Does the EDR scan HTTPS traffic if it is decrypted?


Article ID: 224160


Products

Advanced Threat Protection Platform Endpoint Detection and Response

Issue/Introduction

Customers may have a configuration where they decrypt inbound HTTPS traffic using outbound HTTPS traffic. 

The questions are:

Does the EDR scan decrypted HTTPS traffic?

How do you scan the decrypted traffic?

Cause

Because the HTTPS protocol is assumed to be encrypted, the EDR does not scan this traffic.

Environment

All available versions of EDR.

Resolution

The EDR does scan HTTP traffic. Therefore, the traffic must be converted to HTTP traffic for the EDR to detect any attacks.

Additional Information

We recommend you review the capabilities of the SSL Visibility Appliance (SSLv) as an integration solution with the EDR.