
App Control: Server connection to Collective Defense Cloud service is unavailable for longer than 3 hours

Environment

  • App Control Server: All Supported Versions
  • Carbon Black Collective Defense Cloud Enabled

Symptoms

  • Event(s) and/or Alert(s) in the Console for:
    • connection is lost for longer than specified period (3hrs)
    • fast sync with CDC wasn't successful for longer than specified period (3hrs) - lookup of newly added files at CDC
    • slow sync with CDC wasn't successful for longer than specified period (3hrs) - update of metadata pushed from CDC to your server

Cause

These Alerts could be triggered by either of the following:
  • A network connection error is preventing the App Control Server from accessing the CDC Backend.
  • No new interesting files have appeared in the environment during the timespan, so the App Control Server had no need to reach out to the CDC, which triggers the error.

Resolution

  1. Verify the CDC Connectivity between the application server and the CDC Backend.
    • If the connectivity is working, the Event/Alert can likely be ignored.
    • Typically an Event or two for this can safely be ignored, as there are many variables that could contribute to a network connection error between the application server and the CDC Backend.
  2. If the environment commonly goes for long periods of time without network access or new file creation, the Criteria for the Alert can be adjusted:
    1. Log in to the Console and navigate to Tools > Alerts.
    2. Click Edit (pencil icon) on the Alert, CB Collective Defense Cloud Unavailable.
    3. Set the Criteria > Time Period to be slightly longer than the expected period.

If connectivity issues persist, collect the Server High Debug Logs and a Wireshark capture while recreating the connectivity tests.

Additional Notes

  • It is recommended to verify your CDC connection whenever you receive this alert, as it is possible the alert was triggered due to a disconnection. The following article can assist with testing the connection: App Control: How To Check CDC/SRS Status and Connectivity
  • For App Control server versions 7 or older, the CDC was originally named the Software Reputation Service (SRS).

Creation Date: 02-28-2022