Excluding encrypted connections from scanning

Most web resources use encrypted connections. Kaspersky experts recommend that you enable Encrypted connections scan. If encrypted connections scan interferes with work-related activity, you can add a website to exclusions referred to as trusted addresses. If a trusted application uses an encrypted connection, you can disable encrypted connections scan for this application. For example, you can disable encrypted connections scan for cloud storage applications that use two-factor authentication with their own certificate.

To exclude a web address from encrypted connection scans:

  1. In the main application window, click the button icon_settings.
  2. In the application settings window, select General settingsNetwork settings.
  3. In the Encrypted connection scanning block, click the Trusted addresses button.
  4. Click the Add button.
  5. Enter a domain name or an IP address if you do not want Kaspersky Endpoint Security to scan encrypted connections established when visiting that domain.

    Kaspersky Endpoint Security supports the * character for entering a mask in the domain name.

    Kaspersky Endpoint Security does not support masks for IP addresses. You can enter a range of IP addresses in the local application interface (for example, 198.51.100.0/24). You cannot enter a range of IP addresses in the Kaspersky Security Center console.

    Examples:

    • domain.com – the record is inclusive of the following addresses: https://domain.com, https://www.domain.com, https://domain.com/page123. The record is exclusive of subdomains (for example, subdomain.domain.com).
    • subdomain.domain.com – the record is inclusive of the following addresses: https://subdomain.domain.com, https://subdomain.domain.com/page123. The record is exclusive of the domain.com domain.
    • *.domain.com – the record is inclusive of the following addresses: https://movies.domain.com, https://images.domain.com/page123. The record is exclusive of the domain.com domain.
  6. Save your changes.

By default, Kaspersky Endpoint Security does not scan encrypted connections when errors occur and adds the website to a special list of Domains with scan errors. Kaspersky Endpoint Security compiles a separate list for each user and does not send data to Kaspersky Security Center. You can enable blocking the connection when a scan error occurs. You can view a list of domains with encrypted connections scan errors only in the local interface of the application.

To view the list of domains with scan errors:

  1. In the main application window, click the button icon_settings.
  2. In the application settings window, select General settingsNetwork settings.
  3. In the Encrypted connection scanning block, click the Domains with scan errors button.

A list of domains with scan errors opens. To reset the list, enable blocking connection when scan errors occur in the policy, apply the policy, then reset the parameter to its initial value and apply the policy again.

Kaspersky specialists make a list of global exceptions — trusted websites that Kaspersky Endpoint Security does not check regardless of the application settings.

To view the global exclusions from encrypted traffic scans:

  1. In the main application window, click the button icon_settings.
  2. In the application settings window, select General settingsNetwork settings.
  3. In the Encrypted connection scanning block, click the list of trusted websites link.

This opens a list of websites compiled by Kaspersky experts. Kaspersky Endpoint Security does not scan protected connections for websites on the list. The list may be updated when Kaspersky Endpoint Security databases and modules are updated.

Page top