Excluding encrypted connections from scanning
Most web resources use encrypted connections. Kaspersky experts recommend that you enable Encrypted connections scan. If encrypted connections scan interferes with work-related activity, you can add a website to exclusions referred to as trusted addresses. In this case, Kaspersky Endpoint Security does not scan HTTPS traffic of trusted web addresses when the Web Threat Protection, Mail Threat Protection, and Web Control components are running.
If a trusted application uses an encrypted connection, you can disable encrypted connections scan for this application. For example, you can disable encrypted connections scan for cloud storage applications that use two-factor authentication with their own certificate.
How to exclude a web address from encrypted connection scans in the Administration Console (MMC)
- Open the Kaspersky Security Center Administration Console.
- In the console tree, select Policies.
- Select the necessary policy and double-click to open the policy properties.
- In the policy window, select General settings → Network settings.
- In the Encrypted connections scan block, click the Configure trusted addresses button.
- Click Add.
- Enter a domain name or an IP address if you do not want Kaspersky Endpoint Security to scan encrypted connections established when visiting that domain.
Kaspersky Endpoint Security supports the * character for entering a mask in the domain name.
Kaspersky Endpoint Security does not support the * symbol for IP addresses. You can select a range of IP addresses using a subnet mask (for example, 198.51.100.0/24).
Examples:
domain.com – the record is inclusive of the following addresses: https://domain.com, https://www.domain.com, https://domain.com/page123. The record is exclusive of subdomains (for example, subdomain.domain.com).
subdomain.domain.com – the record is inclusive of the following addresses: https://subdomain.domain.com, https://subdomain.domain.com/page123. The record is exclusive of the domain.com domain.
*.domain.com – the record is inclusive of the following addresses: https://movies.domain.com, https://images.domain.com/page123. The record is exclusive of the domain.com domain.
- Save your changes.
How to exclude a web address from encrypted connection scans in Web Console and Cloud Console
- In the main window of the Web Console, select Devices → Policies & profiles.
- Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
- Select the Application settings tab.
- Go to General settings → Network Settings.
- In the Encrypted connections scan block, click the Configure trusted addresses button.
- Click Add.
- Enter a domain name or an IP address if you do not want Kaspersky Endpoint Security to scan encrypted connections established when visiting that domain.
Kaspersky Endpoint Security supports the * character for entering a mask in the domain name.
Kaspersky Endpoint Security does not support the * symbol for IP addresses. You can select a range of IP addresses using a subnet mask (for example, 198.51.100.0/24).
Examples:
domain.com – the record is inclusive of the following addresses: https://domain.com, https://www.domain.com, https://domain.com/page123. The record is exclusive of subdomains (for example, subdomain.domain.com).
subdomain.domain.com – the record is inclusive of the following addresses: https://subdomain.domain.com, https://subdomain.domain.com/page123. The record is exclusive of the domain.com domain.
*.domain.com – the record is inclusive of the following addresses: https://movies.domain.com, https://images.domain.com/page123. The record is exclusive of the domain.com domain.
- Save your changes.
How to exclude a web address from encrypted connection scans in the application interface
- In the main application window, click the button.
- In the application settings window, select General settings → Network settings.
Application network settings
- In the Encrypted connections scan block, click the Configure trusted addresses button.
- Click Add.
- Enter a domain name or an IP address if you do not want Kaspersky Endpoint Security to scan encrypted connections established when visiting that domain.
Kaspersky Endpoint Security supports the * character for entering a mask in the domain name.
Kaspersky Endpoint Security does not support the * symbol for IP addresses. You can select a range of IP addresses using a subnet mask (for example, 198.51.100.0/24).
Examples:
domain.com – the record is inclusive of the following addresses: https://domain.com, https://www.domain.com, https://domain.com/page123. The record is exclusive of subdomains (for example, subdomain.domain.com).
subdomain.domain.com – the record is inclusive of the following addresses: https://subdomain.domain.com, https://subdomain.domain.com/page123. The record is exclusive of the domain.com domain.
*.domain.com – the record is inclusive of the following addresses: https://movies.domain.com, https://images.domain.com/page123. The record is exclusive of the domain.com domain.
- Save your changes.
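The matching rules from the examples above, modelled as an added Python example (not Kaspersky code) for checking which URLs a proposed trusted-address list would exclude from scanning before it goes into a policy. It assumes that * stands for one or more characters of the host name and that the www. rule shown for domain.com applies to every record without a mask; the function names and sample records are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def parse_entry(entry):
    """Classify a trusted-address record as ('net', network) or ('host', mask)."""
    entry = entry.strip().lower()
    try:
        # Covers single IPs and subnet-mask ranges such as 198.51.100.0/24.
        return "net", ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass
    # The page states that '*' is not supported in IP addresses.
    if "*" in entry and entry.replace("*", "0").replace(".", "").isdigit():
        raise ValueError(f"'*' is not supported in IP addresses: {entry}")
    return "host", entry


def is_excluded(url, entries):
    """Return True if the URL's host matches any trusted-address record."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # host is a domain name, not an IP literal
    for raw in entries:
        kind, value = parse_entry(raw)
        if kind == "net":
            if addr is not None and addr in value:
                return True
        elif "*" in value:
            # Assumption: '*' stands for one or more characters of the host.
            pattern = re.escape(value).replace(r"\*", ".+")
            if re.fullmatch(pattern, host):
                return True
        elif host in (value, "www." + value):
            # Documented for domain.com: the bare domain and its www. form
            # match, other subdomains do not. Applied to all records here.
            return True
    return False


if __name__ == "__main__":
    trusted = ["domain.com", "*.cdn.example", "198.51.100.0/24"]  # constructed
    for url in ("https://www.domain.com/", "https://subdomain.domain.com/",
                "https://a.cdn.example/x", "https://198.51.100.7/"):
        print(url, "->", "not scanned" if is_excluded(url, trusted) else "scanned")
```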
By default, Kaspersky Endpoint Security does not scan encrypted connections when errors occur and adds the website to a special list of Domains with scan errors. Kaspersky Endpoint Security compiles a separate list for each user and does not send data to Kaspersky Security Center. You can enable blocking the connection when a scan error occurs. You can view a list of domains with encrypted connections scan errors only in the local interface of the application.
To view the list of domains with scan errors:
- In the main application window, click the button.
- In the application settings window, select General settings → Network settings.
- In the Encrypted connections scan block, click the Domains with scan errors button.
A list of domains with scan errors opens. To reset the list, enable blocking connection when scan errors occur in the policy, apply the policy, then reset the parameter to its initial value and apply the policy again.
Kaspersky specialists make a list of global exceptions — trusted websites that Kaspersky Endpoint Security does not check regardless of the application settings.
To view the global exclusions from encrypted traffic scans:
- In the main application window, click the button.
- In the application settings window, select General settings → Network settings.
- In the Encrypted connections scan block, click the list of trusted websites link.
This opens a list of websites compiled by Kaspersky experts. Kaspersky Endpoint Security does not scan protected connections for websites on the list. The list may be updated when Kaspersky Endpoint Security databases and modules are updated.