Kaspersky AV Having Certificate Conflicts with Google Chrom…
Users of Kaspersky Antivirus have been complaining since the end of January that when they open Chrome Kaspersky displays numerous alerts stating that there is a problem with a self-signed certificate. It turns out this is being caused by a conflict with a Chromecast device on their network that they may not know even existed.
These alerts state that Kaspersky “Cannot guarantee authenticity of the domain to which encrypted connection is established” and are due to a “Self-signed certificate” as shown below.
These errors are being displayed by Kaspersky’s engine that allows it to scan encrypted SSL traffic for malicious content.
In a new Chromium bug report opened today, a Google employee states that there has been an increase in Chromecast discovery issues from Windows users and that it appears to be related to antivirus software.
“There’s been a sudden increase in device discovery reports,” states the bug report. “Reviewing the reports indicated that it’s common on the Windows platform. And reviewing of the logs show a commonality of cast channel authentication errors, which can often be attributed to Anti Virus / security software.”
When investigating further, he noted that Kaspersky users have been complaining about these problems since the end of January, which appears to be the same period that the Chromecast discovery reports started to increase. Google has stated that they have reached out to Kaspersky to resolve the issue.
To test this, BleepingComputer fired up a virtual machine and installed a free trial of Kaspersky Total Security. After being installed, I opened Chrome and was immediately greeted with the same error that the Kaspersky users have been seeing.
Not only was I greeted with this error once, but I was shown it multiple times as can be seen by the Kaspersky report below.
When reviewing the 12 page topic in the Kaspersky forums, multiple users reported this started happening after upgrading to Chrome 72 and appears to be a conflict between Chromecast and the antivirus software’s SSL scanning engine.
To resolve this, users have discovered they can either disable SSL scanning or find the IP address for the Chromecast device and add it as an exclusion to the SSL scanning.
In order to properly protect your computer, it is not suggested that SSL scanning be disabled. Instead users should follow the below steps to exclude the offending IP addresses from SSL scanning:
Open the main Kaspersky interface and select More Tools -> My Network -> Network Monitor
When the Network Monitor is opened, click on the Port column header to sort by the port.
Look through each row and write down any IP address that is using port 8009. You can see multiple devices on my network below that are using this port.
After writing down each IP address, close the Network Monitor and click on the gear to open Kaspersky’s Settings. Then click on Additional -> Threats and Exclusions -> Specify trusted applications -> Add -> Click on the search icon in the upper right corner -> type Chrome – Now double-click on Google Chrome in the search results.
Click on “Do not scan all traffic” option and select “Do not scan encrypted traffic” as shown below.
Now put a checkmark in “Only for specified IP addresses” and then enter the IP addresses you wrote down in step 3. If you have multiple IP addresses, make sure to enter each one separated by a space.
Now put a checkmark in “Only for specified ports” and enter 8009.
When done, your screen should look like below.
When ready, click Save.
You should no longer receive the self-signed certificate errors from Kaspersky when you open Chrome. With Google reaching out to Kaspersky to resolve this issue, you will hopefully be able to revert these changes soon.
But I don’t have Chromecast!
Now you may be saying, “But I do not have Chromecast on my network!”. I said the same thing until I followed the above steps and found out that I actually had multiple devices that support Chromecast.
New SmartTVs now have ChromeCast built into them so that you can cast to them from your browser or other compatible devices. I had not known that my Vizio TV supported Chromecast, which I now know I can see by clicking on the Chrome menu and selecting Cast.
What is causing these errors is a hidden Chrome extension called Chrome Media Router that automatically scans a network for Chromecast devices when the browser starts.
This causes Kaspersky’s SSL scanning engine to kick in and give the errors about the self-signed SSL certs. If you have multiple Chromecast devices on your network, you will see even more of these alerts as each Chromecast device is discovered.
Hopefully now that Google and Kaspersky are working on this, the issue will soon be a thing of the past.