EDR Hosted: Windows legacy OS sensors not connecting to EDR Hosted Server

Environment

  • EDR Hosted: All Versions
  • EDR Sensor: 6.2.1 and higher
  • Microsoft Windows: XP, Vista, Server 2003, Server 2008

Symptoms

  • Legacy OS sensors do not connect to EDR Hosted
  • Hresult in sensorcomms.log: 0x80072efe

Cause

Legacy Microsoft operating systems do not support the SHA2 certificate used by the sensor's WinHttp connection.

Resolution

  • For capable environments, such as Server 2008, enable TLS 1.2 communication
  • All other environments will have to use a sensor in the 6.1.x branch
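
The "enable TLS 1.2" step above, as an added example that is not part of the original article or the vendor's tooling. It assumes the Schannel and WinHTTP registry locations Microsoft documents for TLS 1.2 and that the OS already has TLS 1.2 support installed; the script, its `-Apply` switch and its function names are hypothetical.

```powershell
# Added example, not vendor code. Audits (default) or sets (-Apply) the registry
# values that turn on TLS 1.2 for Schannel clients and WinHTTP. Assumes the OS
# already has TLS 1.2 support installed; run elevated and reboot after -Apply.
param([switch]$Apply)

$TLS12    = 0x800   # DefaultSecureProtocols bit for TLS 1.2 (0x80 is TLS 1.0)
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$winhttp  = 'Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value is missing (PowerShell 2.0 safe).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Set-RegDword($Path, $Name, $Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Each check: where to look, what counts as correct, and the value to write.
$checks = @(
    @{ Path = $schannel; Name = 'Enabled';           Test = { $args[0] -ne 0 }; Fix = { 1 } },
    @{ Path = $schannel; Name = 'DisabledByDefault'; Test = { $args[0] -eq 0 }; Fix = { 0 } }
)
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    if (-not (Test-Path $root)) { continue }   # no Wow6432Node on 32-bit Windows
    $checks += @{ Path = "$root\$winhttp"; Name = 'DefaultSecureProtocols'
                  Test = { ($args[0] -band $TLS12) -ne 0 }
                  # Keep bits other software relies on; only add the TLS 1.2 bit.
                  Fix  = { [int]$args[0] -bor $TLS12 } }
}

$bad = 0
foreach ($c in $checks) {
    $cur = Get-RegValue $c.Path $c.Name
    $ok  = ($cur -ne $null) -and (& $c.Test $cur)
    if (-not $ok -and $Apply) {
        Set-RegDword $c.Path $c.Name (& $c.Fix $cur)
        $cur = Get-RegValue $c.Path $c.Name
        $ok  = ($cur -ne $null) -and (& $c.Test $cur)
    }
    if (-not $ok) { $bad++ }
    $shown  = if ($cur -eq $null) { '<not set>' } else { '0x{0:X}' -f $cur }
    $status = if ($ok) { 'OK  ' } else { 'FAIL' }
    '{0} {1} : {2} = {3}' -f $status, $c.Path, $c.Name, $shown
}
if ($bad) { exit 1 }   # non-zero exit lets a deployment tool flag the host
```

Where `DefaultSecureProtocols` was not set at all, `-Apply` writes 0x800, which limits WinHTTP's default protocols to TLS 1.2 for every application on the host, so check other WinHTTP clients before rolling it out.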

Additional Notes

  • TLS 1.0 is susceptible to man-in-the-middle attacks through vulnerabilities such as BEAST, POODLE, DROWN, etc. Because of these vulnerabilities, TLS 1.0 cannot be enabled on Cloud environments.
  • To establish a connection with the EDR Hosted Server safely, consider moving to a newer OS that supports a more recent cryptographic protocol (TLS 1.2).
  • Sensors 6.2.1 and above use a WinHttp connection in place of the previously used Curl. Connections using TLS 1.0 will not be able to connect on these sensor versions.
  • The WinHttp connection uses a SHA2 certificate for communication with the Hosted Server, which is not supported on Microsoft Windows XP, Vista, and Server 2003.

Article Information
Creation Date: 09-09-2020