Environment
- Carbon Black Cloud Console: All Versions
- Endpoint Standard
- Enterprise EDR
- Audit & Remediation
- Workload
- Carbon Black Cloud Sensor: 3.6.0.x and Higher
- Microsoft Windows: All Supported Versions
Objective
Provide steps for correcting issues with Windows Sensors downloading content manifest data from content.carbonblack.io after receiving a related Alert.
Resolution
- Check access to content.carbonblack.io from endpoint
- Verify that any configured proxy or firewall allows outbound (endpoint to cloud) communication
| URL | Port | Direction | SSL Inspection |
|---|---|---|---|
| content.carbonblack.io | TCP/443 | Outbound | Disabled |
- If not corrected above, verify at least one of the supported TLS cipher suites is enabled via PowerShell
  - Check enabled cipher suite by name
    C:\> Get-TlsCipherSuite -Name <Cipher_Suite_Name>
    If nothing is returned, the cipher suite is not enabled
    Example with TLS 1.2/FIPS compliant cipher suite
    C:\> Get-TlsCipherSuite -Name TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - Check all enabled cipher suites
    C:\> Get-TlsCipherSuite | foreach {$_.Name}
  - Enable cipher suites
    C:\> Enable-TlsCipherSuite -Name <Cipher_Suite_Name>
    Example with TLS 1.2 and FIPS compliant cipher suite
    C:\> Enable-TlsCipherSuite -Name TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- Check status of Manifest downloads
- If the count of ManifestDownloadFailure alarms continues to increase and/or 'Last Manifest Content Update Time' does not get set or updated, please open a case with Carbon Black Technical Support and provide:
  - Org Key
  - Hostname
  - Verification of access from step 1
  - Configuration information of firewall/proxy exclusion from step 2
  - Firewall/proxy logs with any errors in communicating with content.carbonblack.io
  - Output of step 4 above
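
The connectivity and cipher suite checks above can be gathered in one pass with the script below. It is an added example, not Carbon Black's own tooling. It assumes the endpoint connects directly rather than through an explicit proxy, and that `$CandidateSuites` is filled in by the operator (the default is only the example suite shown on this page); `Test-ContentEndpoint` is a hypothetical helper name.

```powershell
# Added example: one-pass check of reachability, TLS handshake and cipher suites.
# Assumptions: direct connection (no explicit proxy); $CandidateSuites is supplied
# by the operator and defaults to the single example suite named on this page.
param(
    [string]$ContentHost = 'content.carbonblack.io',
    [string[]]$CandidateSuites = @('TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384')
)

function Test-ContentEndpoint {
    param([string]$HostName, [string[]]$Suites)

    $result = [ordered]@{
        Host = $HostName; TcpReachable = $false; TlsProtocol = $null
        CertSubject = $null; CertIssuer = $null; TlsError = $null
        EnabledSuites = @(); MissingSuites = @()
    }

    # Compare full names, case-sensitively, so a partial string never counts as enabled.
    $enabled = @(Get-TlsCipherSuite | ForEach-Object { $_.Name })
    $result.EnabledSuites = @($Suites | Where-Object { $enabled -ccontains $_ })
    $result.MissingSuites = @($Suites | Where-Object { $enabled -cnotcontains $_ })

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, 443)
        $result.TcpReachable = $true
        # Handshake with default certificate validation; failures are recorded below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $result.TlsProtocol = $ssl.SslProtocol.ToString()
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertSubject = $cert.Subject
        $result.CertIssuer = $cert.Issuer
        $ssl.Dispose()
    } catch {
        # Keep the innermost message: it names the TCP, TLS or certificate failure.
        $result.TlsError = $_.Exception.GetBaseException().Message
    } finally {
        $tcp.Close()
    }
    [pscustomobject]$result
}

$report = Test-ContentEndpoint -HostName $ContentHost -Suites $CandidateSuites
$report | Format-List
if (-not $report.EnabledSuites) { Write-Warning 'None of the candidate cipher suites is enabled.' }
if ($report.TlsError) { Write-Warning "TLS handshake failed: $($report.TlsError)" }
```

A `CertIssuer` that names your own proxy or inspection CA means SSL inspection is still being applied to this host, which conflicts with the table above. The `Format-List` output can be attached to a support case as the verification of access.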
Additional Notes
- There is no need to perform these steps unless directed to do so by a CB Analytics Alert in the Carbon Black Cloud Console or by a member of VMware Carbon Black Technical Support
- If using 3rd Party Apps/Software to manage your Cipher Suites, please follow any and all Vendor guidance
- If the alert is older than 24 hours there is no action needed as there are no devices reporting the alarm