Why does SaaS SSL scan bypass not work for some domains?

Can somebody explain why the Trusted Sites: SSL Scan Bypass does not work for some domains? McAfee seems to believe this is expected behavior and has said I need to put those sites in the Threats bypass list or the proxy bypass. Well, it doesn't work when I put it in the Threats bypass and the proxy bypass is not an acceptable solution because some of the sites we need bypassed are not globally available to all of our users (controlled by policies and groups).

An example of a domain that does not honor the SSL Scan Bypass is pnc.com. This domain shouldn't even have to be in the bypass list because it's in the Banking/Finance category which I have excluded from the SSL scan. But that doesn't work either. I do not want SSL scanning or the McAfee Web Services SSL certificate to be used when connecting to banking sites.

Accepted Solutions

Re: Why does SaaS SSL scan bypass not work for some domains?

There may be a few separate reasons for this, but the root cause is generically the same: in some instances, the browser or an intermediate process like the McAfee Client Proxy (MCP) does not send the host information, but instead sends the resolved IP. As the IP does not match the hostname in the trusted site list, the bypass does not occur. We see this behavior regularly with the MCP - the 1.2 and future versions include support for Server Name Indication (SNI) which improves the ability for the systems to recognize the destination host and properly bypass. In any case, the workaround is to add not just the hostname that you want to skip scanning for, but also the IP.
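To make the mechanism in the accepted answer concrete, here is an added example (not McAfee code, and not how the SaaS proxy is actually implemented): it builds a minimal TLS ClientHello with and without the SNI extension, extracts the SNI the way an SNI-aware proxy would, and then applies a simplified trusted-site match. The matching rule (exact hostname or parent-domain match, or exact IP match), the `expand_trusted` helper, and the resolver mapping `pnc.com -> 198.51.100.10` are assumptions constructed for the demo; the byte strings are built inline rather than captured from a real client.

```python
import struct
from typing import Callable, Dict, List, Optional, Set, Tuple

# --- Constructed TLS ClientHello builder (TLS 1.2 record, minimal fields) ---
def build_client_hello(server_name: Optional[str]) -> bytes:
    """Return a TLS record containing a ClientHello; SNI extension only if server_name is given."""
    client_random = bytes(32)                       # all-zero random is fine for a demo
    session_id = b""
    cipher_suites = b"\x13\x01\xc0\x2f"             # two arbitrary suites
    compression = b"\x00"                           # null compression
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")           # A-label form, as RFC 6066 requires
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = server_name
    body = (b"\x03\x03" + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression)
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake

# --- What an SNI-aware proxy does: pull the host name out of the ClientHello ---
def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a ClientHello record, or None if absent/malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                    # skip client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                            # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                            # compression_methods
    if len(body) < pos + 2:
        return None                                 # no extensions block: this is the "IP only" case
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000:                      # server_name extension
            p = 2                                   # skip ServerNameList length
            while p + 3 <= len(data):
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if ntype == 0 and p + nlen <= len(data):
                    return data[p:p + nlen].decode("ascii", "replace").lower()
                p += nlen
    return None

# --- Simplified trusted-site matching (assumed rule, not the product's) ---
def host_matches(host: str, trusted: Set[str]) -> bool:
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)

def should_bypass(trusted: Set[str], dest_ip: str, client_hello: bytes) -> Tuple[bool, str]:
    """Decide bypass from SNI (if present) first, then from the destination IP."""
    sni = extract_sni(client_hello)
    if sni is not None and host_matches(sni, trusted):
        return True, "hostname %s matched" % sni
    if dest_ip in trusted:
        return True, "ip %s matched" % dest_ip
    return False, "no match (sni=%s, ip=%s)" % (sni, dest_ip)

# --- The workaround from the answer: add each hostname's resolved IPs to the list ---
def expand_trusted(hostnames: List[str], resolver: Callable[[str], List[str]]) -> Set[str]:
    """Return hostnames plus every IP the resolver returns for them."""
    out: Set[str] = set()
    for h in hostnames:
        out.add(h.lower())
        out.update(resolver(h))
    return out

# Constructed resolver for the demo (198.51.100.0/24 is a documentation range, not pnc.com's real IP).
FAKE_DNS: Dict[str, List[str]] = {"pnc.com": ["198.51.100.10"]}
def fake_resolver(name: str) -> List[str]:
    return FAKE_DNS.get(name.lower(), [])

if __name__ == "__main__":
    trusted = {"pnc.com"}
    no_sni = build_client_hello(None)
    print(should_bypass(trusted, "198.51.100.10", no_sni))                      # (False, ...) : IP-only client, hostname-only list
    print(should_bypass(trusted, "198.51.100.10", build_client_hello("www.pnc.com")))  # (True, ...)  : SNI-aware path
    expanded = expand_trusted(["pnc.com"], fake_resolver)
    print(should_bypass(expanded, "198.51.100.10", no_sni))                     # (True, ...)  : workaround
```

Two caveats when applying the IP workaround to a real list: banking sites commonly sit behind load balancers or CDNs with many, changing addresses, and the proxy may resolve a name differently from the client, so an IP entry can silently stop matching. After any change, confirm from a client that the certificate chain for the bypassed site is the bank's own rather than the Web Services inspection certificate, for example with `openssl s_client -connect host:443 -servername host` and checking the issuer.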

