Kaspersky and MalwareTips

SeriousHoax

SeriousHoax

Level 51
Verified
Top Poster
Well-known
Mar 16, 2019
4,058
Parkinsond said:
I have already decided to ditch Kaspersky and to revert back to Microsoft defender.
Only Avast-AVG can scan https and QUIC without inserting their certificate.
Click to expand...
Kaspersky was experimenting with the same method used by Avast-AVG in their last beta but didn't push this change to the final version. Maybe they'll test again in the next beta.
I asked ESET if they would consider the same method and Marcos from ESET forum told me,
There has already been an internal discussion about this, and the cons substantially outweigh the benefits. We've also tested one of the mentioned AVs, and as we assumed, a malicious connection was not blocked, just reported while with ESET, it would have been blocked. This topic is still open, and if there is a way to perform SSL filtering differently without any negative effects on security, we will definitely consider it.
Click to expand...
I don't know how much truth is in that but I'm pretty sure that there must be some considerable downsides. Otherwise, everyone else would've opted for that method a long time ago.
 
Last edited:
  • Like
  • +Reputation
Reactions: Gandalf_The_Grey, Miravi, Trident and 3 others
SeriousHoax

SeriousHoax

Level 51
Verified
Top Poster
Well-known
Mar 16, 2019
4,058
Parkinsond said:
How it is possible to block malicious connections without scanning encrypted https traffic?
Click to expand...
The process of decrypting secured HTTPS traffic to scan the whole content loaded by a website is known as HTTPS/SSL scanning by AV vendors. Even without decryption, any attempt to visit a known malicious/phishing host can still be blocked by those AVs.
Decryption is mainly useful if a compromised websites HTML contains malicious code which you can't see without the AV being the Man in the Middle. But I'm sure most websites you visit regularly are not compromised with malware. So, it's not the most useful feature in most situations and can be disabled if you're not a super-risky user. Disabling it also increases browsing speed.
 
  • Like
  • +Reputation
Reactions: roger_m, Miravi, Trident and 3 others
Minimalist

Minimalist

Level 10
Verified
Well-known
Oct 2, 2020
485
SeriousHoax said:
This is correct and this is something Bitdefender also do. Even in some pirated sports streaming sites that I often visit are not SSL scanned because of this reason.
BTW, ESET does HTTPS scanning on MalwareTips for me on MS Edge but doesn't do on Firefox.
For Edge, if I clean cookies, cache, reopen the browser and visit MT then on first visit HTTPS scanning is not performed but for all subsequent visits there is always ESET's certificate on Edge. This exact behavior at least on Edge is not new. I have been seeing this for many years.
On Firefox the QUIC version of MT is loaded while on Edge it's TLS 1.3 (excluding first visit). In Chromium browsers, using self-signing certificate to filter QUIC traffic is not allowed yet, so it has to be either forced to load TLS 1.3 or no HTTPS scanning on the site. On Firefox, filtering QUIC with self-signing certificate is allowed. Maybe this is where the difference is coming from. But I can't tell for sure why.
Kaspersky cannot filter QUIC at all, so they force downgrade everything to TLS 1.3 on all browsers.
Click to expand...
I've made some additional tests and disabled QUIC in Firefox and disabled whitelisting and now all websites have their conneection decrypted by ESET. So it seems that it doesn't handle that protocol the same way as TLS. Although they have option to disable/enable HTTP/3 traffic scanning.
 
  • Like
Reactions: Miravi, simmerskool, Parkinsond and 1 other person
Parkinsond

Parkinsond

Level 3
Thread author
Dec 6, 2023
103
Minimalist said:
I've made some additional tests and disabled QUIC in Firefox and disabled whitelisting and now all websites have their conneection decrypted by ESET. So it seems that it doesn't handle that protocol the same way as TLS. Although they have option to disable/enable HTTP/3 traffic scanning.
Click to expand...
Only Avast-AVG can handle QUIC
 
  • Like
Reactions: Minimalist
Minimalist

Minimalist

Level 10
Verified
Well-known
Oct 2, 2020
485
SeriousHoax said:
The process of decrypting secured HTTPS traffic to scan the whole content loaded by a website is known as HTTPS/SSL scanning by AV vendors. Even without decryption, any attempt to visit a known malicious/phishing host can still be blocked by those AVs.
Decryption is mainly useful if a compromised websites HTML contains malicious code which you can't see without the AV being the Man in the Middle. But I'm sure most websites you visit regularly are not compromised with malware. So, it's not the most useful feature in most situations and can be disabled if you're not a super-risky user. Disabling it also increases browsing speed.
Click to expand...
That's true and it can (probably slightly) affect protection at least for ESET.
If I have traffic scanning enabled it can find some "suspicious" website objects that are not "detected" if scanning is disabled. One such example is on their welivesecurity website as shown below. Files are sent for analysis only if traffic scanning is enabled. ( I know that those are harmless: probably just configuration files posted in text that trigger that behaviour).

1746460311723.png
 
  • Like
Reactions: simmerskool and SeriousHoax
SeriousHoax

SeriousHoax

Level 51
Verified
Top Poster
Well-known
Mar 16, 2019
4,058
Minimalist said:
I've made some additional tests and disabled QUIC in Firefox and disabled whitelisting and now all websites have their conneection decrypted by ESET. So it seems that it doesn't handle that protocol the same way as TLS. Although they have option to disable/enable HTTP/3 traffic scanning.
Click to expand...
Good find. Only ESET would know the exact reason.
Parkinsond said:
Only Avast-AVG can handle QUIC
Click to expand...
ESET added QUIC filtering support last year.
1746460486156.png
 
  • Like
  • +Reputation
Reactions: Trident, Minimalist and Parkinsond
SeriousHoax

SeriousHoax

Level 51
Verified
Top Poster
Well-known
Mar 16, 2019
4,058
Minimalist said:
That's true and it can (probably slightly) affect protection at least for ESET.
If I have traffic scanning enabled it can find some "suspicious" website objects that are not "detected" if scanning is disabled. One such example is on their welivesecurity website as hown below. Files are sent for analysis only if traffic scanning is enabled. ( I know that those are harmless: probably just configuration files posted in text that trigger that behaviour).

View attachment 288450
Click to expand...
Yeah, true. This happens sometimes. It happens most of the time when I update something in my GitHub and if I open those in raw format then ESET sends them to LiveGrid.
 
  • Like
  • +Reputation
Reactions: Trident, simmerskool and Minimalist
Parkinsond

Parkinsond

Level 3
Thread author
Dec 6, 2023
103
Tried to add exclusion of Facebook, Twitter, Youtube and others.
It worked for all, but Youtube.
Kaspersky behavior regarding encrypted connection scan is a little bit inconsistent.
 

Similar threads

Mackiwi
Solved Chrome browser changes search results within seconds and to poorer results
Replies
10
Views
940
Windows Malware Removal Help & Support
icotonev
icotonev
bjm_
    • Like
    • Thanks
New Update Sandboxie-Plus v1.11.2
Replies
0
Views
888
Sandboxie
bjm_
bjm_
enaph
    • Like
    • +Reputation
    • Wow
Security News Fake Avast Antivirus Sites Are Spreading SpyNote Android Malware
Replies
1
Views
729
Security News
Studynxx
S

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top