Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

App Control: Agent or Rules Package Installer Fails Due To Air-gapped or Limited Network

App Control: Agent or Rules Package Installer Fails Due To Air-gapped or Limited Network

Environment

  • App Control Server: 8.5.16, 8.6.8, 8.7.6, 8.8.4 and higher

Symptoms

  • When uploading new Agent or Rules Package Installer in the console on the "Update Agent/Rule Versions" the upload fails with error:
    Installation failed.
  • Sometimes the following prompt is displayed, but the install still fails:
    We have validated that the signature on this file's certificate is from Carbon Black and that the file integrity is intact.
    However, due to environmental circumstances we are unable to check externally and determine whether this certificate has been revoked.
    Do you want to bypass this check and allow this file to execute?

Cause

  • There is a new Agent/Rules Package Installer certificate validation logic that is more thorough and secure
  • The new logic requires that the file uploaded be signed with a valid certificate from Carbon Black that passes certificate validation check and a file integrity check
  • When the App Control Console is installed on a server with limited or no internet access the certificate validation fails
  • Sometimes, a prompt is displayed that allows the bypass of the certificate revocation check (requires Internet access). However, this is only for CRL check bypass and not a bypass of the full certificate validation that requires all certificates from the chain be present and valid in the local machine cert store

Resolution

When the Agent or Rules Package Installer uploaded to the console fails due to limited connectivity then please:
  • Copy the Agent or Rules Package Installer locally onto the system where App Control is installed and run the actual EXE file using the App Control service account or with another Admin account that has permissions for the Das database
  • If the issue persist, please enable high debug server logs and recreate the install failure then submit a support case, so we can determine what caused the issue

Additional Notes

The hostPackageInstallerSignatureCheck shepherd config has been removed and there is no longer a way to disable the certificate validation check

Related Content


Labels (1)
Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
Creation Date:
‎06-23-2022
Views:
302
Contributors