES application and i could immediately connect to the vSphere website without any problems.

 

PIC.01

 

PIC.02

 

[ak01]

I can only tell you what I do: I disabled the “scan encrypted connections” feature internally because we have another solution to scan encrypted traffic. So far that works (KES does not intercept the traffic), that is why I asked if the policy in the first post might not apply to the mentioned computer (this option works for me, also with KES11.2).

I only enable that feature outside of the company and at home (for example) where I do not have self- signed certificates.

[sd75]

Exact same problem here with KES Std 11.2.

I have 38 engineers unable to access our ESX lab web management interfaces, unless I completely disable scanning of encrypted connections, which is also quite annoying. 

[Erwin NL]

@sd75 

 

For vSphere and ESX local management websites i was able to resolve this problem easily by downloading the root CA from the vSphere and ESX local management websites and then importing these into the local computers store under "Trusted Root Certification Authorities”.

 

This unfortunately did not work for my RSA servers to access them i still need to use an old Internet Explorer version.

[alespinosadlm]

Unchech the “Scan encrypted connections” checkbox

[kboyle]

I resolved this issue by unchecking the “Scan encrypted connections” checkbox but that is too general a solution. I would like to provide exceptions for specific servers on my network that I access by IP address. How do I do that? IP addresses don’t work when I specify them as Tructed domains.

[Alex]

Unchech the “Scan encrypted connections” checkbox

 

 

I have the same issue with our vSphere, could you tell me how to permanently solve this issue?

[topher]

I also ran into the same issue.  I found the “Trusted Domains” exception would work for a hostname, but wouldn’t work for an IP Address.  So to work around the problem, I created DNS entries for those devices I used to only access via IP, and then excluded the those new DNS names.  For example, if your firewall is 192.168.1.1, I created a DNS entry for “firewall.domain.com” that pointed to 192.168.1.1.  Then added “firewall.domain.com” to the “Trusted Domain” exception list. 

[SUesbeck]

Hi,

we had the same problem with KES 11.2.

The “Trusted Domains” did not work with this release.

You can do an Upgrade to 11.3 / 11.4 then it will also work with IP Adresses.

 

Best regards

Sebastian

[Alex]

Hi,

we had the same problem with KES 11.2.

The “Trusted Domains” did not work with this release.

You can do an Upgrade to 11.3 / 11.4 then it will also work with IP Adresses.

 

Best regards

Sebastian

 

Where are Trusted Domains?

I only found Trusted Addresses or Applications.

[topher]

Hi,

we had the same problem with KES 11.2.

The “Trusted Domains” did not work with this release.

You can do an Upgrade to 11.3 / 11.4 then it will also work with IP Adresses.

 

Best regards

Sebastian

 

Where are Trusted Domains?

I only found Trusted Addresses or Applications.

From Kaspersky Security Center, open your policy and go to General Settings> Network Settings> “Trusted Domains” button.  At least that is what it shows on KSC 10, with a 11.2 policy.

[Alex]

From Kaspersky Security Center, open your policy and go to General Settings> Network Settings> “Trusted Domains” button.

 

I don’t have it

 

[SUesbeck]

Sorry, my mistake.

Trusted Adresses is correct, you can add IP´s or Domain Names there.

You can find it under General Settings → Network Settings.

I´m using a german interface, so i cannot give you the correct english name.