Kaspersky Standard | Plus | Premium

How to configure the Encrypted connections scan

The settings for the encrypted connections scan are used by the Web Threat Protection component. The Web Threat Protection component can decrypt and inspect network traffic sent over secure connections.

The encrypted connections scan is enabled by default. You can disable or enable the encrypted connections scan at any time.

By modifying the encrypted connections scan settings, you can:

  • Select the action to be performed by the application upon detection of an untrusted certificate.
  • Select the action to be performed when an encrypted connections scan error occurs on a website.
  • Enable or disable the use of the Internet for certificate verification.
  • View and configure a list of trusted domains.

    The application will not scan encrypted connections established when visiting listed domains.

  • Configure a list of certificates that the application will consider trusted when performing an encrypted connections scan.
  • Configure a list of network ports to be monitored by the application.

    You can specify the network ports or network port ranges to be monitored.

When the encrypted connections scan settings are changed, the application records a NetworkSettingsChanged event in the log file.

Special administration commands are provided in the command line for administering the settings for the encrypted connections scan. Using the commands for managing the settings for the encrypted connections scan, you can:

If the encrypted connections scan is enabled, you cannot see the information about the real security certificate of the server you are connecting to.

If you try to connect to a server that does not support the encrypted connections scan, the application will not be able to scan the encrypted connection with that server.

The application does not scan encrypted connections in the following cases:

  • The server you are connecting to uses protocols that the application does not support.
  • The server you are connecting to does not support the encrypted connections scan.
  • The domain of the server you are connecting to is in your list of exclusions.
  • None of the protection components of the Kaspersky application have requested traffic decryption.
  • The connection is made using the legacy SSL 2.0 protocol.

In this Help section

How to view and edit Encrypted connections scan settings

How to view exclusions from the encrypted connections scan

How to manage the list of trusted certificates


How to view and edit Encrypted connections scan settings

You can view and edit the encrypted connections scan settings. You can use special management commands to do the following:

  • Output the current values of the settings for the encrypted connections scan to the console or to a configuration file.

    You can use the configuration file to edit the settings.

  • Edit all the settings for the encrypted connections scan using the configuration file that contains the settings.

    You can get the configuration file using the command for displaying settings for the encrypted connections scan.

  • Edit individual settings using command line options in the format <setting name>=<setting value>.

    You can get the current values of the settings using the command for displaying the settings for the encrypted connections scan.

To output the current values of the settings of the encrypted connections scan to the console, execute the following command:

kfl-control --get-net-settings [--json]

where --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.

To output the current values of the settings for the encrypted connections scan to a configuration file, execute the following command:

kfl-control --get-net-settings --file <configuration file path> [--json]

where:

  • --file <configuration file path> is the path to the configuration file where the settings for the encrypted connections scan will be saved. If you specify the name of a file without specifying its path, the file will be created in the current directory. If a file with the specified name already exists in the specified path, it will be overwritten. If the specified directory cannot be found on the disk, the file will not be created.
  • --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.

To edit the values of the settings for the encrypted connections scan using a configuration file:

  1. Output the general application settings to a configuration file, as described above.
  2. Edit the values of the necessary parameters in the file and save the changes.
  3. Execute the command:

    kfl-control --set-net-settings --file <configuration file path> [--json]

    where:

    • --file <configuration file path> is the full path to the configuration file with the settings for the encrypted connections scan.
    • --json imports settings from a JSON configuration file into the application. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.

All the values of the settings for the encrypted connections scan defined in the file will be imported into the application.

To edit the values of the settings for the encrypted connections scan using the command line, execute the following command:

kfl-control --set-net-settings <setting name>=<setting value> [<setting name>=<setting value>]

where <setting name>=<setting value> is the name and value of one of the settings for the encrypted connections scan.

The values of the specified settings for the encrypted connections scan will be changed.
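
The export command above can also be used to audit changes, alongside the NetworkSettingsChanged log event. The following added example (not part of the Kaspersky documentation) saves a JSON baseline and later compares a fresh export against it. The function names, the KFL_CONTROL variable and the assumption that repeated exports of unchanged settings are byte-identical belong to this example.

```shell
#!/bin/sh
# Added example: snapshot the encrypted connections scan settings and
# detect later changes. KFL_CONTROL and the function names are assumptions.
KFL_CONTROL="${KFL_CONTROL:-kfl-control}"

# Export the current settings as JSON to the given file (documented command).
export_net_settings() {
    "$KFL_CONTROL" --get-net-settings --file "$1" --json
}

# Save a baseline. Refuses to overwrite an existing one, because --file
# overwrites silently and a reviewed baseline should not be replaced.
save_baseline() {
    baseline=$1
    if [ -e "$baseline" ]; then
        echo "baseline already exists: $baseline" >&2
        return 2
    fi
    # Subshell keeps the restrictive umask local to the export.
    ( umask 077; export_net_settings "$baseline" )
}

# Compare the current settings with the baseline.
# Returns 0 = unchanged, 1 = changed (unified diff printed), 2 = error.
check_drift() {
    baseline=$1
    [ -r "$baseline" ] || { echo "no baseline: $baseline" >&2; return 2; }
    current=$(mktemp) || return 2
    if ! export_net_settings "$current"; then
        rm -f "$current"
        return 2
    fi
    if cmp -s "$baseline" "$current"; then
        rm -f "$current"
        return 0
    fi
    diff -u "$baseline" "$current" || true
    rm -f "$current"
    return 1
}

# Usage: save_baseline /root/net-settings.baseline.json   (once, after review)
#        check_drift   /root/net-settings.baseline.json   (e.g. from cron)
```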


How to view exclusions from the encrypted connections scan

You can view the following lists of exclusions from the encrypted connections scan:

  • a list of exclusions added by the user;
  • a list of exclusions added by the application;
  • a list of exclusions received from the application databases.

To view the list of encrypted connections scan exclusions added by the user, execute the following command:

kfl-control -N --query user

To view the list of encrypted connections scan exclusions added by the application, execute the following command:

kfl-control -N --query auto

To view the list of encrypted connections scan exclusions received from the application databases, execute the following command:

kfl-control -N --query kl

To clear the list of domains that the application automatically excluded from the scan, execute the following command:

kfl-control -N --clear-web-auto-excluded


How to manage the list of trusted certificates

To add a certificate to the trusted certificate list, run the following command:

kfl-control --add-certificate <path to certificate>

where:

<path to certificate> is the path to the certificate file that you want to add (PEM or DER format).

To remove a certificate from the trusted certificate list, run the following command:

kfl-control --remove-certificate <certificate subject>

To view the list of trusted certificates, execute the following command:

kfl-control --list-certificates

The following information is displayed for each certificate:

  • certificate subject
  • serial number
  • certificate issuer
  • certificate start date
  • certificate expiration date
  • SHA256 certificate fingerprint
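
Because the application will consider every listed certificate trusted during the encrypted connections scan, it is worth confirming a certificate's SHA256 fingerprint against a value obtained out of band before adding it. The following added example (not from the Kaspersky documentation) does this with openssl for PEM or DER files. The function names and the KFL_CONTROL variable are assumptions of the example.

```shell
#!/bin/sh
# Added example: confirm a certificate's SHA256 fingerprint before trusting it.
# Function names and KFL_CONTROL are assumptions of this example.

# Print the SHA256 fingerprint (uppercase hex, no colons) of a PEM or DER file.
cert_sha256() {
    for form in PEM DER; do
        fp=$(openssl x509 -in "$1" -inform "$form" -noout \
             -fingerprint -sha256 2>/dev/null) || continue
        printf '%s\n' "${fp#*=}" | tr -d ':' | tr 'a-f' 'A-F'
        return 0
    done
    echo "not a PEM or DER certificate: $1" >&2
    return 1
}

# Normalize a fingerprint pasted by an operator (colons, spaces, any case).
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Add the certificate to the trusted list only when its fingerprint equals
# the expected value. Returns 0 = added, 1 = mismatch, 2 = unreadable file.
add_if_fingerprint_matches() {
    cert=$1
    expected=$(normalize_fp "$2")
    actual=$(cert_sha256 "$cert") || return 2
    if [ "${#expected}" -ne 64 ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $cert (got $actual)" >&2
        return 1
    fi
    "${KFL_CONTROL:-kfl-control}" --add-certificate "$cert"
}

# Usage: add_if_fingerprint_matches ./ca.pem "AB:CD:...:EF"
```

After a successful add, the fingerprint shown by kfl-control --list-certificates can be compared with the same expected value.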

To communicate with web resources signed with certificates of the National Certification Authority of the Ministry of Digital Development, Communications and Mass Media of the Russian Federation, you need to install the root certificates of the National Certification Authority on your device.

Ministry of Digital Development, Communications and Mass Media certificates are not included in the distribution kit of the Kaspersky application.
