All AV Vendor SSL Protocol Scanning Can Be Easily Bypassed

Discussion in 'other anti-virus software' started by itman, Jun 3, 2016.

itman (Registered Member, Jun 22, 2010):
    I decided to open a new thread on this topic. On Wilders, there has been an ongoing discussion of whether AV vendor scanning of the SSL protocol should be done, and if done, whether the vendor is performing it properly. What hasn't been discussed is just how easy it is for malware to bypass the SSL protocol scanning.

    My contention is that it is quite easy for malware to bypass retail AV SSL protocol scanning. That is because there is a basic flaw in the way the scanning is being performed. The flaw is the assumption that all SSL communication is initiated using port 443. For the record, an SSL encrypted connection can be performed using any outbound port with the following coding: where 12345 is any port number
    All the malware has to do is redirect, using a URL coded like the one above, to a server which has the specific port configured.

    Assumed is that the user is employing either the Win or vendor product firewall in default configuration which is to allow all outbound traffic.

    You can test for this bypass by using this link to VeriSign which performs a validation check for a revoked EV certificate: . If you do monitor outbound firewall connections, you will have to allow the connection.

    What you will observe upon connection to the VeriSign web site is an alert from your browser's invalid certificate protection and not one from the AV vendor's SSL protocol scanning invalid certificate protection. This proves that the vendor's SSL protocol scanning monitoring has been bypassed in total.

    Note: Some vendors exclude web sites with EV certificates from SSL protocol scanning. As such, the above VeriSign web site validation cannot be used as proof of bypass, since the AV vendor scanning would be disabled for that web site due to its use of an EV certificate.

    What vendors who offer a web filtering solution need to do is:

    1. Either monitor all outbound port connections for both encrypted and non-encrypted traffic.
    2. Provide by default firewall outbound browser rules that "sync" with the ports that their web filtering solutions are monitoring.

    In reality, all outbound ports should be filtered by default with any https connections being decrypted prior to being scanned. Since some https web sites might not function properly with SSL protocol scanning enabled, existing vendor URL whitelisting methods could be employed.
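The first recommendation above amounts to recognising TLS by what is on the wire rather than by the destination port. The following added example (not code from the post or from any AV vendor) shows that distinction: it identifies a TLS ClientHello and pulls the SNI host name from the first payload bytes of a flow, so a connection to a non-standard port such as 12345 is classified the same as one to 443. The ClientHello bytes and the flow list are constructed inline for the demonstration.

```python
import struct

def build_client_hello(server_name: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input, not a capture)."""
    sni_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list           # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                               # client_version, random
            + b"\x00"                                                # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                     # one cipher suite
            + b"\x01\x00"                                            # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def tls_client_hello_sni(payload: bytes):
    """Return the SNI host ("" if none) when payload starts with a TLS ClientHello, else None.
    Only the bytes are examined, so the destination port plays no part in the decision."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[1] != 0x03 or payload[5] != 0x01:
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_len + 4 != rec_len or len(payload) < 5 + rec_len:          # header lengths must agree
        return None
    p = 9 + 2 + 32                                                   # skip version and random
    p += 1 + payload[p]                                              # session id
    p += 2 + struct.unpack("!H", payload[p:p + 2])[0]                # cipher suites
    p += 1 + payload[p]                                              # compression methods
    end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
    p += 2
    while p + 4 <= end:                                              # walk the extension list
        etype, elen = struct.unpack("!HH", payload[p:p + 4])
        if etype == 0 and elen >= 5:
            name_len = struct.unpack("!H", payload[p + 7:p + 9])[0]
            return payload[p + 9:p + 9 + name_len].decode("ascii", "replace")
        p += 4 + elen
    return ""

def classify(flows):
    """flows: list of (dst_port, first payload bytes). For each flow, report whether a
    port-443-only policy would inspect it and whether content inspection sees TLS."""
    out = []
    for port, payload in flows:
        sni = tls_client_hello_sni(payload)
        out.append({"port": port, "port_rule_inspects": port == 443,
                    "tls_detected": sni is not None, "sni": sni})
    return out

SAMPLE_FLOWS = [                                                     # constructed, not captured traffic
    (443, build_client_hello(b"www.example.com")),
    (12345, build_client_hello(b"updates.example.net")),            # TLS on a non-standard port
    (80, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]
```

Run against SAMPLE_FLOWS, the port-12345 flow is skipped by the port rule but flagged as TLS with its SNI by the content check, which is the gap the post describes.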