
Hosted EDR: Windows Sensor Version 7.4.0 Fails to Connect with Cert Pinning Error in Sensor.log

Environment

  • Hosted EDR: All Versions
  • EDR Sensor: 7.4.0
  • Microsoft Windows

Symptoms

  • A new installation, or an upgrade from an earlier version, of the Windows Sensor to version 7.4.0 fails to connect
  • C:\Windows\Carbonblack\sensor.log shows cert pinning errors
    Server cert pinning failed!!!! (Incoming Server Cert Thumbprint: "6F9658BEDF03F82CFF866ABC2A156444A8F89F18")

Cause

A change in the way the sensor sends header information, combined with the HEDR configuration, causes Nginx to return the WebUI certificate instead of the sensor-to-server certificate, so the sensor's certificate pin check rejects it and the handshake fails.
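To tell this known misconfiguration apart from any other pinning failure, an added diagnostic (not Carbon Black's code) scans sensor.log for the line quoted above, groups the presented thumbprints, and labels those that equal the WebUI certificate's SHA-1 thumbprint; it also includes a helper that fetches the thumbprint a server presents for a given SNI name. It assumes the thumbprint quoted in this article is the WebUI certificate's, and the sample log lines are constructed.

```python
import hashlib
import re
import socket
import ssl
from collections import Counter

# Matches the sensor.log line quoted in this article; thumbprints are 40 hex chars (SHA-1).
PIN_FAIL_RE = re.compile(
    r'Server cert pinning failed!+\s*\(Incoming Server Cert Thumbprint:\s*"([0-9A-Fa-f]{40})"\)'
)

def thumbprint(der_cert):
    """SHA-1 thumbprint of a DER-encoded certificate, upper-case hex as sensor.log prints it."""
    return hashlib.sha1(der_cert).hexdigest().upper()

def presented_thumbprint(host, port=443, server_hostname=None):
    """Thumbprint of the leaf certificate the server hands to a client using this SNI name.
    Verification is disabled on purpose: we only record which certificate is presented."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname or host) as tls:
            return thumbprint(tls.getpeercert(binary_form=True))

def pinning_failures(log_text):
    """Count how often each presented thumbprint appears in 'pinning failed' lines."""
    return Counter(m.group(1).upper() for m in PIN_FAIL_RE.finditer(log_text))

def classify(log_text, webui_thumbprint):
    """'webui-cert' = Nginx answered with the WebUI certificate (this article's issue);
    'unknown-cert' = some other certificate was presented and needs investigation."""
    expected = webui_thumbprint.upper()
    return {tp: ("webui-cert" if tp == expected else "unknown-cert")
            for tp in pinning_failures(log_text)}

# Constructed sensor.log excerpt: the first thumbprint is the one quoted in this article,
# the all-zero one is a made-up stand-in for an unexpected certificate.
SAMPLE_LOG = """\
2023-03-14 10:01:02 Server cert pinning failed!!!! (Incoming Server Cert Thumbprint: "6F9658BEDF03F82CFF866ABC2A156444A8F89F18")
2023-03-14 10:01:07 Server cert pinning failed!!!! (Incoming Server Cert Thumbprint: "6F9658BEDF03F82CFF866ABC2A156444A8F89F18")
2023-03-14 10:02:15 Server cert pinning failed!!!! (Incoming Server Cert Thumbprint: "0000000000000000000000000000000000000000")
"""

if __name__ == "__main__":
    # Assumed: the WebUI thumbprint was read from the browser's lock icon, as the article describes.
    print(classify(SAMPLE_LOG, "6f9658bedf03f82cff866abc2a156444a8f89f18"))
```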

Resolution

Reach out to support if many sensors are affected. Support can configure the HEDR server to use the sensor-to-server certificates, similar to a default on-prem EDR instance. While this change is enabled, the self-signed certificate causes a "this site is unsafe" warning in the browser. It can be enabled temporarily to let the sensors connect and downgrade to 7.3.2 or another version of your choice.
  1. Make sure each sensor group's upgrade policy is set to upgrade to the latest or a specific version.
  2. Groups with custom site throttling settings that limit package downloads can see slow downgrades and upgrades; keep in mind that the downgrade can fail if throttling is set too low.
  3. Give support an estimated time you would like this change to go live. The conversion does not cause downtime.

If this temporary workaround to downgrade sensors is not an option for your company, the sensor will need to be uninstalled and version 7.3.2 or lower installed until this issue is fixed.

Additional Notes

  • The 7.4.0 Windows sensor has been pulled from HEDR instances until this issue is corrected. Use 7.3.2 sensors for now.
  • Users will see a "this site is not safe" warning and must click to proceed; this is due to the use of the self-signed certificate.
  • If the login page shows a spinning wheel or a message instead of the login boxes, the browser has cached the CA-signed certificate. Clearing the cache and restarting the browser, or using incognito mode, will allow the user to log in. The user can confirm which certificate is in use by checking the lock icon next to the URL.
  • WebUI Message:
    You cannot visit <server> right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later
    1. Go to chrome://net-internals/#hsts
    2. Type your instance's FQDN into the "Delete domain security policies" section. Example - Domain: myserver.my.carbonblack.io
    3. You will now be able to accept the 

Article Information
Creation Date: 03-14-2023