EDR: Sensors offline with HTTP 400 error code

Environment

  • EDR Server: All Supported Versions
  • EDR Sensor: All Supported Versions

Symptoms

  • Sensors show offline in console
  • Sensor.log shows HTTP 400 error code for communication 
  • Sensorcomms.log shows HTTP 400 error code for registration and eventlog submissions

Cause

  • HTTP 400 is a 'Bad Message' rejection error from the NGINX web server, returned because the SSL certificates are not being authenticated successfully.

Resolution

  1. Validate that the registry key HKLM > Software > CarbonBlack > Config has the following values set correctly:
    1. SensorBackendServer key must use HTTPS and a valid DNS name or IP address and port
    2. SensorClientCert key must match the Sensor Group specific cert in the sensor_client_certs PSQL table:
       psql -d cb -p 5002 -c "select * from sensor_client_certs;" &> /tmp/sensor_client_certs.csv

 

Additional Notes

  • Examples of a valid SensorBackendServer value: https://1.2.3.4:443 or https://servername:443
  • Newer versions of the sensor no longer store the cert in the registry and use a certificate store instead
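
The registry checks from the Resolution steps can be scripted on the sensor host. The following is an added example, not part of the original article or the product: the helper name Test-SensorBackendServer is hypothetical, and because the article does not state the type of the SensorClientCert value, the script only reports whether it is present and leaves the comparison with sensor_client_certs manual.

```powershell
# Added example: run in an elevated PowerShell session on the affected Windows sensor host.
$keyPath = 'HKLM:\SOFTWARE\CarbonBlack\config'   # key named in Resolution step 1

# Hypothetical helper: emits one string per problem found in a SensorBackendServer value.
function Test-SensorBackendServer {
    param([string]$Value)
    $uri = $null
    if (-not [Uri]::TryCreate($Value, [UriKind]::Absolute, [ref]$uri)) {
        "not an absolute URL: '$Value'"
        return
    }
    if ($uri.Scheme -ne 'https') { "scheme is '$($uri.Scheme)', must be https" }
    # The article's valid examples carry an explicit port (https://servername:443).
    if ($Value -notmatch '^[a-z]+://[^/]+:\d+/?$') { 'no explicit port after the host' }
    # Hosts given as names must resolve; IP literals are accepted as-is.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($uri.Host, [ref]$ip)) {
        try { [void][System.Net.Dns]::GetHostAddresses($uri.Host) }
        catch { "DNS name '$($uri.Host)' does not resolve from this host" }
    }
}

$cfg = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
if (-not $cfg) {
    Write-Warning "Registry key $keyPath not found"
} else {
    $problems = @(Test-SensorBackendServer -Value ([string]$cfg.SensorBackendServer))
    if ($problems) {
        $problems | ForEach-Object { Write-Warning "SensorBackendServer: $_" }
    } else {
        Write-Output "SensorBackendServer OK: $($cfg.SensorBackendServer)"
    }

    $cert = $cfg.SensorClientCert
    if ($null -eq $cert) {
        # Per Additional Notes, newer sensors keep the cert in a certificate store instead.
        Write-Output 'SensorClientCert not present in the registry'
    } else {
        Write-Output "SensorClientCert present ($($cert.GetType().Name), length $($cert.Length)); compare with sensor_client_certs"
    }
}
```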

Creation Date: 09-09-2020