Carbon Black Cloud: How To Troubleshoot Sensor Communication Issues

Environment

  • Carbon Black Cloud Sensor:  All versions
  • Apple macOS: All Supported Versions
  • Linux: All Supported Versions
  • Microsoft Windows: All Supported Versions

Objective

General troubleshooting guide for Sensor communication issues with Carbon Black Cloud services

Resolution

  1. Do the offline sensors all show the last check-in time as the same day/hour? That points to a potential infrastructure change, usually networking related: for instance a firewall ACL change, a GPO change, a new proxy or a proxy password change. Another possibility is a newly implemented zero trust solution; traffic to Carbon Black needs to be bypassed by that solution.
  2. Test network connection to our services by following these docs:
    1. Windows Connectivity Guide: Carbon Black Cloud: How to Test Client Connectivity to CBC Backend (Windows)
    2. Mac/Unix Connectivity Guide: Carbon Black Cloud: How to Test Client Connectivity to CBC Backend (Mac/Linux)
  3. Do all the problem systems belong to the same subnet? That also points to a likely networking change.
  4. Ensure that all firewall and proxy settings are correct. Make sure that the certificate revocation (CRL) checks to GoDaddy can go through, unless you have disabled CRL checks. Make sure the target can be resolved in DNS. Have there been any changes to the system hosts file?
    1. Carbon Black Cloud: What Ports must be opened on the Firewall and Proxy Servers?
    2. Carbon Black Cloud: How To Configure Sensor Not To Require CRL Checks 
  5. If the above look good, what do the logs say?
    1. The c:\program files\confer\confer.log file shows current attempts to connect to our cloud services. The sensor iterates through several attempts to connect to the Carbon Black services in a particular order. Look for log entries around the same time as a “cloud hello” log entry.
      1. Endpoint Standard: What is the order of operations for how Endpoint Standard Sensors connect to clou...
  6. Check the install logs, which detail the sensor registration process, including DNS issues, etc.  Note that if the sensor(s) have previously registered and appear in the console, this may not help much, but can offer some insight as to what previously was set at install.
    1. Carbon Black Cloud: How to Troubleshoot Sensor Installation Issues
  7. Is there an in-line SSL inspection device being used, for instance BlueCoat? Carbon Black services use certificate pinning, so SSL decryption cannot be used on our traffic, or the connection will be rejected.
    1. Carbon Black Cloud: Is SSL Inspection Between the Sensor and the Backend Supported?
  8. Are the GoDaddy root certificates installed?
    1. Carbon Black Cloud: Sensor fails to install due to removed Root Certificate Authority
    2. CB Defense: Why Are Godaddy's OCSP And CRL Domains Required When Installing A 3.3 + Sensor?
  9. Is it possible that there are old records from a re-registered, reimaged, VDI or decommissioned device?
    1. If a system is re-registered (repcli reregister), it will get a new unique Device ID, and a new record will be generated for the sensor. The old record will not be deleted and will still show "Active" for 30 days. The old record also has to be marked as deregistered before it can be deleted, either manually or automatically. This can lead to multiple records in the back-end database.
      1. Carbon Black Cloud: How to Get Started With RepCLI     
    2. A VDI system needs special setup or you will get duplicate records
      1. Installing Sensors on Endpoints in a VDI Environment
      2. https://community.carbonblack.com/t5/Knowledge-Base/Endpoint-Standard-How-to-Fix-Duplicate-Device-ID...
    3. Devices that are decommissioned need to be removed from the console, unless the sensor is uninstalled and can communicate with our cloud services at the time of uninstall.  During an uninstall, the sensor will attempt to contact our back-end services and de-register itself.  Note that the record will still be in the console and will be listed as deregistered.  The record can then be manually or automatically deleted.
    4. If a system is reimaged and the sensor was not uninstalled before the reimage, the old sensor record will show as “Active” for 30 days from its last communication to our cloud services. Then it will show as “inactive”. When a machine is reimaged, the sensor on the new image will get a unique Device ID when it registers.
      1. Carbon Black Cloud: How To Uninstall/Deregister Sensors From the Web Console
  10. Export all your sensor data from the console to a CSV file, and make a pivot table in Excel to locate any duplicate hostnames.
  11. Is Auto-Delete enabled? You may not have the Auto Delete setting enabled.
    1. Cb Defense: Deregistered Sensor FAQ  
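
The checks in steps 1, 3 and 10 can be run against the same CSV export instead of an Excel pivot table. The following Python script is an added example, not Carbon Black code. The column names, the 24-hour staleness threshold and the /24 subnet grouping are assumptions, and the sample rows are constructed.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column names are assumptions, not the console's
# documented headers; rename them to match your CSV.
SAMPLE_CSV = """name,deviceId,status,lastContactTime,lastInternalIpAddress
WS-001,1001,ACTIVE,2021-09-20T14:05:00,10.1.20.11
WS-002,1002,ACTIVE,2021-09-20T14:12:00,10.1.20.12
WS-003,1003,ACTIVE,2021-09-20T14:40:00,10.1.20.13
WS-004,1004,ACTIVE,2021-09-29T08:55:00,10.1.30.21
ws-004,1009,ACTIVE,2021-09-02T11:00:00,10.1.30.21
"""

def load(text):
    """Parse the export and attach a parsed last-contact timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["seen"] = datetime.fromisoformat(r["lastContactTime"])
    return rows

def duplicate_hostnames(rows):
    """Hostnames with more than one record (step 10), newest record first."""
    by_host = defaultdict(list)
    for r in rows:
        by_host[r["name"].strip().lower()].append(r)
    return {h: sorted(rs, key=lambda r: r["seen"], reverse=True)
            for h, rs in by_host.items() if len(rs) > 1}

def offline_clusters(rows, now, stale=timedelta(hours=24), prefix=24):
    """Count stale sensors per last check-in hour and per subnet (steps 1, 3)."""
    hours, subnets = Counter(), Counter()
    for r in rows:
        if now - r["seen"] < stale:
            continue  # checked in recently, not part of the problem set
        hours[r["seen"].strftime("%Y-%m-%d %H:00")] += 1
        net = ipaddress.ip_network(
            f'{r["lastInternalIpAddress"]}/{prefix}', strict=False)
        subnets[str(net)] += 1
    return hours, subnets

if __name__ == "__main__":
    rows = load(SAMPLE_CSV)
    hours, subnets = offline_clusters(rows, now=datetime(2021, 9, 29, 9, 0))
    print("Stale sensors by last check-in hour:", hours.most_common())
    print("Stale sensors by subnet:", subnets.most_common())
    for host, recs in duplicate_hostnames(rows).items():
        print(host, "->", [(r["deviceId"], r["lastContactTime"]) for r in recs])
```

A single hour or subnet that dominates the counts points to the infrastructure change described in steps 1 and 3. For each duplicated hostname, every record after the first is an older record of the kind described in step 9.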

This article should help with 90% of communication issues.  If this does not help, please open a case and gather a sensor diagnostic and send the resulting file in to CB Support. 
  1. Carbon Black Cloud: How To Collect Sensor Logs Locally (Windows)
  2. Carbon Black Cloud: How To Collect Sensor Logs Locally (Mac)
  3. Carbon Black Cloud: How to Collect Sensor logs locally (Linux)

Related Content

Carbon Black Cloud: How to Test Client Connectivity to CBC Backend (Windows)
Carbon Black Cloud: How to Test Client Connectivity to CBC Backend (Mac/Linux)
Carbon Black Cloud: What Ports must be opened on the Firewall and Proxy Servers?
Carbon Black Cloud: How To Configure Sensor Not To Require CRL Checks
Endpoint Standard: What is the order of operations for how Endpoint Standard Sensors connect to clou...
Carbon Black Cloud: How to Troubleshoot Sensor Installation Issues
Carbon Black Cloud: Is SSL Inspection Between the Sensor and the Backend Supported?
CB Defense: Why Are Godaddy's OCSP And CRL Domains Required When Installing A 3.3 + Sensor?
Carbon Black Cloud: How to Get Started With RepCLI
Installing Sensors on Endpoints in a VDI Environment
Carbon Black Cloud: How To Uninstall/Deregister Sensors From the Web Console
Cb Defense: Deregistered Sensor FAQ
Carbon Black Cloud: How To Collect Sensor Logs Locally (Windows)
Carbon Black Cloud: How To Collect Sensor Logs Locally (Mac)
Carbon Black Cloud: How to Collect Sensor logs locally (Linux)

Article Information
Creation Date: 09-29-2021