• SSL3.0 won’t stay off


    I’m running IE11 on Windows 7 Home Premium. To avoid POODLE problems, I unchecked “Use SSL3.0.” When my machine wakes up from hibernation, “Use SSL3.0” is re-checked. Nothing seems to stop this behavior. It survives opening and closing the browser, hitting “Clear SSL state” and rebooting. Any thoughts on what’s happening?

    • #1472465

      Is your user account a member of the administrator group?

      Have you tried running IE with add-ins disabled?

      Are you running any third party security software which could be interfering?

      Joe

      --Joe

    • #1472474

      Have you tried disabling McAfee, making the change, & then re-booting?

      Joe

      --Joe

      • #1472494

        Gave it one more try. Closed IE11, shut down McAfee, opened IE11 with no add-ons, unchecked “Use SSL3.0” and rebooted. When boot was finished “Use SSL3.0” was re-checked.

    • #1472475

      Did you hit Apply – OK and restart IE ?

      If you aren’t actually switching the computer off, then give it a reboot as well.

    • #1472477

      I will try that, but it’s not likely to work. The same behavior occurs on my wife’s computer which administratively runs Microsoft Security Essentials, IE11 and Windows 7 Home Premium. Hers never sees hibernation–she just uses it constantly for a short period and then completely shuts it off. The next time she turns it on, “Use SSL 3.0” is re-checked.

    • #1472490

      Have you tried resetting IE to full defaults, rebooting then trying again ?

      • #1472497

        On wife’s computer, IE11 has never been changed from full defaults, and problem still occurs there. “Use SSL3.0” IS one of the IE11 defaults, but if you de-select it, why does it keep coming back upon reboot? Sounds like IE11 itself might not be retaining its configuration information for some reason.

    • #1472498

      I only use IE 10 but perhaps other IE 11 users could chip in if they’ve had the same problems, but as it affects both yours and your wife’s computers perhaps you each have a program installed – although I can’t really see how that would affect a browser.

      Nonetheless, see if it stays unchecked with a clean boot.

      If it was just one computer then I would advise uninstalling IE 11 from Installed Updates – check to see if it stayed unchecked in the reverted version then if it did, reinstall IE 11 either through WUs or a direct download http://www.microsoft.com/en-gb/download/Internet-Explorer-11-details.aspx

      If you do want to try the reinstall then reset IE 11 to defaults first before uninstalling.

    • #1472499

      Reset Internet Explorer settings (Internet Options, Advanced, bottom right).

      Brucew

    • #1472562

      This may be asking the obvious. After unticking SSL3.0, did you click on apply?

      • #1473421

        jkellyjrvt,

        I’m helping a member over at Sevenforums that has McAfee, and has the same problem as you, his SSL3.0 option keeps being enabled, in his case IE10:

        The problem is related to Mcafee virusscan plus.
        SSL 3 option stays unchecked until i open the mcafee management console.

        Source: Post #7 | IE10, SSLv3 setting keeps enabling. | SevenForums.com

        He found a thread on the McAfee Forums that led him to check, and verify if the behaviour still exists after McAfee knowing about the bug for 5 years, yes it still exists, and yes, the thread is from 2009.

        Read Andy_L’s response (fifth post down): Security Center changes IE security settings | McAfee.com

        I did ask my original poster HarryNack, if he checked to make sure if McAfee was up to date because there was a new update that came out yesterday on the 31st, and just maybe McAfee fixed this bug. As of this posting I haven’t heard back.

        Check for any updates to McAfee, there was one released today: McAfee SuperDAT Update 7607 October 31, 2014 Download – TechSpot. Update through program or this link if you’re not current, and test.

        Source: Post #6 | IE10, SSLv3 setting keeps enabling.

        As for your wife’s machine exhibiting the same behaviour we’d need more information about her machine, such as;

          - Do both machines share a network at home?
          - If so, are they hard wired, or wi-fi, who is your internet service provider (ISP), what type of router?
          - Is her machine fully updated (Windows)?
          - Any third-party security programs?
          - If she works, does she use her machine to connect to her place of employment’s servers?
          - There is a Microsoft FixIt here: Microsoft security advisory: Vulnerability in SSL 3.0 could allow information disclosure: October 15, 2014 that might help.

        Sudo15, touched on a program causing this, let me expand this to any type of add-on or extension, have you tried running her IE with add-ons/extensions disabled, then test?

        Go to: Start >type/copy/paste Internet Explorer into the Search box >Select Internet Explorer (No Add-Ons) to open.

        If the behaviour goes away you will have to add them back one at a time to see which one is problematic.

        • #1473596

          Sometimes it’s so easy….Regarding the above post, opening the McAfee Security Center does not change the SSL 3.0 setting…but opening the McAfee Security Center and clicking on About immediately rechecks “Use SSL 3.0”. Culprit found!!! You were absolutely right.

    • #1473592

      Hi Anak,

      Thanks for your response. I had pretty much given up hope. I went to Microsoft Community and posted the problem — got an uninstall/reinstall windows and why-do-you-want-to-do-this-anyway type response.

      Per your questions, both computers run 64-bit Windows 7 and IE11. My Dell desktop is Ethernet-connected; my wife’s Toshiba Satellite laptop is Wi-Fi connected through a Netgear WNR-2500 wireless router. That’s the extent of the “home network” — no sharing between computers. My wife does not log into any work network. HughesNet satellite service is the ISP, brought in through an HN7000S modem — a generous 1.5Mbs service for a mere $70/month. (I will switch to a VermontTel 4G/LTE internet service — a 25-50Mbs service for only $25/mo. — when it becomes available, scheduled for the end of the year.)

      Both machines are fully updated through Microsoft and I run Secunia PSI 3.0 on both. My machine uses McAfee Security Center (anti-virus, firewall, etc.); my wife runs Microsoft Security Essentials and Windows Firewall. Both machines were tested with all IE add-ons and extensions disabled, with no apparent effect.

      The Microsoft FixIt had no effect on my machine, but seems to have solved the problem on hers, whereas just changing the SSL 3.0 setting in Advanced Internet Options on hers did not seem to work.

      Opening the McAfee Security Center did not immediately change the SSL 3.0 setting on mine. But about 15 minutes after I closed it out, SSL 3.0 was again rechecked. This time no hibernation or reboot was involved.

      Essentially, every program on my wife’s computer is also on mine, but I have additional programs, some of which are older and could be at fault here.

      Unfortunately, since the problem has appeared primarily after hibernation or reboot, tracking down the offender would be a rather ponderous problem, and just doing a general disable of SSL 3.0 within windows (not just IE11) might disable whatever program was at fault. I’m hoping that, whenever Microsoft completely disables SSL 3.0 in IE11, it will take hold there and not reset spontaneously. That would at least provide surfing protection. Hopefully, whatever program might be causing the problem might eventually be updated as well, but with some of the older ones, that’s not likely.

      Just on the chance that McAfee is the cause, I’m seriously tempted to strip McAfee off my machine and use Microsoft Security Essentials and Windows Firewall. The McAfee Security Bulletins you cited are truly frightening. With 100+ McAfee products involved, it could be a long catch-up process — particularly if you use their history in tracking down this “bug” since 2009 as a guide.

      Anyhow, thanks again for your help. I’ll let you know if I find out anything else.

      Joe

    • #1473659

      The only reason I can think of why the fixit didn’t work on your machine is McAfee (MAC) blocked it. The technical page of the fixit, which is different than the fixit page, suggests in the workaround section that the fixit creates a registry Key to block SSL3 connections, and MAC is desperately trying to protect those connections because it needs them to operate.

      You haven’t mentioned if you checked to see if you need the recent MAC update I mentioned in my last post:

      I did ask my original poster HarryNack, if he checked to make sure if McAfee was up to date because there was a new update that came out yesterday on the 31st, and just maybe McAfee fixed this bug. As of this posting I haven’t heard back.

      Check for any updates to McAfee, there was one released today: McAfee SuperDAT Update 7607 October 31, 2014 Download – TechSpot. Update through program or this link if you’re not current, and test.

      Source: Post #6 | IE10, SSLv3 setting keeps enabling.

      If you have the most recent update and MAC still blocks any attempts to keep SSL3 switched off you may want to try manually adding that workaround key to your registry.

      I’d be curious to know, and you should check the registry on your wife’s machine first since hers accepted the fixit.

      Go to:

      Code:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

      Open a registry editor. A quick way to get to Protocols is to type Schannel into the Find / Find Next box; click on SCHANNEL to open, then click on Protocols to open.

      You should at least see this:
      [attached image: 38344-SchannelOld]

      If the fixit works as suggested you should see this:
      [attached image: 38343-SchannelOld1]

      Then go to the same location in your registry, what do you see? I’d bet you don’t see the SSL3.0 Key.
      I’d be willing to show you how to add that SSL3 Key, It’d be interesting to see how MAC would react to a manual input of the blocked protocol, my belief is it would stop working.
      I’d tell you how if you want to try it yourself, but it’s a little tricky, the instructions only show how to change the value if the Key is already there, not the fact that you need to add two Keys, not just one.

      The reason I’m working with you while you’re running MAC is it sounds like you have an investment in it and I don’t know how long you have until you $re-up the subscription to MAC$. There is a refund policy with two terms, 30 and 60 days: McAfee Security for Consumers Refund Policy, Right of Cancellation. If it’s worth it to you to cancel out I’d be willing to show you how to remove MAC, install Microsoft Security Essentials (MSE) and start Windows Firewall (WF). The worst part would be uninstalling MAC. I would follow both steps under Solutions, Remove thru Programs and Features, and run the MAC removal tool in case there are any leftovers. If you have Revouninstaller or CCleaner it wouldn’t hurt to check for any leftovers with them to make sure.

      I’ve been using MSE since it came out and WF, and I’ve been okay, knock on wood, as long as you don’t go looking into every nook and cranny on the web, and think before you click you should be too.

      Steve

      p.s. This may sound corny, but Thanks for the thanks.
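
Added example, not part of the original post: a PowerShell check of the two places this thread discusses, the per-user IE checkbox and the machine-wide Schannel key, plus a watcher that timestamps every change so a re-enable can be tied to whatever program was just opened. The `SecureProtocols` value, its 0x20 SSL 3.0 bit and the `SSL 3.0\Client` `Enabled` value are Microsoft's documented names rather than anything quoted in the thread; the function names are hypothetical.

```powershell
# Added example (not from the thread). Registry names are Microsoft's documented ones;
# function names are hypothetical. Written to run on PowerShell 2.0 (Windows 7).
$IeKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ScKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client'
$Ssl3Bit = 0x20   # SSL 3.0 flag inside the SecureProtocols bitmask

function Get-Ssl3State {
    # Per-user IE setting: the "Use SSL 3.0" checkbox under Internet Options > Advanced.
    $ie = Get-ItemProperty -Path $IeKey -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $ie) {
        $ieState = 'not set (IE default applies)'
    } elseif ($ie.SecureProtocols -band $Ssl3Bit) {
        $ieState = 'ENABLED'
    } else {
        $ieState = 'disabled'
    }
    # Machine-wide Schannel client setting: applies to every program that uses Schannel.
    $sc = Get-ItemProperty -Path $ScKey -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $sc) {
        $scState = 'key absent (OS default applies)'
    } elseif ($sc.Enabled -eq 0) {
        $scState = 'disabled'
    } else {
        $scState = 'ENABLED'
    }
    New-Object PSObject -Property @{ InternetExplorer = $ieState; SchannelClient = $scState }
}

function Watch-Ssl3State {
    # Poll and print a timestamped line only when the state changes. Stop with Ctrl+C.
    param([int]$IntervalSeconds = 30)
    $last = $null
    while ($true) {
        $now = Get-Ssl3State
        $summary = "IE=$($now.InternetExplorer); Schannel=$($now.SchannelClient)"
        if ($summary -ne $last) {
            "{0:u}  {1}" -f (Get-Date), $summary
            $last = $summary
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

function Disable-Ssl3SchannelClient {
    # Needs an elevated prompt. Creates both the "SSL 3.0" key and its "Client" subkey
    # when they are missing, then sets Enabled = 0. This is machine-wide, not IE-only.
    if (-not (Test-Path $ScKey)) { New-Item -Path $ScKey -Force | Out-Null }
    New-ItemProperty -Path $ScKey -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
}

Get-Ssl3State | Format-List
```

Leave `Watch-Ssl3State` running in one window while opening other programs; a line reading `IE=ENABLED` that appears right after a program is launched identifies what rewrote the setting.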

    • #1473669

      Hi Steve,

      Please read my posts above for 11/2, particularly #14; they explain everything — McAfee was the culprit. I was just coming up for renewal, so it was easy to get rid of it now. That being said, the latest McAfee update didn’t work. Changing the registry key would have worked, but it would have killed SSL 3.0 for all programs on the computer, and McAfee would most likely have bitten the dust. But even now, post-McAfee, with SSL 3.0 apparently permanently off if I uncheck in Internet Options/Advanced, I still don’t see the SSL 3.0 registry key you mention — even after rerunning the FixIt and rebooting. But it doesn’t matter — things are working right.

      I did get rid of McAfee, but since my wife’s computer was already running Microsoft Security Essentials, I wanted something different (If one computer bricks from a bad definition update, you still have the other to recover.). I installed the free version of AVG Antivirus 2015, but immediately had to uninstall its e-mail scan feature, as it was seriously impeding Thunderbird. After that, all systems were go.

      I’m very impressed by the amount of detail you put into your posts for this problem, and very, very appreciative. Thank you very much again.

      Joe

      • #1473674

        Hi Steve,

        Please read my posts above for 11/2, particularly #14; they explain everything — McAfee was the culprit. I was just coming up for renewal, so it was easy to get rid of it now. That being said, the latest McAfee update didn’t work. Changing the registry key would have worked, but it would have killed SSL 3.0 for all programs on the computer, and McAfee would most likely have bitten the dust. But even now, post-McAfee, with SSL 3.0 apparently permanently off if I uncheck in Internet Options/Advanced, I still don’t see the SSL 3.0 registry key you mention — even after rerunning the FixIt and rebooting. But it doesn’t matter — things are working right.

        Hi Joe,

        Might be the fixit changes something deeper in the OS.

        Don’t know if you’ve seen these two test sites: https://www.poodletest.com/ and https://www.ssllabs.com/ssltest/viewMyClient.html, they’ll test your browser(s) to see if they’re vulnerable to the SSL3 exploit. All you have to do is click on either link the site does the rest.

        I did get rid of McAfee, but since my wife’s computer was already running Microsoft Security Essentials, I wanted something different (If one computer bricks from a bad definition update, you still have the other to recover.). I installed the free version of AVG Antivirus 2015, but immediately had to uninstall its e-mail scan feature, as it was seriously impeding Thunderbird. After that, all systems were go.

        Good contingency plan, give Avast, or Avira a try in case AVG acts up some more. Just watch their surfing protection features they’ll give you problems like AVG did. I helped another member over at SevenForums figure out the HTTPS:// scanner Avast has was crashing his Firefox, but he was also running Iobit Advanced SystemCare. 🙁

        I’m very impressed by the amount of detail you put into your posts for this problem, and very, very appreciative. Thank you very much again.

        Joe

        You’re welcome, I don’t know, I just start thinking about a problem and the thoughts start flowing.

        • #1473717

          Might be the fixit changes something deeper in the OS.

          Hi Steve,

          You may be giving Microsoft more credit than they deserve. For all the whirring of the hard drive when you run the FixIt, the ease with which McAfee undid it suggests that all the FixIt may have done is automate the steps of going to Internet Options/Advanced and doing it manually. I suggest this because their announcement of it stated that they would eventually issue a patch “permanently” disabling SSL 3.0 in IE.

          Don’t know if you’ve seen these two test sites: https://www.poodletest.com/ and https://www.ssllabs.com/ssltest/viewMyClient.html, they’ll test your browser(s) to see if they’re vulnerable to the SSL3 exploit. All you have to do is click on either link the site does the rest.

          I have used the poodletest site; I wasn’t aware of the other one.

          Good contingency plan, give Avast, or Avira a try in case AVG acts up some more. Just watch their surfing protection features they’ll give you problems like AVG did. I helped another member over at SevenForums figure out the HTTPS:// scanner Avast has was crashing his Firefox, but he was also running Iobit Advanced SystemCare. 🙁

          My decision boiled down to a choice between AVG and Avast. If I have any more problems, Avast will be the next one I try.

          You’re welcome, I don’t know, I just start thinking about a problem and the thoughts start flowing.

          Don’t you just love it when the flow starts? I really eat up problem solving. Once I get hooked on a difficult one, I can’t let go.

          Joe

      • #1479336

        …I installed the free version of AVG Antivirus 2015, but immediately had to uninstall its e-mail scan feature, as it was seriously impeding Thunderbird…

        According to the email experts, email scanning does nothing useful in any case (baddies hide in MIME attachments which AV programs can’t access).

        You can use the “Thread Tools” dropdown at the top of the thread to mark it solved.

    • #1473790

      Hi Joe,

      The HDD crunching discussion will have to be for another time.

      I like the ssllabs site, it gives a lot more info. I did see a few more, but they weren’t as good.

      Arrrggh! avast matey! (couldn’t help it.)

      Yep! I still have some pc problems from a few years ago that seem to defy logic, workarounds helped get runnin’ again but not a solid answer.

      So, are you running okay, SSL3 stayin’ off? Time to mark this one solved, eh?

      Steve

    • #1473830

      Yes, mark it solved. I’m glad to get it out of the way. Thanks again for your help.

    • #1473963

      My pleasure!

    • #1479315

      Sorry ahead but I got lost here. What was the solution again? I kept on looking for it but could find it.

      • #1479333

        McAfee Antivirus was the cause. It kept turning SSL3 back on as a result of its default behavior. I uninstalled McAfee to solve the problem.

      • #1479335

        That was a rather incomplete answer. I uninstalled the McAfee security suite and substituted AVG Antivirus Free Edition 2015 to maintain my antivirus protection. I activated the built-in Windows firewall to replace the firewall that McAfee provided.
