Carbon Black Cloud: Installation fails CRL check without WinHTTP proxy set (3.3.x.x and higher)

Environment

  • Carbon Black Cloud Sensor: 3.3.x.x and Higher
    • Audit & Remediation (was CB LiveOps)
    • Endpoint Standard (was CB Defense)
    • Enterprise EDR (was CB ThreatHunter)
  • Microsoft Windows: All Supported Versions
  • A proxy is in place and all external network traffic is blocked, but the proxy is not configured for WinHTTP on the endpoint

Symptoms

  • Attempted install of the Sensor fails overall even though proxy information (PROXY_SERVER) is included in the install command
  • Sensor record shows up on Endpoints page without OS or Sensor Version data, indicating successful registration but failed install
  • Packet capture shows successful connection with correct Device Services URL but failure connecting to OCSP and CRL URLs
  • No WinHTTP proxy is shown via the command line:
    C:\>netsh winhttp show proxy
    
    Current WinHTTP proxy settings:
    
        Direct access (no proxy server).

Cause

OCSP and CRL traffic is not handled directly by the Sensor or the installer and does not use the proxy parameters specified at install. It is offloaded to the system, which requires WinHTTP to be set to the proxy as well.

Resolution

Options
  • Ensure WinHTTP is configured to use the existing proxy server:port
OR

Additional Notes

  • WinHTTP proxy can be set manually via command line interface (CLI) on individual machines as needed
    netsh winhttp set proxy <proxy>:<port>
  • WinHTTP proxy can be set via Group Policy Object (GPO) in larger environments
  • Setting WinHTTP proxy information may also be possible via proxy-side configuration
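
A pre-install check for the condition described under Symptoms and Cause, as an added example (not Carbon Black code): it parses the output of netsh winhttp show proxy and compares it with the proxy passed as PROXY_SERVER. The function name, status values and proxy.example.test are hypothetical, the sample outputs are constructed, and English-language netsh output is assumed.

```powershell
# Added example: classify the WinHTTP proxy state before running the Sensor installer.
function Test-WinHttpProxy {
    param(
        [string[]]$NetshOutput,                        # lines from: netsh winhttp show proxy
        [Parameter(Mandatory)][string]$ExpectedProxy   # same <proxy>:<port> given as PROXY_SERVER
    )
    $text = $NetshOutput -join "`n"
    if ($text -match 'Direct access \(no proxy server\)') {
        # The state shown under Symptoms: OCSP/CRL lookups would go direct and be blocked.
        return [pscustomobject]@{ Status = 'NotSet'; Configured = $null }
    }
    if ($text -match 'Proxy Server\(s\)\s*:\s*(\S+)') {
        $configured = $Matches[1]
    } else {
        return [pscustomobject]@{ Status = 'Unparsed'; Configured = $null }
    }
    # The value is either "host:port" or a per-scheme list like "http=host:port;https=host:port".
    $httpProxy = $null
    foreach ($entry in ($configured -split ';')) {
        if ($entry -match '^(?<scheme>\w+)=(?<addr>.+)$') {
            if ($Matches.scheme -eq 'http') { $httpProxy = $Matches.addr }
        } else {
            $httpProxy = $entry    # an unscoped entry applies to every scheme
        }
    }
    # Assumption (not stated on the page): the CRL and OCSP URLs are plain HTTP, as is
    # typical, so a list without an http entry is reported separately.
    if (-not $httpProxy) { $status = 'NoHttpEntry' }
    elseif ($httpProxy -ieq $ExpectedProxy) { $status = 'Match' }
    else { $status = 'Mismatch' }
    [pscustomobject]@{ Status = $status; Configured = $configured }
}

# Constructed sample outputs so the parser can be exercised offline.
$direct = @('', 'Current WinHTTP proxy settings:', '',
            '    Direct access (no proxy server).')
$scoped = @('', 'Current WinHTTP proxy settings:', '',
            '    Proxy Server(s) :  https=proxy.example.test:8080',
            '    Bypass List     :  (none)')

Test-WinHttpProxy -NetshOutput $direct -ExpectedProxy 'proxy.example.test:8080'
Test-WinHttpProxy -NetshOutput $scoped -ExpectedProxy 'proxy.example.test:8080'

# On an endpoint, feed it the live output:
# Test-WinHttpProxy -NetshOutput (netsh winhttp show proxy) -ExpectedProxy '<proxy>:<port>'
```

Any status other than Match means the WinHTTP proxy should be corrected before the installer is run.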

Article Information
Creation Date: 08-25-2020