Sensor Communication Blocked By CRL Checks And Cannot Reinstall Sensor
search cancel

Sensor Communication Blocked By CRL Checks And Cannot Reinstall Sensor

book

Article ID: 285042

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Endpoint Standard Sensor not able to connect to CBC
  • SChannel errors show in Event Viewer Application Logs
  • The Firewall is not configured to allow communication for CRL checking
  • A Wireshark/pcap will show a 15-16 second delay between "client hello" and "server hello" indicating a the 15-second CRL timeout has occurred. 

Environment

  • Endpoint Standard Sensor: 3.3. and later versions
  • Carbon Black Cloud Console: All Versions
  • Microsoft Windows: All Supported Versions

Cause

CRL checking by the Sensor is being blocked

Resolution

Options:

  1. For sensor 3.8.0.722 and higher review How to Adjust CRL checking for Best Effort 
  2. Sensor 3.4.0.925 and higher
    1. Upgrade Sensor to 3.4.0.925 or higher if using an older sensor version
    2. Put the Sensor in Bypass mode
    3. Locate your cfg.ini file using this KB
    4. Edit the file cfg.ini with this line at the end of file
      CurlCrlCheck=false
    5. Save and close cfg.ini 
    6. Load changes
      "C:\Program Files\Confer\RepCLI.exe" updateconfig
    7. Bring Sensor out of Bypass
    8. Check PSC Console for normal sensor communications, like check-ins and events

Additional Information