Encrypted web scan remembering sites with bad certs after the cert is fixed?

Using BitDefender Antivirus Free 27.0.30.136 for Windows 11.

I operate websites and for some of them I manually issue SSL using LetsEncrypt.

One time recently I published the SSL artefacts for Site A when configuring the SSL for Site B. When verifying the SSL for Site B, my Bitdefender's Encrypted Web Scan rightly blocked access to Site B as it was presenting Site A's certificate.

Ultimately I wound up re-issuing the SSL certs for Site B and re-configuring the site's SSL to use them.

  • When Encrypted Web Scan is ON, Bitdefender continues to block Site B as suspicious "due to an unmatching security certificate", even though using Google Chrome's certificate viewer confirms that the (wildcard) certificate matches Site B, reporting it as "Connection is secure".
  • When I turn Encrypted Web Scan OFF, the browser allows SSL requests to Site B and continues to report the "Connection is secure" in Chrome's popup when clicking on the padlock.
  • Then turning Encrypted Web Scan ON reverts back to blocking requests to Site B.

Does Encrypted Web Scan 'remember' Site B as suspicious - forever or for some period? Can this be cleared? I expect that I could set it up as an "exception", but there is no longer anything exception-worthy about the origin.

Answers

  • Hello @BSanonymous,

    This might be device-related; EWS should detect from the start whether the certificates are correct. If the situation persists, I would suggest trying on another device to check if Bitdefender blocks the site with good certificates.

    Regards,

    Alex

    Premium Security & Bitdefender Endpoint Security Tools user

  • Thank you @Alexandru_BD. I have no doubt that it is device specific since every device going forward will only see good certs. Is there a way to clear what EWS on the affected device thinks is suspicious?

  • Hello @BSanonymous,

    Sometimes, browsers cache SSL certificates. Clearing the cache can help the browser fetch the latest certificate from the server. Instructions for clearing the cache vary depending on the browser you're using. Generally, you can find this option in the browser settings or preferences menu. If the cache is still there on that device, EWS may still return a detection. After clearing the cache, restart the browser to ensure that the changes take effect.

    Also, ensure that the date and time on your device are correct. An incorrect system date or time can cause SSL certificate validation issues. If the EWS still thinks the certificate is incorrect, you can try adding the website to the exception list. This tells the antivirus to trust the website despite any warnings. Make sure Bitdefender is up to date on the device where the website is flagged.

    That's all I can think of right now.

    Regards,

    Alex

    Premium Security & Bitdefender Endpoint Security Tools user

  • Thanks for your help, @Alexandru_BD

    As per my original post, the browser reports that the certificate (which EWS generates a proxy for - see below) is fine.

    The browser doesn't have a problem with the certificate, only EWS does.

    I also get the issue in my browser's Incognito mode, which should not use anything cached from past browser sessions.

    I know that I can add as an exception, but that would be an exception to work around incorrect product behaviour and leaves my device vulnerable to any other threats through that site.

    If there is no way to clear EWS's view of what sites it blacklists without using exceptions, then that is the answer.

  • Thanks for following up @BSanonymous.

    I'm unsure what else could be causing this behavior. I think we have covered all the usual possible causes and exhausted the known troubleshooting steps. If this issue is caused by something more specific, we won't be able to find the root cause on the forum. To dive further into this, logs from the device may be required, to find out why EWS is still flagging that certificate. The way I see it, there are two options to resolve this:

    1. Set an exception for that page;
    2. Contact the Support teams, explain the issue and provide them with a Support tool log that would help them diagnose the problem.

    Here's how to create a Support tool log when the detection takes place:

    Then head to the link below to get in touch with the Bitdefender engineers. If required, they can also schedule a remote session for advanced troubleshooting:

    https://www.bitdefender.com/consumer/support/help/

    Scroll down to state your contact reason, then choose from the available contact channels: chat, phone and email/ticket. Chat would be the fastest way to reach them.

    Let us know how it goes. I would appreciate it if you could follow up to tell us what was causing the detection.

    Regards,

    Alex

    Premium Security & Bitdefender Endpoint Security Tools user
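
For the situation in this thread (Site A's certificate served on Site B, then a re-issued wildcard certificate), the following added example, which is not part of the thread or any Bitdefender tooling, reports which DNS names and issuer a TLS client on a given machine actually receives and whether they cover the hostname. The hostnames and certificate dictionaries are constructed placeholders, and `fetch_cert` assumes the presented chain validates against the local trust store.

```python
import socket
import ssl
import sys

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' only as the whole left-most label, covering one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def issuer_org(cert: dict):
    """Issuer organization from a dict shaped like SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def report(host: str, cert: dict) -> dict:
    """Summarise who issued the certificate and whether its SANs cover host."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {"host": host, "issuer_org": issuer_org(cert), "names": names,
            "matches": any(name_matches(n, host) for n in names)}

def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Leaf certificate as received by this process on this machine."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still validated; names are checked by report()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample data (placeholder names), shaped like getpeercert() output.
LE = ((("organizationName", "Let's Encrypt"),),)
SITE_A_CERT = {"issuer": LE, "subjectAltName": (("DNS", "*.site-a.example"),)}
SITE_B_CERT = {"issuer": LE, "subjectAltName": (("DNS", "*.site-b.example"),
                                                ("DNS", "site-b.example"))}

if __name__ == "__main__":
    if len(sys.argv) > 1:   # live check: python certcheck.py <hostname>
        print(report(sys.argv[1], fetch_cert(sys.argv[1])))
    else:                   # offline demo with the constructed certificates
        print(report("www.site-b.example", SITE_A_CERT))
        print(report("www.site-b.example", SITE_B_CERT))
```

Comparing the output from the affected device with the output from a device that has no TLS-inspecting product shows whether both receive the same names and issuer for Site B.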