Secure Transport Protocols

Copy current article URL Share via email

This article (PDF) Whole documentation (PDF)

Secure transport protocols (SSL/TLS) enable Web Access Protection and Email Client Protection to monitor data transmitted through secure protocols, such as HTTPS, POP3S or IMAPS.

Filtering Mode

Use the selector to choose Filtering Mode for Secure Transport Protocols, the choices are Automatic and Policy-based.

Automatic Filtering Mode

In Automatic mode, SSL/TLS filtering is only active for applications that are automatically selected, such as web browsers and email clients. You can customize this behavior for each application or server certificate in the Action Rules settings.

Policy-based Filtering Mode

In Policy-based mode, all SSL/TLS connections are filtered except those you configure as exclusions. You can exclude specific applications or server certificates in the Action Rules settings.

Action Rules

SSL/TLS action rules enable you to customize how specific applications and certificates are handled during content scanning. You can choose to allow, block or exclude them based on your needs.

Application Rules

Application scan rules enable you to customize how your ESET security product handles specific applications communicating over SSL/TLS protocols. Applications specified here will be excluded from future scanning. Only exclude an application if you are certain you trust it, as doing otherwise could expose your device to security risks.

You can the add a new application scan rule by clicking the + sign or remove an existing rule by clicking the - sign, additionally if you right-click a rule you get an option to edit it. When you click the + sign a new window opens up where you will specify the path to an application you selected. Once the application path is specified, select the scan action for this specific application. Scan actions are listed below:

Auto

•Depends on SSL/TLS filtering mode.

Scan

•Scan secure communication for the application.

Ignore

•Exclude secure communication from scanning for the application.

Using wildcards

Some applications use hidden helper binaries for communication and the exact application path might be difficult to find. Additionally, the internal paths can change when application self-updates. To make sure the path to application in your application rules is correct, it is recommended to use wildcards:

1.Add "*" at the end of the file path. Example: /Applications/Opera.app*.

2.If a Path Not Found window appears, select Use Anyway and click OK.

Certificate Rules

Certificate scan rules enable you to customize how your ESET security product handles specific certificates used in SSL/TLS communications. Only exclude a certificate if you trust its issuer, as excluding untrusted certificates could expose your device to security risks.

You can the add a new certificate rule by clicking the + sign or remove an existing rule by clicking the - sign, additionally if you right-click a rule you get an option to edit it. When you click the + sign a new window opens up where you specify actions to be performed for communications encrypted by a specified certificate. You can import the certificate by using drag-and-drop, selecting it from the context menu, or by importing it from URL. Once you import the certificate, the certificate name, issuer and subject will fill automatically. For each imported certificate you can specify access and scan actions as listed below:

Access Action

•Auto - Allow trusted certificates and ask about untrusted ones.

•Allow - Allow communication secured by this certificate regardless of its trustworthiness.

•Block - Block communication secured by this certificate regardless of its trustworthiness.

Scan Action

•Auto - Depends on SSL/TLS filtering mode.

•Scan - Scan communication secured by the specified certificate.

•Ignore - Exclude communication secured by the specified certificate from scanning.

Do not scan traffic from domains trusted by ESET

Use the toggle to turn this setting on or off. By default it is turned on, meaning that the traffic from domains that are trusted by ESET is not scanned. When using Safari browser, it is recommended to have the Do not scan traffic from domains trusted by ESET setting turned on, as some websites might have issues loading if it is turned off.

Setup certificate exclusion

In the rare case when the setting Do not scan traffic from domains trusted by ESET is turned on, but you still have issues with fully loading a webpage, you need to setup a certificate exclusion:

1.Open Application Preferences > Secure Transport Protocols > Certificate Rules.

2.Add a new certificate rule by clicking the + sign.

3.Import certificate from the problematic URL.

4.Set Scan action to Ignore and click OK.

Block traffic encrypted with obsolete SSL 2.0

Use the toggle to turn this setting on or off. By default it is turned on, meaning that the traffic encrypted with obsolete SSL 2.0 is blocked.

Action to take if certificate trust cannot be established

You can decide between two options:

•Ask about certificate validity - always get notification and decide if the certificate is valid.

•Block communication that uses the certificate - automatically block the communication that uses the certificate.

˄˅