Scanning encrypted connections with an untrusted certificate
After installation, Kaspersky Endpoint Security adds a Kaspersky certificate to the system storage for trusted certificates (Windows certificate store). Kaspersky Endpoint Security uses this certificate to scan encrypted connections. When visiting a domain with an untrusted certificate, you can allow or deny user access to that domain (see the instructions below).
If you have allowed the user to visit domains with untrusted certificates, Kaspersky Endpoint Security performs the following actions:
When visiting a domain with an untrusted certificate in the browser, Kaspersky Endpoint Security uses the Kaspersky certificate to scan traffic. Kaspersky Endpoint Security displays a HTML page with a warning and information about the reason why it is not recommended to visit the relevant domain (see the figure below). A user can click the link from the HTML warning page to obtain access to the requested web resource. After following this link, during the next hour Kaspersky Endpoint Security will not display warnings about an untrusted certificate when visiting other resources on this same domain. Kaspersky Endpoint Security also generates an event about establishing an encrypted connection with an untrusted certificate.
If a third-party application or service establishes a connection with a domain with an untrusted certificate, Kaspersky Endpoint Security creates its own certificate to scan traffic. The new certificate has the Untrusted status. This is necessary to warn the third-party application about the untrusted connection because the HTML page cannot be shown in this case and the connection can be established in background mode. Therefore, if a third-party application has built-in certificate verification tools, the connection may be terminated. In that case, you must contact the owner of the domain and set up a trusted connection. If setting up a trusted connection is impossible, you can add that third-party application to the list of trusted applications. Kaspersky Endpoint Security also generates an event about establishing an encrypted connection with an untrusted certificate.
Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select General settings → Network settings.
In the Encrypted connections scan block, click the Advanced Settings button.
This opens a window; in that window, select the application operating mode when visiting a domain with an untrusted certificate: Allow or Block connection.
In the main window of the Web Console, select Devices → Policies & Profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to General settings → Network settings.
Under Encrypted connections scan, select the application operating mode when visiting a domain with an untrusted certificate: Allow or Block connection.
In the application settings window, select General settings → Network settings.
Under Encrypted connections scan, select the application operating mode when visiting a domain with an untrusted certificate: Allow or Block connection.
Save your changes.
Warning about visiting a domain with an untrusted certificate