App Control: Agent-Generated CRL (ocrl) Traffic Does Not Appear to Follow Netsh Proxy Settings

Environment

  • App Control Agent (formerly CB Protection): All Supported Versions

Symptoms

  • Captured netsh (scenario=InternetClient) and CAPI2 logs show this network connection being created
  • The App Control Agent calls CertGetCertificateChain to perform CRL checks and build the certificate chain context, which triggers a request via WinHTTP to verify the revocation status
  • WinHTTP should honor locally defined proxy settings; however, the user observes a direct OCSP connection instead of one going through the designated proxy

Cause

  • On 64-bit Windows machines there are two separate "netsh" commands and settings (64-bit and 32-bit)
  • In this case, the proxy had been set using the 64-bit netsh

Resolution

Once the 32-bit netsh is called as below to point to the proxy server, OCRL calls start respecting the proxy server settings:

c:\windows\syswow64\netsh winhttp set proxy myproxy:80

c:\windows\syswow64\netsh winhttp show proxy

Additional Notes

App Control is a 32-bit application
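
To confirm which proxy a 32-bit process such as the agent will actually use, the 64-bit and 32-bit WinHTTP settings can be compared side by side. The script below is an added example, not part of the original article or the product; the function name Get-WinHttpProxyView is hypothetical, and it assumes 64-bit Windows with English-language netsh output.

```powershell
# Added example: compare the WinHTTP proxy seen by 64-bit and 32-bit processes.
# Assumptions: 64-bit Windows, English-language netsh output.

function Get-WinHttpProxyView {
    param(
        [Parameter(Mandatory)][string]$Bitness,
        [Parameter(Mandatory)][string]$NetshPath
    )
    if (-not (Test-Path -LiteralPath $NetshPath)) {
        throw "netsh not found at $NetshPath"
    }
    # Join the output lines so one regex can search the whole report.
    $text = (& $NetshPath winhttp show proxy) -join "`n"
    $proxy = $null
    $bypass = $null
    if ($text -match 'Proxy Server\(s\)\s*:\s*(\S.*)') { $proxy = $Matches[1].Trim() }
    if ($text -match 'Bypass List\s*:\s*(\S.*)') { $bypass = $Matches[1].Trim() }
    # Flag output that matches neither known form (for example a localized build).
    if (-not $proxy) {
        $proxy = if ($text -match 'Direct access') { 'Direct access (no proxy)' }
                 else { 'Unrecognized netsh output' }
    }
    [pscustomobject]@{
        Bitness = $Bitness
        Netsh   = $NetshPath
        Proxy   = $proxy
        Bypass  = $bypass
    }
}

# A 32-bit PowerShell sees System32 redirected to SysWOW64, so it must use
# the Sysnative alias to reach the 64-bit netsh.
$native = if ([Environment]::Is64BitProcess) { 'System32' } else { 'Sysnative' }

$views = @(
    Get-WinHttpProxyView -Bitness '64-bit' -NetshPath "$env:SystemRoot\$native\netsh.exe"
    Get-WinHttpProxyView -Bitness '32-bit' -NetshPath "$env:SystemRoot\SysWOW64\netsh.exe"
)
$views | Format-Table -AutoSize

if ($views[0].Proxy -ne $views[1].Proxy -or $views[0].Bypass -ne $views[1].Bypass) {
    Write-Warning ('WinHTTP proxy differs between 64-bit and 32-bit views. ' +
        'A 32-bit process such as the App Control Agent uses the 32-bit value: ' +
        $views[1].Proxy)
}
```

A warning here reproduces the condition described under Cause: the proxy is configured in one view while the 32-bit view still reports direct access.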

Creation Date:
‎11-12-2020