Configuring secure connections scan settings

You can configure secure connections scan settings through Kaspersky Security Center or in the local interface of Light Agent for Windows.

To configure secure connections scan settings in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the Network traffic monitoring section in the list on the left.
  6. In the right part of the window, in the Secure connections scan section, click the Scan settings button.
  7. In the Secure connections scan settings window that opens, select the action that Kaspersky Security performs when a web resource certificate error is detected:
    • Allow. Kaspersky Security allows a connection to be established with the web resource.

      If the connection is established through a browser and you attempt to access a website with a certificate error, you will see an HTML page containing a warning that visiting the website is not recommended, and a description of the detected certificate error. You can click the link on the HTML page to proceed to the requested website. For a period of an hour after clicking the link, Kaspersky Security will not display warnings for the certificate error of this website or when requesting other web resources in the same domain.

      This action is selected by default.

    • Block. Kaspersky Security blocks the connection with the web resource.

      If the connection is established through a browser and you attempt to access a website with a certificate error, you will see an HTML page containing a warning that the website is blocked, and a description of the detected certificate error.

  8. Select the action that Kaspersky Security performs when secure connections scan errors occur:
    • Exclude domain from scanning. If scan of a secure connection with a web resource ends with an error, Kaspersky Security adds the web resource domain to the list of domains with secure connection errors. All web resources of domains in this list are excluded from secure connections scans. When there is another attempt to access web resources of this domain, Kaspersky Security allows the connection to be established but does not decrypt and scan the traffic.

      This action is selected by default.

      The list of domains with secure connections scan errors can be viewed in the Secure connections scan settings window in the local interface of Light Agent for Windows.

    • Terminate connection. If a scan of a secure connection with a web resource ends with an error, Kaspersky Security blocks all subsequent attempts to connect to this web resource.

      If you selected the Terminate connection action, all domains previously added to the list of domains with secure connections scan errors are automatically deleted from this list.

  9. If you want Kaspersky Security to block connections that are established using the TLS 1.0, SSL 2.0, and SSL 3.0 protocols, select the Block TLS 1.0, SSL 2.0 and SSL 3.0 connections (recommended) check box.

    By default, Kaspersky Security does not block network connections that are established using the TLS 1.0, SSL 2.0 and SSL 3.0 protocols. In this case, Kaspersky Security monitors network traffic transmitted over connections that are established using the TLS 1.0 and SSL 3.0 protocols. Network traffic transmitted using the SSL 2.0 protocol is not monitored.

    The TLS 1.0, SSL 2.0, and SSL 3.0 protocols have some flaws affecting the security of data transfer.

  10. In the Secure connections scan settings window, click OK.
  11. Click the Apply button.

To configure the secure connections scan settings in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Other settings section, select Network traffic monitoring.

    In the right part of the window the settings for Network Ports Monitoring and for Scanning Secure Connections are displayed.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  3. Complete steps 6–10 of the previous instructions.

    Click the Domains with scan errors link in the Secure connections scan settings window to view the list of domains whose secure connections result in a scan error.

  4. To save changes, click the Save button.
Page top