Environment
- App Control Server: All Supported Versions
- App Control Agent: All Supported Versions
- Microsoft Windows; All Supported Versions
Question
Why are the Agents and the Server seem to be reaching out to unknown IP Addresses?
Answer
This will occur when the Server or Agent uses the Microsoft CrytoAPI to perform local certificate and publisher validation requests. This is expected behavior.
Additional Notes
- The App Control server will also reach out in order to verify certificate information once per week to various CRLs
- If needed Capi logging can be enabled per this article to identify CryptoAPI traffic
- More information is available in the User Guide:
Note: Regardless of whether agent-based certificate revocation checks are enabled, the Carbon Black
App Control Server validates certificates in its inventory on a recurring basis to make
sure that they have not been revoked. This validation generally occurs on a weekly basis and
involves downloading certificate revocation lists (CRLs) from registration authorities or making
Online Certificate Status Protocol (OCSP) calls to OCSP responders. These downloads can involve
a variety of sites in a variety of countries.
Server-based validation checks inform administrators when the status of a certificate changes,
but they do not affect enforcement of rules. Enable agent-based revocation checks if you want
revocations to affect rule behavior.
Related Content
