Cb Protection agent-generated CRL (ocrl) traffic does not appear to follow netsh proxy settings

Version

Cb Protection Agent 7.2.x

Issue

The Cb Protection agent calls CertGetCertificateChain to perform CRL checks and build the certificate chain context. This can trigger a network request via WinHTTP to verify revocation status. WinHTTP should honor locally defined proxy settings; however, the user observes a direct OCSP connection instead of one made through the designated proxy.

Symptoms

Captured netsh traces (scenario=InternetClient) and CAPI2 logs show this network connection being established.

Cause

On 64-bit Windows machines there are two separate "netsh" commands, each with its own settings. In this case, the proxy had been set using the 64-bit netsh.

However, Cb Protection is a 32-bit application.

Solution

Once the 32-bit netsh was called as below to point to the proxy server, OCRL calls started respecting the proxy server settings:

c:\windows\syswow64\netsh winhttp set proxy myproxy:80

c:\windows\syswow64\netsh winhttp show proxy
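
To check a host for the mismatch described under Cause, the following added example (not part of the original article or the vendor's tooling) runs both netsh binaries and compares what each reports. The function name Get-WinHttpProxyView is illustrative, and the script assumes a 64-bit Windows installation.

```powershell
# Added example: compare the WinHTTP proxy seen by 64-bit and 32-bit processes.
# Get-WinHttpProxyView is an illustrative name, not a built-in cmdlet.
function Get-WinHttpProxyView {
    $root = $env:SystemRoot
    # A 32-bit PowerShell host is redirected from System32 to SysWOW64,
    # so reach the 64-bit netsh through the Sysnative alias in that case.
    $native = if ([Environment]::Is64BitProcess) { 'System32' } else { 'Sysnative' }
    $views = [ordered]@{
        '64-bit' = Join-Path $root "$native\netsh.exe"
        '32-bit' = Join-Path $root 'SysWOW64\netsh.exe'
    }
    foreach ($name in $views.Keys) {
        $exe = $views[$name]
        if (-not (Test-Path -LiteralPath $exe)) {
            Write-Warning "$exe not found (is this a 32-bit OS?)"
            continue
        }
        # netsh output is localized, so compare normalized text instead of parsing fields.
        $lines = & $exe winhttp show proxy |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ }
        [pscustomobject]@{
            View     = $name
            Netsh    = $exe
            Settings = ($lines -join ' | ')
        }
    }
}

$result = @(Get-WinHttpProxyView)
$result | Format-List

if ($result.Count -eq 2 -and $result[0].Settings -ne $result[1].Settings) {
    Write-Warning ('WinHTTP proxy differs between the 64-bit and 32-bit views; ' +
                   '32-bit applications use the setting shown by the SysWOW64 netsh.')
}
```

A warning here means 32-bit processes such as the Cb Protection agent see a different WinHTTP proxy configuration than 64-bit processes on the same machine.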

Creation Date: 10-10-2016