Environment

• Endpoint Standard Sensor: 3.3. and later versions
• Carbon Black Cloud Console: All Versions
• Microsoft Windows: All Supported Versions

Symptoms

• Endpoint Standard Sensor not able to connect to CBC
• SChannel errors show in Event Viewer Application Logs
• The Firewall is not configured to allow communication for CRL checking
• A Wireshark/pcap will show a 15-16 second delay between "client hello" and "server hello" indicating a the 15-second CRL timeout has occurred. 

Cause

Resolution

1. For sensor 3.8.0.722 and higher review Carbon Black Cloud: How to Adjust CRL checking for Best Effort 
2. Sensor 3.4.0.925 and higher
   1. Upgrade Sensor to 3.4.0.925 or higher if using an older sensor version
   2. Put the Sensor in Bypass mode
   3. Locate your cfg.ini file using this KB: 
   4. Edit the file cfg.ini with this line at the end of file

      CurlCrlCheck=false

   5. Save and close cfg.ini 
   6. Load changes

      "C:\Program Files\Confer\RepCLI.exe" updateconfig

   7. Bring Sensor out of Bypass
   8. Check PSC Console for normal sensor communications, like check-ins and events

Additional Notes

• This change will prevent the Sensor from preforming CRL checking but continue functioning normally otherwise. 
• Additional information can be found about What are some concerns with disabling the CRL check within the Sensor?

Related Content