Knowledge Base

Yes

Environment

Carbon Black Cloud Windows Sensor: Version 3.3.x.x and Higher
Microsoft Windows: All Supported Versions
Network Proxy and/or Firewall

Symptoms

Endpoint Standard sensor fails to install
Endpoint Standard sensor stops checking in to the console

The following error can be observed in the confer logs

http: schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline

This issue may also occur in environments without a proxy
This issue may occur on select machines while others with the same network configuration are able to communicate

Cause

CRL (Certificate Revocation List) checks are performed on a per application basis
The 3.3.x.x and higher sensor relies on Windows to execute a CRL check
The CRL traffic generated by Windows needs to be allowed
This traffic is attempting to access the ocsp.godaddy.com and crl.godaddy.com domains

Resolution

Depending on the environment, there are multiple options to allow this traffic not limited to but including the following general steps. Specific steps will depend on environment configuration.

Options:

Configure the Winhttp service on the affected machines to utilize the proxy for Windows CRL checks
Configure the proxy or firewall to allow CRL traffic
Allow port 80 traffic to crl.godaddy.com and ocsp.godaddy.com through the proxy or firewall
For sensors 3.4.0.925 and higher review Carbon Black Cloud: How To Configure Sensor Not To Require CRL Checks On Install
For sensors 3.8.0.722 and higher review Carbon Black Cloud: How to Adjust CRL checking for Best Effort

Additional Notes

Additional information can be found about What are some concerns with disabling the CRL check within the Sensor?
The minimum requirement to resolve this issue is to allow CRL check traffic to the crl.godaddy.com and ocsp.godaddy.com domains as noted in the last option listed under Resolution
The crl.godaddy.com and ocsp.godaddy.com domains utilize OCSP (Online Certificate Status Protocol) and Certificate Revocation List (CRL) checks to validate the sensor's install certificate
CAPI2 logging can be enabled on the affected device to provide further insight into CRL traffic
If the issue is not resolved with the above configuration changes or only occurs on a subset of machines with the same network configuration, please open a support case

Related Content

Carbon Black Cloud: How to Adjust CRL checking for Best Effort
Carbon Black Cloud: How To Configure Sensor Not To Require CRL Checks On Install
Netsh.exe and ProxyCfg.exe Proxy Configuration Tools - Win32 apps
Carbon Black Cloud: What Ports must be opened on the Firewall and Proxy Servers?
CB Defense: Why Are Godaddy's OCSP And CRL Domains Required When Installing A 3.3 + Sensor?
CB Defense: Will sensors continue to check-in if port 80 is blocked?
Carbon Black Cloud: How To Configure Sensor Not To Require CRL Checks On Install
Carbon Black Cloud: What are some concerns with disabling the CRL check within the Sensor?

Knowledge Base

Carbon Black Cloud: Sensor not connecting via proxy/firewall

Carbon Black Cloud: Sensor not connecting via proxy/firewall

Environment

Symptoms

Cause

Resolution

Additional Notes

Related Content

Audit and Remediation

Carbon Black Cloud

Container

Endpoint Standard

Enterprise EDR

Managed Detection

Managed Detection and Response

Prevention

Workload

Knowledge Base

Carbon Black Cloud: Sensor not connecting via proxy/firewall

Carbon Black Cloud: Sensor not connecting via proxy/firewall

Environment

Symptoms

Cause

Resolution

Additional Notes

Related Content

Thank you for your feedback.

Thank you for your feedback.