Carbon Black Cloud: Sensors unable to communicate after registration when Proxy/Firewall inserts its own certificate

Environment

  • Carbon Black Cloud Console: All Versions
    • Audit & Remediation (was CB LiveOps)
    • Endpoint Standard (was CB Defense)
    • Enterprise EDR (was CB ThreatHunter)
  • Carbon Black Cloud Sensor: All Versions
  • Linux: All Supported Versions
  • macOS: All Supported Versions
  • Microsoft Windows: All Supported Versions

Symptoms

  • Sensor able to register with Cloud
  • No subsequent Events are found for Sensor
  • Last Check-In remains close to Registration date and time
  • Packet capture (pcap from Wireshark or similar) at or after install shows Unknown CA
  • Transport Layer Security in pcap shows certificate from Proxy/Firewall provider instead of *.conferdeploy.net

Cause

The Proxy/Firewall is inserting its own Certificate, which causes communication between the Sensor and the Cloud to fail.

Resolution

Apply one or both of the options below, depending on what the Proxy/Firewall allows to be configured:
  • Change configuration of Proxy/Firewall to prevent insertion of its own Certificates for *.conferdeploy.net
  • Export the Certificate from the Carbon Black Cloud Dashboard and import into Proxy/Firewall
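
To confirm the certificate substitution described under Symptoms without a packet capture, and to re-check after the Proxy/Firewall change, the script below compares the certificate presented on the Sensor's network path with one recorded from a path that bypasses the Proxy/Firewall. It is an added example, not Carbon Black tooling; the host name and reference fingerprint are operator-supplied, the trust check uses this machine's OS trust store, and the connection is assumed to be direct or transparently intercepted (no explicit HTTP proxy).

```python
# Added example, not Carbon Black tooling.
# Assumptions: HOST is your own backend name under *.conferdeploy.net, and
# REFERENCE_SHA256 was read with this script on a path that bypasses the proxy.
import hashlib
import socket
import ssl
import sys


def _handshake(host, port, ctx, timeout):
    """Complete one TLS handshake and return the leaf certificate as DER."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def probe(host, port=443, timeout=10):
    """Return (verify_error, sha256 hex of the leaf certificate seen here)."""
    verify_error = None
    try:
        _handshake(host, port, ssl.create_default_context(), timeout)
    except ssl.SSLCertVerificationError as exc:
        verify_error = exc.verify_message  # e.g. issuer not in the local store
    # Second handshake with verification off, only to read what was presented.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    der = _handshake(host, port, ctx, timeout)
    return verify_error, hashlib.sha256(der).hexdigest()


def normalize(fingerprint):
    return fingerprint.replace(":", "").replace(" ", "").lower()


def assess(verify_error, observed_fp, reference_fp):
    """Classify this path against the fingerprint from the un-proxied path."""
    if normalize(observed_fp) == normalize(reference_fp):
        return "match"                 # same certificate on both paths
    if verify_error:
        return "replaced-untrusted"    # different cert, issuer not trusted here
    # Different but locally trusted: a proxy CA in the OS store, or the
    # service rotated / load-balanced certificates between the two runs.
    return "differs-but-trusted"


if __name__ == "__main__":
    host, reference = sys.argv[1], sys.argv[2]
    error, observed = probe(host)
    print(f"{host}: sha256={observed} verify_error={error!r}")
    print(assess(error, observed, reference))
```

Run it first on the un-proxied path with any placeholder as the second argument to read the reference fingerprint, then on the affected host with that fingerprint. Take both readings close together so a certificate rotation is not mistaken for substitution.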

Additional Notes

For guidance on configuration changes specific to a given Proxy/Firewall, contact the vendor of that Proxy/Firewall.

Article Information

Creation Date: 11-04-2020