Kaspersky also has to install this CA into your operating system's Trusted Certificate store. In order for this to be done correctly, Kaspersky has to generate its own root CA certificate, and generate spoofed certificates on the fly, feeding them to your browser. It does this in order to be able to scan payloads in HTTP transactions, be it in the request or the response. Kaspersky, like most AV products these days, is performing a local MITM against your secure HTTP traffic.
