Carbon Black Cloud: Sensor reported Established connection while proxy logs indicate connection was blocked

Environment

  • Carbon Black Cloud Console: All Versions

Symptoms

The console shows successful outgoing internet (browser) connections reported by the sensor, but the proxy logs show that they were blocked by the proxy.

Cause

The sensor reports the connection as successful because it sees a complete TCP connection (carrying HTTP) rather than a deny, drop, or reset from the remote device, which here is the proxy.

The browser completes a TCP connection to the proxy, and the proxy then sends a deny message back to the browser at the HTTP layer, not the TCP layer, so the user can see that the site was blocked. From our sensor's perspective there was therefore a connection to that "site". The sensor treats the proxy as a pseudo-transparent device: it records a successful TCP connection for a browser request to a remote server when it was actually a successful connection to the proxy.

Resolution

There is no resolution for this, as we do not have application-layer visibility, which is what would be needed to identify that the connection was blocked at the proxy.
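Since the sensor cannot see the proxy's HTTP response, the proxy's own log is the place to confirm whether a reported connection was actually blocked. The script below is an added example, not Carbon Black code: it matches sensor-reported connections against proxy log entries by client IP, host and time. It assumes a Squid-style access log; the sensor event field names and all sample records are constructed for illustration.

```python
from datetime import datetime

# Constructed sensor events; field names are hypothetical, not a Carbon Black export schema.
# "remote" is the proxy itself, which is why the sensor records an established connection.
SENSOR_EVENTS = [
    {"ts": "2021-12-06T10:15:02Z", "local_ip": "10.0.0.21", "remote": "10.0.0.5:3128", "domain": "blocked.example"},
    {"ts": "2021-12-06T10:15:40Z", "local_ip": "10.0.0.21", "remote": "10.0.0.5:3128", "domain": "allowed.example"},
    {"ts": "2021-12-06T10:16:10Z", "local_ip": "10.0.0.22", "remote": "10.0.0.5:3128", "domain": "nolog.example"},
]

# Constructed proxy log in Squid's native access.log layout (assumed proxy product):
# epoch elapsed client result/status bytes method url user hierarchy type
PROXY_LOG = """\
1638785702.412 3 10.0.0.21 TCP_DENIED/403 3920 CONNECT blocked.example:443 - HIER_NONE/- text/html
1638785740.100 215 10.0.0.21 TCP_TUNNEL/200 5120 CONNECT allowed.example:443 - HIER_DIRECT/203.0.113.10 -
"""

def parse_proxy_log(text):
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue  # skip blank or truncated lines
        result, _, status = f[3].partition("/")
        # Reduce "host:443" or "http://host/path" to the bare host name.
        host = f[6].split("://")[-1].split("/")[0].rsplit(":", 1)[0].lower()
        rows.append({"ts": float(f[0]), "client": f[2], "result": result,
                     "status": int(status) if status.isdigit() else 0, "host": host})
    return rows

def classify(event, rows, window=5.0):
    t = datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).timestamp()
    hits = [r for r in rows if r["client"] == event["local_ip"]
            and r["host"] == event["domain"].lower() and abs(r["ts"] - t) <= window]
    if not hits:
        return "no-proxy-record"  # cannot confirm either way from the proxy side
    nearest = min(hits, key=lambda r: abs(r["ts"] - t))
    # 407 is an authentication challenge, not a policy block, so it is excluded.
    denied = nearest["result"] == "TCP_DENIED" and nearest["status"] != 407
    return "blocked-at-proxy" if denied else "allowed-by-proxy"

def correlate(events=SENSOR_EVENTS, log=PROXY_LOG):
    rows = parse_proxy_log(log)
    return [(e["domain"], classify(e, rows)) for e in events]

if __name__ == "__main__":
    for domain, verdict in correlate():
        print(f"{domain:20} {verdict}")
```

The 5-second matching window is an arbitrary starting value; widen it if the endpoint and proxy clocks are not closely synchronized.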

Article Information

Creation Date: 12-06-2021