Scanning secure connections
January 10, 2024
Kaspersky Security can scan traffic transmitted over secure connections that were established using the following protocols: TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0 and SSL 3.0.
The application does not monitor traffic transmitted over encrypted connections using TLS 1.3 if the Encrypted Server Name Indication (ESNI) technology is used with TLS 1.3.
The application does not monitor traffic that is transmitted over encrypted connections using the SSL 2.0 protocol.
By default, Kaspersky Security intercepts the traffic transmitted through secure connections, decrypts it, and sends it for scanning to the Mail Anti-Virus, Web Anti-Virus, and Web Control components. Kaspersky Security components process the traffic according to the configured settings.
If secure connections scan is disabled, application components have the following limitations:
- Mail Anti-Virus does not scan messages that are sent or received via the protocols that ensure encrypted data transfer.
- Web Anti-Virus does not scan web pages and files that are accessed over encrypted connections.
- While monitoring access to web resources over encrypted connections, Web Control does not apply access rules that use content filtering.
If an error occurs while scanning an encrypted connection, the connection with the web resource is terminated. By default, Kaspersky Security also adds the domain name of the web resource to the list of domains whose secure connections result in a scan error. All web resources of the domains in this list are excluded from secure connections scan. On subsequent attempts to access web resources of this domain, Kaspersky Security allows the connection to be established but does not decrypt or scan the traffic. You can configure the action that Kaspersky Security takes when a secure connection scan error occurs.
When decrypting the traffic, Kaspersky Security validates the certificate of the web resource to which the secure connection is being established. By default, Kaspersky Security allows the connection to be established even when a certificate error is detected. However, if the connection is being established through a browser, a certificate error warning is displayed on the screen. You can configure the action that Kaspersky Security takes when a web resource certificate error is detected.
Kaspersky Security does not scan secure connections that are included in the list of predefined exclusions from secure connections scan. The list of predefined exclusions is compiled by Kaspersky experts, is included in the Kaspersky Security application distribution kit, and is updated automatically when the application databases are updated. You can view the list of predefined exclusions in the local interface of Light Agent for Windows.
You can also configure the following exclusions from secure connections scan:
- Exclusion of web resources of trusted domains. Kaspersky Security does not decrypt traffic and does not scan certificates of web resources if an encrypted connection is established with a web resource of a domain that has been added to the list of trusted domains.
- Exclusion of trusted applications. Kaspersky Security does not decrypt traffic and does not scan certificates of web resources if an encrypted connection is initiated by an application for which an encrypted traffic scan exclusion is configured.
When scanning secure connections, the Kaspersky certificate is used. This certificate is automatically installed in the trusted certificates store on the protected virtual machine when Kaspersky Security is installed, and is deleted when the application is removed.
Kaspersky Security changes the Mozilla Firefox browser settings on the protected virtual machine so that the browser uses the system trusted certificates store.
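Because the decrypted-and-rescanned traffic reaches the client with a certificate issued by the locally installed Kaspersky certificate, while excluded or trusted domains receive the server's original certificate, an administrator can verify from the protected machine which state a given connection is in. The following script is an added example, not part of this documentation or of the Kaspersky product; the issuer substring used to recognise the inspection certificate (`INSPECTION_ISSUER_MARKERS`) is an assumption to be adjusted to the subject shown in the trusted certificates store.

```python
"""Report whether a TLS connection from this machine is decrypted by a local
inspection CA (secure connections scan active) or passed through untouched
(domain excluded, trusted, or on the scan-error list)."""
import socket
import ssl

# Assumption: substrings identifying the locally installed inspection root.
# The page does not give the exact subject name; take it from the store.
INSPECTION_ISSUER_MARKERS = ("kaspersky",)


def issuer_common_name(cert):
    """Issuer CN from a dict shaped like ssl.SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def classify_issuer(cert, markers=INSPECTION_ISSUER_MARKERS):
    """'decrypted' when the leaf certificate was issued by the inspection CA,
    'passthrough' when the original server certificate reached the client."""
    cn = issuer_common_name(cert).lower()
    return "decrypted" if any(m in cn for m in markers) else "passthrough"


def probe(host, port=443, timeout=5.0):
    """Connect to host and report protocol version, issuer CN and state.
    The default context validates against the platform trust store, which on
    the protected machine contains the installed inspection root."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"host": host, "protocol": tls.version(),
                    "issuer": issuer_common_name(cert),
                    "state": classify_issuer(cert)}


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:] or ["example.com"]:
        print(probe(h))
```

Run it against a domain that should be scanned and against one on the trusted-domains list: the first should report `decrypted`, the second `passthrough`.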