Default Definition Update Server for the Local Scanner (if enabled)
Online Certificate Status Protocol (OCSP)
Certificate Revocation List (CRL)
Device Services allows the sensor to upload the latest events from the endpoint, look up the reputation of a new file, or receive a configuration change from the CB ThreatHunter Backend.
If the sensor cannot establish connectivity to the Device Services URL over the standard SSL port, TCP/443, it will fail over to the alternate port, TCP/54443.
The current implementation of the CB ThreatHunter cloud service uses dynamically managed load balancers to provide the best possible levels of scalability, reliability, and performance, so the CB ThreatHunter Device Services hostname can resolve to many possible IP addresses, which will likewise change dynamically. See "CB Defense: What’s the static IP address or hostname used by CB Defense?" for details.
The CB ThreatHunter Sensor relies on the Operating System for dynamic proxy detection. If proxy authentication is required, the user may be prompted for credentials if proxy exceptions are not made for the CB ThreatHunter Services.
If "Submit unknown binaries for analysis" is enabled, all traffic goes through CB ThreatHunter Device Services before it is routed to the Predictive Security Cloud (PSC). The PSC uses only one third-party vendor, Avira Operations GmbH & Co. KG (“Avira”), as a subprocessor to assist with the threat analysis. The sensor will never communicate directly with Avira, so no additional network changes are required.
To determine whether the agent is "onsite" or "offsite", the sensor sends an ICMP echo to see whether each DNS suffix address is reachable. In this case you may observe outbound connections to your Domain Controllers from the Sensor Service (RepMgr).
Some third-party products (e.g. McAfee EPO Gateway) may attempt to validate the CB ThreatHunter server certificate and terminate the connection due to a name mismatch between the certificate issued to the CB ThreatHunter Login URL and the service that the CB ThreatHunter Sensor is connected to. In this situation, the third-party product must be configured to not validate the domain certificate.
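The TCP/443 to TCP/54443 failover described above can be checked from egress logs. The following is an added example, not vendor code, that classifies each endpoint as reaching Device Services on the standard port, only on the alternate port, or not at all. The hostname is a placeholder, and the log format is constructed and assumes the firewall or proxy records the destination hostname.

```python
import csv
import io
from collections import defaultdict

# Placeholder: substitute the Device Services hostname for your environment.
DEVICE_SERVICES_HOST = "device-services.example.invalid"
PRIMARY_PORT, ALTERNATE_PORT = 443, 54443

# Constructed sample egress log: timestamp, source, destination, port, action
SAMPLE_LOG = """\
2024-01-01T10:00:00Z,10.0.1.15,device-services.example.invalid,443,allow
2024-01-01T10:00:05Z,10.0.2.20,device-services.example.invalid,443,deny
2024-01-01T10:00:06Z,10.0.2.20,device-services.example.invalid,54443,allow
2024-01-01T10:00:07Z,10.0.3.30,device-services.example.invalid,443,deny
2024-01-01T10:00:08Z,10.0.3.30,device-services.example.invalid,54443,deny
2024-01-01T10:00:09Z,10.0.1.15,updates.example.invalid,443,allow
"""

def classify_sensors(log_text, host=DEVICE_SERVICES_HOST):
    """Return {source_ip: status} for traffic to the Device Services host.

    ok       - at least one allowed connection on TCP/443
    failover - TCP/443 never allowed, TCP/54443 allowed
    blocked  - no allowed connection on either port
    """
    allowed = defaultdict(set)  # source -> ports with at least one allow
    seen = set()                # every source that tried to reach the host
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _ts, src, dst, port, action = (field.strip() for field in row)
        if dst.lower() != host or not port.isdigit():
            continue
        if int(port) not in (PRIMARY_PORT, ALTERNATE_PORT):
            continue
        seen.add(src)
        if action.lower() == "allow":
            allowed[src].add(int(port))
    result = {}
    for src in sorted(seen):
        if PRIMARY_PORT in allowed[src]:
            result[src] = "ok"
        elif ALTERNATE_PORT in allowed[src]:
            result[src] = "failover"
        else:
            result[src] = "blocked"
    return result

if __name__ == "__main__":
    for src, status in classify_sensors(SAMPLE_LOG).items():
        print(f"{src}\t{status}")
```

Endpoints reported as `failover` or `blocked` point to network segments where the TCP/443 rule for Device Services is missing or being intercepted.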