I am running Security Center 9.3.151 on Windows Vista Ultimate SP1. I use Internet Explorer 8 and I configure IE 8 (IE 8 > Tools > Internet Options > Advanced) to "Use SSL 3.0" and "Use TLS 1.0". I do not want to use SSL 2.0 ever.
However, these settings are being changed by Security Center to disable TLS 1.0 and to enable both SSL 2.0 and SSL 3.0. The settings change whenever I right-click the McAfee SecurityCenter icon in the Windows Taskbar and select "Open SecurityCenter".
I know it is SecurityCenter (mcshell.exe) changing the settings because I set up auditing within the registry to figure out which application is changing the settings. SecurityCenter changes the SecureProtocols value from 160 (TLS 1.0 and SSL 3.0) to 40 (SSL 2.0 and SSL 3.0). See auditing info below (potentially sensitive information was replaced with asterisks).
The problem also occurs on Windows XP SP3.
Please fix SecurityCenter so that it does not change the SecureProtocols value within the Internet Settings.
================ REGISTRY AUDITING INFO =================
In mine (default settings) SSL3.0 is ticked as well as SSL2.0 but not TLS1.0, and I believe that 3.0 overrides 2.0 anyway. I am aware that as of IE7 SSL2.0 has been regarded as a security risk. TLS1.0 isn't used any more as far as I know & isn't selected by default, in my setup anyway.
(I'm wondering if the default settings may vary depending on what operating system you are using).
Security Center is in fact an IE page albeit internal and relies upon IE being set at its default settings, so if you change them it may malfunction, or, as in your case, may alter them back.
This is a rather technical question which can't be directly answered on this board. I'll have to flag it internally and hope that someone at McAfee HQ can answer it.
Sorry but we are just unpaid volunteers here, not McAfee staff, but if I flag it, hopefully someone from McAfee will come up with an answer for you.
Thank you for replying. I do appreciate you flagging my question for McAfee staff to look at it.
You wrote, "TLS1.0 isn't used any more as far as I know ...". All of the financial and e-commerce web sites that I visit do use TLS 1.0 over SSL 3.0, if both are enabled in the web browser. TLS 1.0 is an improvement over SSL 3.0 (see http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf for details). And as you noted, SSL 2.0 is a security risk. So it seems wrong to me for SecurityCenter to enable the least secure protocol (SSL 2.0) and disable TLS 1.0. Hopefully, McAfee will investigate the issue and respond.
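The SecureProtocols values reported earlier in the thread (160 and 40) are sums of per-protocol bit flags. As an added example that is not part of any post in this thread, the PowerShell below decodes a value and reports drift from the wanted setting; the function names and the per-user registry path (the standard Internet Options location, not quoted in the thread) are this example's assumptions.

```powershell
# Bit flags that make up the SecureProtocols DWORD.
$ProtocolFlags = [ordered]@{
    'SSL 2.0' = 0x008
    'SSL 3.0' = 0x020
    'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

# Hypothetical helper: list the protocols whose bit is set in $Value.
function ConvertFrom-SecureProtocols {
    param([Parameter(Mandatory)][int]$Value)
    $ProtocolFlags.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

# Hypothetical helper: compare the wanted value with the one found.
function Compare-SecureProtocols {
    param([Parameter(Mandatory)][int]$Expected,
          [Parameter(Mandatory)][int]$Actual)
    [pscustomobject]@{
        Expected    = $Expected
        Actual      = $Actual
        Added       = @(ConvertFrom-SecureProtocols ($Actual -band (-bnot $Expected)))
        Removed     = @(ConvertFrom-SecureProtocols ($Expected -band (-bnot $Actual)))
        Ssl2Enabled = [bool]($Actual -band $ProtocolFlags['SSL 2.0'])
    }
}

# The change described in the thread: 160 (wanted) became 40.
Compare-SecureProtocols -Expected 160 -Actual 40 | Format-List

# Live check of the current user's setting (Windows only).
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if (Test-Path $key) {
    $current = (Get-ItemProperty -Path $key -Name SecureProtocols `
                    -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $current) {
        Write-Warning 'SecureProtocols is not set for this user.'
    } else {
        $report = Compare-SecureProtocols -Expected 160 -Actual $current
        $report | Format-List
        if ($report.Added -or $report.Removed) {
            Write-Warning 'SecureProtocols differs from the expected value.'
        }
    }
}
```

For the thread's values the first report lists SSL 2.0 under Added and TLS 1.0 under Removed, with Ssl2Enabled set to True.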
Security Center changes IE security settings - SSL2
I was having exactly the same problem that pigglety described on 5-16-09 at 07:49am. I actually called McAfee tech support in Aug 2009 and told them about the problem. I even provided them with the excellent technical info that pigglety provided.
At first McAfee technicians totally denied McAfee Security Suite would make any changes to the Windows Vista registry file. After speaking to three different McAfee technicians, I finally found someone in McAfee who admitted that there was indeed a bug in McAfee Security Suite, and everything would be fixed in the next updated version. I took the technician at McAfee at his word, and I have been patiently waiting for the next version of McAfee to be released.
On Sept 21, 2009 McAfee Security Center (build 9.15.126) was released, and I installed it on my PC. I was really hoping that it would finally fix the issue where McAfee Security Center would automatically enable SSL2 on IE8 as well as Google Chrome. Well guess what? The newest build does NOT fix the problem. Everything that pigglety described on 5-16-09 is still true today, even with the newest McAfee Security Center installed.
I am so disappointed with McAfee. It was a royal pain explaining over and over again the SSL2 software bug to the McAfee technicians. I have absolutely no desire to spend another hour on the phone going thru that drill again!
If anyone has a solution, please let me know. Thanks!
RE: Security Center changes IE security settings - SSL2
By the way, I would imagine that Microsoft dictates to all security software manufacturers whose products are designed to interact with Windows Security, that such settings must be protected, so McAfee in this case is only protecting the default settings, which is a function of security software after all. I'm sure a Microsoft Newsgroup or Forum would bear me out on that.
Addendum: I doubt such processes could be discussed in open forum as they involve patented/copyrighted processes from both Microsoft and McAfee. I do know that all security software makers have to follow a set of guidelines laid down by Microsoft. So I doubt you can blame McAfee totally for this.
I guess for now the answer is, don't open Security Center while using those settings.
The 2010 products will be releasing soon so who knows, things may change.