Carbon Black Cloud: Sensor not connecting via proxy/firewall

Environment

  • Carbon Black Cloud Windows Sensor: Version 3.3.x.x and Higher
  • Microsoft Windows: All Supported Versions
  • Network Proxy and/or Firewall

Symptoms

  • Endpoint Standard sensor fails to install
  • Endpoint Standard sensor stops checking in to the console
  • The following error can be observed in the confer logs:
    http: schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline
  • This issue may also occur in environments without a proxy
  • This issue may occur on select machines while others with the same network configuration are able to communicate

Cause

  • CRL (Certificate Revocation List) checks are performed on a per-application basis
  • The 3.3.x.x and higher sensor relies on Windows to perform the CRL check
  • The CRL traffic generated by Windows needs to be allowed
  • This traffic attempts to reach the ocsp.godaddy.com and crl.godaddy.com domains

Resolution

Depending on the environment, there are multiple options to allow this traffic, including but not limited to the following general steps. Specific steps will depend on the environment configuration.

  • Configure the WinHTTP service on the affected machines to use the proxy for Windows CRL checks, or
  • Configure the proxy or firewall to allow CRL traffic, or
  • Allow port 80 traffic to crl.godaddy.com and ocsp.godaddy.com through the proxy or firewall

Additional Notes

  • Disabling CRL checking may open up devices to man-in-the-middle attacks if the following criteria are met:
    1. Carbon Black Cloud revokes a certificate. To date, this has never happened.
    2. An attacker leverages the revoked certificate for a man-in-the-middle attack
  • The minimum requirement to resolve this issue is to allow CRL check traffic to the crl.godaddy.com and ocsp.godaddy.com domains, as noted in the last option listed under Resolution
  • The crl.godaddy.com and ocsp.godaddy.com domains serve OCSP (Online Certificate Status Protocol) responses and Certificate Revocation Lists (CRLs) used to validate the sensor's install certificate
  • CAPI2 logging can be enabled on the affected device to provide further insight into CRL traffic
  • If the issue is not resolved with the above configuration changes or only occurs on a subset of machines with the same network configuration, please open a support case
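The WinHTTP proxy setting, the port 80 reachability check and the CAPI2 logging mentioned under Resolution and Additional Notes, combined into one PowerShell diagnostic script. This is an added example, not part of the original article or of Carbon Black's tooling; the proxy address is a placeholder you must replace, and the host names are the ones named in the article.

```powershell
# Added diagnostic script (not from the original article or Carbon Black tooling).
# Run from an elevated PowerShell prompt on the affected endpoint.
# Assumptions: $proxyServer is a PLACEHOLDER for your environment's proxy;
# the CRL/OCSP hosts are the ones the article names.

$crlHosts    = @('crl.godaddy.com', 'ocsp.godaddy.com')
$proxyServer = 'proxy.example.internal:8080'   # PLACEHOLDER: replace before use

# 1. Show the proxy WinHTTP uses. Windows performs the sensor's CRL/OCSP fetch through
#    WinHTTP, so "Direct access (no proxy server)" on a proxy-only network means the
#    revocation check never leaves the host and fails with 0x80092013.
netsh winhttp show proxy

# 2. Check TCP port 80 reachability to each revocation endpoint from this machine.
#    A failed TcpTestSucceeded points at the firewall/proxy rule in Resolution.
$reach = foreach ($h in $crlHosts) {
    $t = Test-NetConnection -ComputerName $h -Port 80 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host        = $h
        ResolvedTo  = $t.RemoteAddress
        Port80Open  = $t.TcpTestSucceeded
    }
}
$reach | Format-Table -AutoSize

# 3. Enable the CAPI2 operational log (Additional Notes) and list recent events that
#    mention revocation or the 0x80092013 error, to confirm which URL Windows tried.
wevtutil set-log 'Microsoft-Windows-CAPI2/Operational' /enabled:true
Get-WinEvent -LogName 'Microsoft-Windows-CAPI2/Operational' -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '80092013|revocation' } |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 4. First Resolution option: route WinHTTP (and therefore CRL checks) through the proxy.
#    Uncomment after replacing the placeholder; <local> keeps intranet traffic direct.
# netsh winhttp set proxy proxy-server="$proxyServer" bypass-list="<local>"
```

Rerun step 2 after applying the firewall/proxy change to confirm both hosts report Port80Open as True.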

Article Information
Creation Date: 11-27-2018