Kaspersky
Question

How to disable Kaspersky root authority certificate and all that depends on it


Userlevel 1

No matter how well-intentioned, I never trust vendor-provided Trusted Root CA Certificates.

How do I disable all Kaspersky Security Cloud features that would rely on this certificate, and prevent Kaspersky from re-inserting that certificate into the Trusted Root CA Certificates Store (Windows)?

thank you.


12 replies

Userlevel 7
Badge +3

Hi,

Welcome.

Settings > Additional > Network > Do not scan encrypted connections

Userlevel 7
Badge +7

Try this, disabling:

  • Do not scan encrypted connections
  • Inject script into web traffic…
  • Delete Kaspersky Protection add-on in all browsers
  • Delete Kaspersky Root Certificate installed in Windows, to do this run certml.msc and:

In Action → Search Certificates → type kaspersky → click on button Search Now → once found → mouse right click → Remove / Delete

 

 

 

Userlevel 7
Badge +7

In this Community We can’t help You, You better contact to Kaspersky Support via “My Kaspersky” service.

 

Anyway probably it can’t be disabled, since some of the main security modules/features are depending of filtering the traffic and some of them probably need this Root Certificate.

Userlevel 7
Badge +7

I have a long-open, unresolved support case.

Can you please provide your INC number.

 

Userlevel 7
Badge +7

@arb Welcome. As well as already suggested above by Harlan4096 , please contact K-Lab Tech Support.

Userlevel 1

@kill.Method Your point, that open source software has not necessarily proven to be more secure than closed source/ commercial, is well-taken.

However, this isn't “do I want a Trusted Root CA Certificate from a vendor's piece of software which, if compromised (as we've seen happen repeatedly over the years) will make me, well, dead, versus similar from an open source piece of software".

This is “Do I want a Trusted Root CA Certificate from anyone other than a Trusted Root CA”.

And the answer is clearly “No".

And ant-virus vendors should know better than to NOT give us the option of “No". 

https://www.securityweek.com/avast-antitrack-flaw-allows-mitm-attacks-https-traffic

https://www.pcworld.com/article/3154608/https-scanning-in-kaspersky-antivirus-exposed-users-to-mitm-attacks.html

.. and others.

Userlevel 1

Unfortunately, I've tried all of that, and at each reboot, Kaspersky puts that root certificate back into the Trusted Root CA Certificates (machine) store. That's really unacceptable. AVG went through a public nightmare with this years ago, and if I recall correctly, they made it easier to control.

Why does Kaspersky insist on making this (bad, IMNSHO) security trade-off per-force instead of with informed consent as an option?

And, most importantly, how do I really un-do this?

thank you.

Good evening!

My name is Mark. I have seen a couple of posts in various boards now that carry the same theme: I don’t trust vendor root certificates --   I want to play devil’s advocate here and share some experience. 

Firstly, let’s understand that my trust levels went down this last 12 months--and its open-sourced programs that I scrutinize the most. After dealing with devices that had bullcrap certificates loaded (stolen developer certificates) to give access to surveillance and device hijacking software that made it near impossible to manage one’s own device…. I choose vendor. Vendors are at least operating with clear intentions: To make money. If you think a business exists for you, go back to basics. Business exists to make money. A vendor selling IT security will not last long if it is not delivering the product that it advertises and there are more than enough watchdogs and reviewers to make sure that conversation would be loud and clear. 

Open-sourced software….we’re still dealing with the growing pains. For every great thing software can do for us (open sourced or no) it can be used in an equally malicious fashion. We still have ethical problems that we are facing in an environment where anybody can access the sources...and alter them...or worse, alter the SDK that comes with.

 

My two cents. Thank you Kaspersky. Here are the keys to my banking SSL...please. 

Userlevel 1

I have a long-open, unresolved support case.

There is as yet no answer to this unacceptable situation.

 

Userlevel 1

I already selected the option “Do not scan encrypted connections".

At restart, Kaspersky still re-added that trusted root CA certificate.

How do I prevent Kaspersky from re-adding the certificate, regardless of whether it would plan to USE that certificate?

thanks.

Great to know that it’s no longer disableable. That’s my good bye to kaspersky.

P.S. There’s a huge bug in the website allowing to bypass the login captcha and as a result bruteforce passwords. Won’t tell more about that as a it’s a plain stupid mistake on Kasperskys end and I won’t help a company MIM attacking my SSL traffic, modifying my certificates (I’m a server maintainer having to check server certificates from the browser!)  and bringing my login credentials at risk.

@libove Were you able to delete it completely? I’m also facing the same issue. I’ve tried disabling certificate purposes in properties but that is also automatically enabled after each restart.

Reply / Ответить