
Carbon Black Cloud: Endpoints located in the People's Republic of China have install and check-in failures due to GoDaddy URL being blocked during CRL checking operations

Environment

  • Carbon Black Cloud Sensor: All versions located behind People's Republic of China (PRC) Government Firewall (also known as The Great Firewall or GFW)
  • Endpoint Operating System: All supported
  • Carbon Black Cloud Console: All versions

Symptoms

Endpoints show the symptoms described in "Carbon Black Cloud: Sensor not connecting via proxy/firewall", starting from late August/early September of 2023.

Cause

  • VMware Carbon Black has been notified that the government of the People’s Republic of China will no longer allow access to GoDaddy domains.
  • Since Carbon Black utilizes GoDaddy as a certificate authority, this change prevents our Windows sensors from downloading the latest certificate revocation list (CRL) from crl.godaddy.com.

Resolution

If communication to crl.godaddy.com cannot be re-established, impacted endpoints can re-establish sensor-server communication by disabling CRL checking.

Current workarounds:
  1. For sensor installs 3.4.0.925 and higher, CRL checking can be suppressed using this KB
  2. For sensor installs 3.8.0.722 and higher, CRL checking can remain enabled and set to best effort, so that sensor communication continues if the CRL distribution point is unreachable, using this KB
  3. For sensor check-ins 3.4.0.925 and higher, CRL checking can be suppressed using this KB
  4. For sensor check-ins 3.8.0.722 and higher, CRL checking can remain enabled and set to best effort, so that sensor communication continues if the CRL distribution point is unreachable, using this KB
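
The difference between enforced, best-effort and suppressed CRL checking can be observed from an affected Windows endpoint with the diagnostic script below. It is an added example, not VMware Carbon Black code, and it models the three modes with the .NET chain engine rather than reproducing the sensor's own logic. `$TlsHost` is a placeholder for the sensor backend hostname in your environment, and port 80 for the CRL host is an assumption.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added diagnostic example, not VMware Carbon Black code.
# $TlsHost is a placeholder: pass the sensor backend hostname used in your environment.
param(
    [Parameter(Mandatory)] [string] $TlsHost,
    [int] $TlsPort = 443,
    [string] $CrlHost = 'crl.godaddy.com',  # CRL host named in this article
    [int] $CrlPort = 80                     # assumption: CRL served over plain HTTP
)

# 1. Is the CRL host reachable from this endpoint at all?
$probe = Test-NetConnection -ComputerName $CrlHost -Port $CrlPort -WarningAction SilentlyContinue

# 2. Fetch the server's leaf certificate without validating it; validation happens in step 3.
$tcp = [System.Net.Sockets.TcpClient]::new($TlsHost, $TlsPort)
try {
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($TlsHost)
    $cert = [X509Certificate2]::new($ssl.RemoteCertificate)
} finally { $tcp.Dispose() }

# 3. Build the chain with online revocation checking for every certificate in it.
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$null = $chain.Build($cert)
$status = @($chain.ChainStatus | ForEach-Object { $_.Status })

# 4. Separate "revoked" from "could not find out" from unrelated chain errors.
$unknownFlags = [X509ChainStatusFlags]::RevocationStatusUnknown, [X509ChainStatusFlags]::OfflineRevocation
$revoked = $status -contains [X509ChainStatusFlags]::Revoked
$unknown = @($status | Where-Object { $_ -in $unknownFlags }).Count -gt 0
$other   = @($status | Where-Object { $_ -notin $unknownFlags -and
                                      $_ -ne [X509ChainStatusFlags]::Revoked }).Count -gt 0

# 5. Report what each revocation policy would decide for this connection.
[pscustomobject]@{
    CrlHostReachable  = $probe.TcpTestSucceeded
    ChainStatus       = ($status -join ', ')
    HardFailAccepts   = -not ($revoked -or $unknown -or $other)  # CRL checking enforced
    BestEffortAccepts = -not ($revoked -or $other)               # unreachable CRL tolerated
    DisabledAccepts   = -not $other                              # revocation never consulted
}
```

On an endpoint where the CRL host is blocked, `ChainStatus` typically reports `RevocationStatusUnknown` or `OfflineRevocation`; the chain engine may also answer from a locally cached CRL until that cache expires, so a run shortly after the block takes effect can still succeed.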

Additional Notes

  • Impacted endpoints will continue to enforce protection; however, sensor-server communication will be lost, updates will no longer be received, and sensor events will not be sent back to the console. Sensor events will continue to accumulate on disk until the event size limit is reached or until the sensor re-establishes communication.
  • Additional information can be found in "What are some concerns with disabling the CRL check within the Sensor?"
  • There is an enhancement (internal CBC-27235) under consideration for a possible way to address this limitation in a future release.

Article Information

Creation Date: 09-01-2023