This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ben_Dunkley
Contributor
‎2022-07-12 09:48 AM

HTTPS Certificate Validation - ds.kaspersky.com / Harmony Endpoint

Hi,

After dealing with some certificate validation issues recently (resolved via sk64521 / sk173629 - slightly frustrating this isn't automatic by default), almost all of the certificate validation errors are gone.

The last remaining validation error is for the FQDN ds.kaspersky.com, which logs as follows (identifying & irrelevant info snipped out):


HTTPS Validation: Untrusted Certificate
Description: Certificate DN: 'CN=ds.kaspersky.com,OU=CIWD,O=AO Kaspersky Lab,L=Moscow,ST=Moscow,C=RU' Requested Server Name: ds.kaspersky.com. See sk159872
Destination: 82.202.185.148
Destination Port: 443
IP Protocol: 6
Action: Detect
Type: Log
Blade: HTTPS Inspection
Service: TCP/443
Product Family: Network
Resource: ds.kaspersky.com

 

This occurs across half a dozen or so destination IP addresses, but the same FQDN in each case.

Testing using openssl reveals the following certificate chain, and there are no Kaspersky certificates in Checkpoint's Trusted CA list, which is fine I guess, as it does look like Kaspersky are potentially just using their own CA, which may not be publicly trusted (i.e. if it is explicitly trusted in their products that leverage these services).

Certificate chain
 0 s:/C=RU/ST=Moscow/L=Moscow/O=AO Kaspersky Lab/OU=CIWD/CN=ds.kaspersky.com
   i:/C=RU/O=Kaspersky Lab/CN=Kaspersky Lab Public Services TLS CA
 1 s:/C=RU/O=Kaspersky Lab/CN=Kaspersky Lab Public Services TLS CA
   i:/DC=com/DC=kaspersky/DC=authenticity/CN=Kaspersky Lab Public Services Root Certification Authority
 
The part that is a little frustrating, is that all this traffic is originating from Check Point Harmony Endpoint clients!
 
So I'm curious what view others may have on this, ignore it? manually trust the CA? something else?
 
Thanks,
Ben
0 Kudos
3 Replies
Ben_Dunkley
Contributor
‎2022-07-12 09:52 AM

(Also trusting the CA raises the whole subject of the Kaspersky situation (sk178688, sk118539, etc), but that's a whole different topic 😉 )

0 Kudos
_Val_
Admin
Admin
‎2022-07-12 11:49 PM

As you have mentioned yourself, Kaspersky is a tricky subject. However, you can manually configure to trust that cert, if you are absolutely sure this is what you want/need.

0 Kudos
TP_Master
Employee
Employee
‎2022-07-13 02:22 AM

Hi Ben,

Yes this is a certificate originating from our usage of the Kaspersky SDK in this version of Harmony Endpoint. It has been signed like that (with Kaspersky CA) for the past few years, it is not new.

I guess the answer to your question goes back to you - what is your goal? you want to suppress those "Untrusted Certificate" logs on the GW? then you can trust it .. do you just want to know if it's "suspicious"? then no it's not suspicious.

HTH

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events