Configuring the encrypted connections scan settings

To configure the encrypted connections scan settings:

  1. In the lower part of the main application window, click the icon_settings button.
  2. In the application settings window, select Network settings.
  3. In the Encrypted connections scan section, select the encrypted connection scanning mode:
    • Do not scan encrypted connections Kaspersky Endpoint Security will not have access to the contents of websites whose addresses begin with https://.
    • Scan encrypted connections upon request from protection components. Kaspersky Endpoint Security will scan encrypted traffic only when requested by the File Threat Protection, Mail Threat Protection, and Web Control components.
    • Always scan encrypted connections Kaspersky Endpoint Security will scan encrypted network traffic even if protection components are disabled.

    Kaspersky Endpoint Security does not scan encrypted connections that were established by trusted applications for which traffic scanning is disabled. Kaspersky Endpoint Security does not scan encrypted connections from the predefined list of trusted websites. The predefined list of trusted websites is created by Kaspersky experts. This list is updated with the application's anti-virus databases. You can view the predefined list of trusted websites only in the Kaspersky Endpoint Security interface. You cannot view the list in the Kaspersky Security Center Console.

  4. If necessary, add scan exclusions: trusted addresses and applications.
  5. Click the Advanced settings button.
  6. Configure the settings for scanning encrypted connections (see the table below).
  7. Save your changes.

    Encrypted connections scan settings

    Parameter

    Description

    When visiting a domain with an untrusted certificate

    • Allow. If this option is selected, when visiting a domain with an untrusted certificate, Kaspersky Endpoint Security allows the network connection.

    When opening a domain with an untrusted certificate in a browser, Kaspersky Endpoint Security displays an HTML page showing a warning and the reason why visiting that domain is not recommended. A user can click the link from the HTML warning page to obtain access to the requested web resource. After following this link, during the next hour Kaspersky Endpoint Security will not display warnings about an untrusted certificate when visiting other resources on this same domain.

    • Block connection. If this option is selected, when visiting a domain with an untrusted certificate, Kaspersky Endpoint Security blocks the network connection.

    When opening a domain with an untrusted certificate in a browser, Kaspersky Endpoint Security displays an HTML page showing the reason why that domain is blocked.

    When encrypted connection scan errors occur

    • Block connection. If this item is selected, when an encrypted connection scan error occurs, Kaspersky Endpoint Security blocks the network connection.
    • Add domain to exclusions. If this item is selected, when an encrypted connection scan error occurs, Kaspersky Endpoint Security adds the domain that resulted in the error to the list of domains with scan errors and does not monitor encrypted network traffic when this domain is visited. You can view a list of domains with encrypted connections scan errors only in the local interface of the application. To clear the list contents, you need to select Block connection.

    Block SSL 2.0 connections

    If the check box is selected, Kaspersky Endpoint Security blocks network connections established over the SSL 2.0 protocol.

    If the check box is cleared, Kaspersky Endpoint Security does not block network connections established over the SSL 2.0 protocol and does not monitor network traffic transmitted over these connections.

    Decrypt encrypted connections with websites that use EV certificates

    EV certificates (Extended Validation Certificates) confirm the authenticity of websites and enhance the security of the connection. Browsers use a lock icon in their address bar to indicate that a website has an EV certificate. Browsers may also fully or partially color the address bar in green.

    If the check box is selected, Kaspersky Endpoint Security decrypts and monitors encrypted connections with websites that use an EV certificate.

    If the check box is cleared, Kaspersky Endpoint Security does not have access to the contents of HTTPS traffic. For this reason, the application monitors HTTPS traffic only based on the website address, for example, https://facebook.com.

    If you are opening a website with an EV certificate for the first time, the encrypted connection will be decrypted regardless of whether or not the check box is selected.

Page top