Encrypted connections scan
The settings for the encrypted connections scan are used by the Web Threat Protection component. The Web Threat Protection component can decrypt and inspect network traffic sent over secure connections. The encrypted connections scan is enabled by default.
You can enable or disable the encrypted connections scan, and also configure the scan settings:
- Select the action to be performed by the application upon detection of an untrusted certificate.
- Select the action to be performed when an encrypted connections scan error occurs on a website.
- Enable or disable the use of the Internet for certificate verification.
- View and configure a list of trusted domains. The application will not scan encrypted connections established when visiting specified domains.
- Configure a list of root certificates that the application will consider trusted when performing an encrypted connections scan.
- Configure a list of network ports to be monitored by the application. You can specify the network ports or network port ranges to be monitored.
When the encrypted connections scan settings are changed, the application records a NetworkSettingsChanged event in the log file.
Configuring encrypted connections scan in the Web Console
In the Web Console, you can configure settings for encrypted connections scans in the policy properties (Application settings → General settings → Network settings).
Encrypted connections scan settings

| Setting | Description |
|---|---|
| Encrypted connections scan is enabled / disabled | This toggle switch enables or disables the encrypted connections scan. The toggle is switched on by default. |
| Trusted root certificates | Clicking Manage trusted root certificates opens the Trusted root certificates window, in which you can configure the list of trusted certificates. The list is used when scanning encrypted connections. |
| Visiting a domain with an untrusted certificate | You can select the action that the application performs when a domain with an untrusted certificate is visited. |
| Visiting a domain with an encrypted connections scan error | You can select the action that the application performs when a domain with an encrypted connections scan error is visited. |
| Certificate verification policy | You can select how the application verifies certificates. |
| Trusted domains | Clicking Configure trusted domains opens the Trusted domains window, in which you can configure the list of trusted domain names. Encrypted connections to the listed domains are not scanned. |
| Monitor all network ports | If this option is selected, the application monitors all network ports. |
| Monitor selected network ports only | If this option is selected, the application monitors only the network ports specified in the Monitored ports window. This option is selected by default, so encrypted connections on ports outside that list are not scanned. |
| Monitored ports | Clicking the Configure network port settings link opens the Monitored ports window, where you can specify the network ports to be monitored by the application. |
Trusted certificates window
You can configure a list of root certificates considered trusted by Kaspersky Embedded Systems Security. The list of trusted root certificates is used when scanning encrypted connections.
The following information is displayed for each certificate:
- certificate subject
- certificate serial number
- certificate issuer
- certificate start date
- certificate expiration date
- SHA256 certificate fingerprint
By default, the certificate list is empty.
You can add and remove certificates.
Adding a trusted certificate window
In this window, you can add a certificate to the list of trusted certificates.
The Add certificate link opens the standard file selection window. Indicate the path to the file that contains the certificate, in DER or PEM format.
After the certificate file is selected, the window displays certificate information and the file path.
Trusted domains window
This list contains the domain names and domain name masks that will be excluded from encrypted connection scans.
Example: `*example.com`
Specify a domain address, not a web page: `*example.com/*` is incorrect because it contains a path.
By default, the list is empty.
You can add, edit and remove domains from the list of trusted domains.
Monitored ports
The table contains the network ports that the application monitors when the Monitor selected network ports only option is selected under Monitored ports in the Network settings window.
The table contains two columns:
- Port – monitored port.
- Description – description of the monitored port.
By default, the table displays a list of network ports commonly used for mail and other network traffic. The list of network ports is included in the application package.
You can add, edit, and delete items in the table.
Configuring encrypted connections scan in the Administration Console
In the Administration Console, you can configure settings for encrypted connections scans in the policy properties (General settings → Network settings).
Encrypted connections scan settings

| Setting | Description |
|---|---|
| Enable encrypted connections scan | This check box enables or disables the encrypted connections scan. The check box is selected by default. |
| Visiting a domain with an untrusted certificate | In the drop-down list, you can select the action that the application performs when a domain with an untrusted certificate is visited. |
| Visiting a domain with an encrypted connections scan error | In the drop-down list, you can select the action that the application performs when a domain with an encrypted connections scan error is visited. |
| Certificate verification policy | In the drop-down list, you can select how the application verifies certificates. |
| Trusted domains | This group of settings contains the Configure button, which opens the Trusted domains window, where you can configure the list of trusted domain names. |
| Trusted root certificates | This group of settings contains the Configure button, which opens the Trusted root certificates window, where you can configure the list of trusted root certificates. The list is used when scanning encrypted connections. |
| Network ports settings | This group of settings contains the Configure button. Clicking this button opens the Monitored ports window. |
Trusted domains window
This list contains the domain names and domain name masks that will be excluded from encrypted connection scans.
Example: `*example.com`
Specify a domain address, not a web page: `*example.com/*` is incorrect because it contains a path.
By default, the list is empty.
You can add, edit and remove domains from the list of trusted domains.
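Every entry in the trusted domains list (the Web Console and Administration Console windows above) switches inspection off for whatever it matches, so a mask that is broader than intended is a silent bypass. The following script is an added example, not part of the product documentation or the product's own code. It applies the page's stated rule (a domain address, not a web page, so entries containing a path such as `*example.com/*` are rejected) and then shows which hosts from a constructed sample list a mask would exclude from the scan. The matching rule is an assumption: `*` is treated as a glob that matches any run of characters, which is how the page's example `*example.com` reads; check it against the product's own mask semantics before relying on the result.

```python
"""Review proposed trusted-domain entries for the encrypted connections scan.

Added example; not from the product documentation or the product's code.
Assumption: '*' in a mask matches any run of characters (glob semantics).
"""
import re
from fnmatch import fnmatchcase

# A domain name or mask: letters, digits, '-', '.', and '*' only.
_HOST_MASK_RE = re.compile(r"^[A-Za-z0-9*](?:[A-Za-z0-9*.-]*[A-Za-z0-9*])?$")


def validate_entry(entry: str):
    """Return (ok, reason). Only a domain name or domain mask is acceptable."""
    e = entry.strip()
    if not e:
        return False, "empty entry"
    if "://" in e:
        return False, "contains a URL scheme; specify the domain only"
    if "/" in e or "?" in e or "#" in e:
        return False, "contains a path or query; a domain, not a web page, must be specified"
    if ":" in e:
        return False, "contains a port; specify the domain name only"
    if not _HOST_MASK_RE.match(e):
        return False, "not a valid domain name or mask"
    if e == "*":
        return False, "would exclude every domain from the scan"
    return True, "ok"


def excluded_hosts(mask: str, hosts):
    """Hosts that `mask` would exclude from the scan (glob assumption, case-insensitive)."""
    return [h for h in hosts if fnmatchcase(h.lower(), mask.lower())]


def audit(entries, sample_hosts):
    """Per entry: whether it is valid and which sample hosts it would stop inspecting."""
    report = {}
    for entry in entries:
        ok, reason = validate_entry(entry)
        report[entry] = {
            "valid": ok,
            "reason": reason,
            "excludes": excluded_hosts(entry, sample_hosts) if ok else [],
        }
    return report


# Constructed sample input (not taken from any real deployment).
SAMPLE_ENTRIES = ["*example.com", "*example.com/*", "*.example.com",
                  "update.example.com", "https://example.com"]
SAMPLE_HOSTS = ["example.com", "update.example.com", "notexample.com",
                "example.com.evil.test"]

if __name__ == "__main__":
    for entry, r in audit(SAMPLE_ENTRIES, SAMPLE_HOSTS).items():
        print(f"{entry:22} valid={str(r['valid']):5} {r['reason']}; excludes {r['excludes']}")
```

Under the glob assumption `*example.com` excludes `notexample.com` as well as `example.com` and its subdomains, while `*.example.com` covers only subdomains and not `example.com` itself; if the product's masks behave this way, list the bare domain and the `*.` mask separately rather than relying on a leading wildcard.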
Trusted certificates window
You can configure a list of root certificates considered trusted by Kaspersky Embedded Systems Security. The list of trusted root certificates is used when scanning encrypted connections.
The following information is displayed for each certificate:
- certificate subject
- certificate serial number
- certificate issuer
- certificate start date
- certificate expiration date
- SHA256 certificate fingerprint
By default, the certificate list is empty.
You can add and remove certificates.
Adding certificate window
In this window, you can add a certificate to the trusted certificate list in one of the following ways:
- Indicate the path to the certificate file. The Browse button opens the standard file selection window. Indicate the path to the file that contains the certificate, in DER or PEM format.
- Copy the contents of the certificate file into the Enter certificate details field.
Monitored ports
Network ports settings

| Setting | Description |
|---|---|
| Monitor all network ports | If this option is selected, the application monitors all network ports. |
| Monitor selected network ports only | If this option is selected, the application monitors only the network ports specified in the table. This option is selected by default. |
| Network ports settings | This table contains the network ports monitored by the application if the Monitor selected network ports only option is selected. The table contains two columns: Port (the monitored port) and Description (a description of the monitored port). By default, the table displays a list of network ports commonly used for mail and other network traffic. The list of network ports is included in the application package. |
Configuring encrypted connections scan in the command line
Special administration commands are provided in the command line for administering the settings for the encrypted connections scan. Using the commands for managing the settings for the encrypted connections scan, you can:
- Configure settings for the encrypted connections scan.
- View exclusions from the encrypted connections scan.
- Clear the list of domains that the application automatically excluded from the scan.
- Configure the list of trusted root certificates that the application uses when scanning encrypted connections.
Viewing and editing settings for encrypted connections scan
Using the commands for managing the settings for the encrypted connections scan, you can:
- Output the current values of the settings for the encrypted connections scan to the console or to a configuration file. You can use this file to edit the settings.
- Edit all the settings for the encrypted connections scan using the configuration file that contains the settings. You can get the configuration file using the command for displaying settings for the encrypted connections scan.
- Edit individual settings using command line options in the format `<setting name>=<setting value>`. You can get the current values of the settings using the command for displaying the settings for the encrypted connections scan.
To output the current values of the settings of the encrypted connections scan to the console, execute the following command:
`kess-control --get-net-settings [--json]`
where `--json` is specified to output the settings in JSON format. If the `--json` option is not specified, the settings are output in INI format.
To output the current values of the settings for the encrypted connections scan to a file, execute the following command:
`kess-control --get-net-settings --file <path to configuration file> [--json]`
where:
- `--file <path to configuration file>` is the path to the configuration file where the settings for the encrypted connections scan will be saved. If you specify a file name without a path, the file is created in the current directory. If a file with the specified name already exists at the specified path, it is overwritten. If the specified directory does not exist, the file is not created.
- `--json` is specified to output the settings in JSON format. If the `--json` option is not specified, the settings are output in INI format.
To edit the values of the settings for the encrypted connections scan using a configuration file:
- Output the settings for the encrypted connections scan to a configuration file, as described above.
- Edit the values of the necessary settings in the file and save the changes.
- Execute the command:
`kess-control --set-net-settings --file <path to configuration file> [--json]`
where:
- `--file <path to configuration file>` is the full path to the configuration file with the settings for the encrypted connections scan.
- `--json` is specified to import the settings from a configuration file in JSON format. If the `--json` option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.
All the values of the settings for the encrypted connections scan defined in the file will be imported into the application.
To edit the values of the settings for the encrypted connections scan using the command line, execute the following command:
`kess-control --set-net-settings <setting name>=<setting value> [<setting name>=<setting value>]`
where `<setting name>=<setting value>` is the name and value of one of the settings for the encrypted connections scan.
The values of the specified settings for the encrypted connections scan will be changed.
Viewing exclusions from encrypted connections scan
You can view the following lists of exclusions from the encrypted connections scan:
- a list of exclusions added by the user;
- a list of exclusions added automatically by the application;
- a list of exclusions received from the application databases.
To view the list of encrypted connection scan exclusions added by the user, execute the following command:
`kess-control -N --query user`
To view the list of encrypted connection scan exclusions added automatically by the application, execute the following command:
`kess-control -N --query auto`
To view the list of encrypted connection scan exclusions received from the application databases, execute the following command:
`kess-control -N --query kl`
To clear the list of domains that the application automatically excluded from the scan, execute the following command:
`kess-control [-N] --clear-web-auto-excluded`
Review all three lists together when auditing what the component is not inspecting: only the user list reflects deliberate administrator decisions.
Managing the list of trusted root certificates
To add a certificate to the list of trusted root certificates, run the following command:
`kess-control --add-certificate <path to certificate>`
where `<path to certificate>` is the path to the certificate file that you want to add (PEM or DER format).
To remove a certificate from the list of trusted root certificates, run the following command:
`kess-control --remove-certificate <certificate subject>`
To view the list of trusted root certificates, execute the following command:
`kess-control --list-certificates`
The following information is displayed for each certificate:
- certificate subject
- serial number
- certificate issuer
- certificate start date
- certificate expiration date
- SHA256 certificate fingerprint
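A certificate added with `--add-certificate` (or through the Trusted certificates windows described earlier) becomes a trust anchor for every encrypted connection the component inspects, so it is worth confirming, before adding it, that the file really is a root (self-signed, issuer equal to subject), that it is within its validity period, and what fingerprint the product will display so it can be compared against `--list-certificates` afterwards. The script below is an added example, not part of the product documentation or the product's own code. It reads the two formats the page accepts (PEM or DER), extracts the same fields the product lists (subject, serial number, issuer, start and expiration date, SHA-256 fingerprint) with a minimal standard-library DER walker, and runs those checks. The sample certificate at the bottom is constructed for this example, is unsigned and is not a real CA; the field names, the colon-separated fingerprint format and the check names are this example's own choices.

```python
"""Pre-flight check of a certificate file before `kess-control --add-certificate`.

Added example; not from the product documentation or the product's code.
The sample certificate below is constructed and unsigned (not a real CA).
"""
import base64
import hashlib
import re
from datetime import datetime, timezone

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
_OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}


def load_der(data: bytes) -> bytes:
    """Return DER bytes from a PEM-armoured or raw DER certificate."""
    m = _PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    if not data or data[0] != 0x30:  # a DER Certificate starts with a SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return data


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf: bytes):
    """Split the content of a SEQUENCE/SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out


def _oid(val: bytes) -> str:  # decode a DER OBJECT IDENTIFIER to dotted form
    first, second = divmod(val[0], 40)
    arcs, acc = [first, second], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _name(val: bytes) -> str:
    """Render an X.501 Name (SEQUENCE OF SET OF {type, value}) as 'CN=..., O=...'."""
    parts = []
    for _, rdn in _children(val):
        for _, atv in _children(rdn):
            (_, oid), (_, text) = _children(atv)
            parts.append(f"{_OID_NAMES.get(_oid(oid), _oid(oid))}={text.decode('utf-8', 'replace')}")
    return ", ".join(parts)


def _time(tag: int, val: bytes) -> datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)


def inspect_certificate(data: bytes, now=None) -> dict:
    """Return the fields the product displays plus root-CA sanity checks."""
    der = load_der(data)
    _, cert, _ = _tlv(der, 0)
    (_, tbs), _, _ = _children(cert)  # tbsCertificate, signatureAlgorithm, signatureValue
    fields = _children(tbs)
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    (_, serial), _, (_, issuer), (_, validity), (_, subject) = fields[:5]
    (t0, v0), (t1, v1) = _children(validity)
    not_before, not_after = _time(t0, v0), _time(t1, v1)
    now = now or datetime.now(timezone.utc)
    fp = hashlib.sha256(der).hexdigest().upper()  # fingerprint is over the DER bytes
    return {
        "subject": _name(subject),
        "serial": int.from_bytes(serial, "big", signed=True),
        "issuer": _name(issuer),
        "not_before": not_before,
        "not_after": not_after,
        "sha256": ":".join(fp[i:i + 2] for i in range(0, 64, 2)),
        "self_signed": issuer == subject,  # a root CA issues its own certificate
        "currently_valid": not_before <= now <= not_after,
    }


# --- constructed sample input: syntactically valid, unsigned, not a real CA ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])) + content


def _cn(name: str) -> bytes:  # Name with a single CN (OID 2.5.4.3) attribute
    return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, name.encode()))))


_SHA256_RSA = _der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00")
_TBS = _der(0x30, _der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x2a" + _SHA256_RSA  # v3, serial 42
            + _cn("Example Corp Root CA")  # issuer
            + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))  # validity
            + _cn("Example Corp Root CA")  # subject, identical to issuer
            + _der(0x30, _der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00") + _der(0x03, b"\x00")))
SAMPLE_DER = _der(0x30, _TBS + _SHA256_RSA + _der(0x03, b"\x00"))
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n"
```

Call `inspect_certificate(open(path, "rb").read())` on the file you intend to pass to `--add-certificate`; a result with `self_signed` false is an intermediate or leaf certificate rather than a root, and the `sha256` value is what to compare against the fingerprint shown by `--list-certificates` after the addition. PEM and DER copies of the same certificate yield the same fingerprint because it is computed over the DER encoding.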