Carbon Black Cloud: How to remediate ManifestDownloadFailure alarms (Windows)

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard
    • Enterprise EDR
    • Audit & Remediation
    • Workload
  • Carbon Black Cloud Sensor: 3.6.0.x and Higher
  • Microsoft Windows: All Supported Versions

Objective

Provide steps for correcting failures of Windows sensors to download content manifest data from content.carbonblack.io after a related alert is received.

Resolution

  1. Check access to content.carbonblack.io from the endpoint
  2. Verify that any configured proxy or firewall allows outbound (endpoint to cloud) communication
    URL                      Port      Direction   SSL Inspection
    content.carbonblack.io   TCP/443   Outbound    Disabled
  3. If not corrected above, verify at least one of the supported TLS cipher suites is enabled via PowerShell
    1. Check enabled cipher suite by name
      C:\> Get-TlsCipherSuite -Name <Cipher_Suite_Name>
      If nothing is returned, the cipher suite is not enabled.
      
      Example with a TLS 1.2/FIPS-compliant cipher suite
      C:\> Get-TlsCipherSuite -Name TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    2. Check all enabled cipher suites
      C:\> Get-TlsCipherSuite | foreach {$_.Name}
    3. Enable cipher suites
      C:\> Enable-TlsCipherSuite -Name <Cipher_Suite_Name>
      
      Example with a TLS 1.2/FIPS-compliant cipher suite
      C:\> Enable-TlsCipherSuite -Name TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  4. Check status of Manifest downloads
  5. If the count of ManifestDownloadFailure alarms continues to increase and/or 'Last Manifest Content Update Time' does not get set or updated, please open a case with Carbon Black Technical Support and provide:
    Org Key
    Hostname
    Verification of access from step 1
    Configuration information of firewall/proxy exclusion from step 2
    Firewall/proxy logs with any errors in communicating with content.carbonblack.io
    Output of step 4 above
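
The checks in steps 1 to 3 can be gathered in one pass and attached to the support case. The PowerShell script below is an added example, not Carbon Black tooling; its parameter names, the explicit TLS 1.2 handshake and the single default cipher suite (taken from the example in step 3) are assumptions.

```powershell
# Added example, not Carbon Black tooling. Run on the affected endpoint.
param(
    [string]$ContentHost = 'content.carbonblack.io',   # host and port from step 2
    [int]$Port = 443,
    # Assumption: only the suite used in the article's example; pass the suites you need to check.
    [string[]]$CipherSuites = @('TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384')
)

$report = [ordered]@{ Host = $ContentHost; Port = $Port }

# Steps 1-2: can the endpoint open an outbound TCP connection to the content host?
$tcp = Test-NetConnection -ComputerName $ContentHost -Port $Port -WarningAction SilentlyContinue
$report.TcpReachable = $tcp.TcpTestSucceeded

# Step 2: complete a TLS handshake and record which certificate was presented.
# An issuer that belongs to your own proxy or firewall CA means SSL inspection is still applied.
if ($tcp.TcpTestSucceeded) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ContentHost, $Port)
        # Diagnostic only: accept any certificate so an inspecting proxy's certificate can be reported.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        # Assumption: TLS 1.2, matching the cipher suite example in step 3.
        $ssl.AuthenticateAsClient($ContentHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $report.TlsProtocol = $ssl.SslProtocol
        $report.CertSubject = $cert.Subject
        $report.CertIssuer  = $cert.Issuer
        $ssl.Dispose()
    } catch {
        # A handshake failure after a successful TCP connect points at cipher suites or a proxy.
        $report.TlsError = $_.Exception.Message
    } finally {
        $client.Close()
    }
}

# Step 3: Get-TlsCipherSuite returns nothing when the named suite is not enabled.
foreach ($name in $CipherSuites) {
    $report["Suite:$name"] = [bool](Get-TlsCipherSuite -Name $name)
}

[pscustomobject]$report | Format-List
```

Compare CertIssuer with the issuer seen from a network path that bypasses the proxy; a mismatch indicates the SSL inspection exclusion from step 2 is not in effect.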

Additional Notes

  • There is no need to perform these steps unless directed to do so by a CB Analytics Alert in the Carbon Black Cloud Console or by a member of VMware Carbon Black Technical Support
  • If using 3rd Party Apps/Software to manage your Cipher Suites, please follow any and all Vendor guidance
  • If the alert is older than 24 hours, no action is needed, as no devices are reporting the alarm

Article Information

Creation Date: 08-06-2021