IBM Trusteer Rapport flags AdGuard certificate.

[Pentlands]

Hi,

I just installed IBM Trusteer Rapport (downloaded from my bank website), immediately after installation the software opened an IE11 browser to inform me the installation was complete and up popped a warning from Rapport that the website is using an invalid certificate.

The page that flags the warning is http://www.trusteer.com/support/installation-complete-windows

Is this something to be concerned about?

I've attached a screenshot of the Rapport warning.

Edit: I'm seeing this on multiple sites, not just trusteer.com

 

[avatar]

As I understand, Trusteer should check certificates for a list of some important websites, not for all. Do you have access to that list? I suppose you can simply add these websites to HTTPS exclusions in Adguard settings.

Also there's nothing to worry about, AG verifies website certificate before starting filtering it. If the cert is invalid, AG simply won't filter it and bypass as is.

 

[Pentlands]

Yes I have access to the Trusteer list, there's 90 of them, they're all banks and credit unions which makes sense as that's where I'm seeing the warnings about the AG certificates.

I wasn't overly concerned about this, I guess I was more surprised that Trusteer flagged the AG certificates because it doesn't look good if it's flagging AG as "bad".

 

[avatar]

Yes I have access to the Trusteer list, there's 90 of them, they're all banks and credit unions which makes sense as that's where I'm seeing the warnings about the AG certificates.

It would be great to have all these domains in our own default HTTPS exclusions list. Could you please share it?

I wasn't overly concerned about this, I guess I was more surprised that Trusteer flagged the AG certificates because it doesn't look good if it's flagging AG as "bad".

I am pretty sure it will flag any local certificate. As I understand, this program has the list of real certificate chains used by these websites. It compares it with the certificate chains your browser gets. And when AG filters SSL connections, the certificate chain is different from the one stored inside Trusteer (until you add that domain to Adguard's HTTPS exclusions list).

 

[Pentlands]

It would be great to have all these domains in our own default HTTPS exclusions list. Could you please share it?

The access I have is the same as everyone else I'm afraid, a long list of banks and credit unions in a window found in the "Trusteer Endpoint Protection Console" (see attached screenshot).

If you or someone else has a test rig they can install Trusteer onto I'm sure they'll be able to track down the https addresses far more accurately than I would



Edit: From the Trusteer FAQ:

Which websites are protected using IBM Security Trusteer Rapport?
http://trusteer.force.com/PKB/articles/FAQ/Which-websites-are-protected?

 

[avatar]

Nice, thank you!

We'll check the list and add all these banks to the default SSL exclusions list:
https://github.com/AdguardTeam/AdguardForWindows/issues/897