Carbon Black Cloud: How do I interpret the results of the Audit & Remediation query for TLS settings?

Environment

  • Carbon Black Cloud: LiveQuery search

Question

How do I interpret the results of the Audit & Remediation query for TLS settings?

Answer

For the following Audit & Remediation query:

    SELECT
      reg.key,
      reg.name,
      reg.data as Value,
      CASE
        WHEN reg.data = 1 THEN 'TLS 1.2 Protocol disabled'
        WHEN reg.data = 0 THEN 'TLS 1.2 not disabled by default'
        ELSE 'Registry key not found'
      END DisabledByDefault
    FROM registry reg
    WHERE PATH LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault';

the results mean:

  • 0: TLS 1.2 is not disabled on this Device
  • 1: TLS 1.2 is disabled on the Device
  • "Registry key not found": This OS does not have this registry key by default
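
To cross-check a single endpoint locally, the following PowerShell reads the same registry value and reports it in the query's terms. This is an added example, not Carbon Black code; the function name Get-Tls12ClientDefault is hypothetical, and data other than 0 or 1 is reported separately rather than folded into "Registry key not found".

```powershell
# Added example: local read of the value the Audit & Remediation query inspects.
# Get-Tls12ClientDefault is a hypothetical helper name, not a Carbon Black cmdlet.
function Get-Tls12ClientDefault {
    [CmdletBinding()]
    param(
        # Same key as in the query, expressed through the HKLM: registry drive.
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    )

    $name = 'DisabledByDefault'
    $data = $null

    # The key may be absent, or the key may exist without the value.
    # Both cases leave $data as $null.
    if (Test-Path -LiteralPath $KeyPath) {
        $item = Get-ItemProperty -LiteralPath $KeyPath -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $data = $item.$name }
    }

    # The strings for 0, 1 and "not found" match the CASE expression in the query.
    # Any other data is surfaced as-is so it can be investigated.
    $status = if ($null -eq $data) {
        'Registry key not found'
    } elseif ($data -eq 1) {
        'TLS 1.2 Protocol disabled'
    } elseif ($data -eq 0) {
        'TLS 1.2 not disabled by default'
    } else {
        "Unexpected data: $data"
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Key               = $KeyPath
        Name              = $name
        Value             = $data
        DisabledByDefault = $status
    }
}

Get-Tls12ClientDefault | Format-List
```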

Additional Notes

A number of operating systems do not have the registry value for disabling TLS 1.2 that the query reads, although they are shown in the article linked to the FAQ in Related Links. These should show the value "Registry key not found".

It is much clearer to use the following search terms on Inventory → Endpoints or Inventory → VM Workloads:

    tlsVersion:TLSv1 OR tlsVersion:TLSv1.1

Article Information
Creation Date: 08-05-2022