Remediating ManifestDownloadFailure alarms (Windows)

Article ID: 285081

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Steps for correcting failures of Windows sensors to download content manifest data from content.carbonblack.io after a related alert has been received.

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard
    • Enterprise EDR
    • Audit & Remediation
    • Workload
  • Carbon Black Cloud Sensor: 3.6.0.x and Higher
  • Microsoft Windows: All Supported Versions

Resolution

  1. Check access to content.carbonblack.io from the endpoint
  2. Verify that any configured proxy or firewall allows outbound (endpoint to cloud) communication
    URL                      Port      Direction   SSL Inspection
    content.carbonblack.io   TCP/443   Outbound    Disabled
  3. If the steps above do not correct the issue, use PowerShell to verify that at least one of the supported TLS cipher suites is enabled
    1. Check whether a cipher suite is enabled, by name
      C:\> Get-TlsCipherSuite -Name <Cipher_Suite_Name>
      If nothing is returned, the cipher suite is not enabled

      Example with a TLS 1.2/FIPS-compliant cipher suite
      C:\> Get-TlsCipherSuite -Name TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    2. Check all enabled cipher suites
      C:\> Get-TlsCipherSuite | foreach {$_.Name}
    3. Enable cipher suites
      C:\> Enable-TlsCipherSuite -Name <Cipher_Suite_Name>

      Example with a TLS 1.2/FIPS-compliant cipher suite
      C:\> Enable-TlsCipherSuite -Name TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  4. Check the status of manifest downloads
  5. If the count of ManifestDownloadFailure alarms continues to increase and/or 'Last Manifest Content Update Time' does not get set or updated, please open a case with Carbon Black Technical Support and provide:
    Org Key
    Hostname
    Verification of access from step 1
    Configuration information of firewall/proxy exclusion from step 2
    Firewall/proxy logs with any errors in communicating with content.carbonblack.io
    Output of step 4 above
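
The checks in steps 1 to 3 can be gathered in one pass for the support case. The PowerShell below is an added example, not Carbon Black tooling; the function names are hypothetical, and the candidate suite list holds only the suite named in this article, so extend it from the vendor's supported list.

```powershell
param(
    [string]$ContentHost = 'content.carbonblack.io',
    # Assumption: only the suite named in this article is listed here;
    # add the other suites from the vendor's supported list.
    [string[]]$CandidateSuites = @('TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384')
)

# Step 3: return the candidate suites that are enabled on this host.
function Get-EnabledCandidateSuite {
    param([string[]]$Names)
    # -Name matches partial names, so compare the returned names exactly.
    $Names | Where-Object { (Get-TlsCipherSuite -Name $_).Name -contains $_ }
}

# Steps 1-2: direct TLS handshake on TCP/443 (does not use an explicit proxy).
# An Issuer naming a proxy or firewall CA means SSL inspection is still applied.
function Get-TlsHandshakeInfo {
    param([string]$HostName, [int]$Port = 443)
    $result = [ordered]@{ Connected = $false; Protocol = $null; Issuer = $null; Error = $null }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        $result.Connected = $true
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $result.Protocol = $ssl.SslProtocol
            $result.Issuer   = $ssl.RemoteCertificate.Issuer
        } finally { $ssl.Dispose() }
    } catch {
        $result.Error = $_.Exception.Message   # TCP or TLS failure text for the case
    } finally { $client.Dispose() }
    [pscustomobject]$result
}

$tls     = Get-TlsHandshakeInfo -HostName $ContentHost
$enabled = @(Get-EnabledCandidateSuite -Names $CandidateSuites)
[pscustomobject]@{
    Hostname       = $env:COMPUTERNAME
    TcpConnected   = $tls.Connected
    TlsProtocol    = $tls.Protocol
    CertIssuer     = $tls.Issuer
    HandshakeError = $tls.Error
    EnabledSuites  = $enabled -join ', '
    SuiteCheckOk   = $enabled.Count -gt 0
} | Format-List
```

A connected socket with a handshake error and `SuiteCheckOk : False` points at step 3; a successful handshake whose issuer is an internal CA points at the SSL inspection exclusion in step 2.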

Additional Information

  • There is no need to perform these steps unless directed to do so by a CB Analytics Alert in the Carbon Black Cloud Console or by a member of VMware Carbon Black Technical Support
  • If using third-party apps or software to manage your cipher suites, please follow any and all vendor guidance
  • If the alert is older than 24 hours, there is no action needed, as there are no devices reporting the alarm