Carbon Black Cloud Endpoint Standard (formerly Cb Defense)Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Provide steps for correcting issues for Windows Sensors with downloading of content manifest data from content.carbonblack.io after receiving a related Alert
C:\> Get-TlsCipherSuite -Name <Cipher_Suite_Name>
If nothing is returned the cipher suite is not enabled
Example with TLS 1.2/FIPs compliant cipher suite
C:\> Get-TlsCipherSuite -Name TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Check all enabled cipher suites
C:\> Get-TlsCipherSuite | foreach {$_.Name}
Enable cipher suites
C:\> Enable-TlsCipherSuite -Name <Cipher_Suite_Name>
Example with TLS1.2 and FIPs compliant Cipher Suite
C:\> Enable-TlsCipherSuite -Name TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
If the count of ManifestDownloadFailure alarms continues to increase and/or 'Last Manifest Content Update Time' does not get set or updated, please open a case with Carbon Black Technical Support and provide
Org Key
Hostname
Verification of access from step 1
Configuration information of firewall/proxy exclusion from step 2
Firewall/proxy logs with any errors in communicating with content.carbonblack.io
Output of step 4 above
Additional Information
There is no need to perform these steps unless directed to do so by a CB Analytics Alert in the Carbon Black Cloud Console or by a member of VMware Carbon Black Technical Support
If using 3rd Party Apps/Software to manage your Cipher Suites, please follow any and all Vendor guidance
If the alert is older than 24 hours there is no action needed as there are no devices reporting the alarm