• An new installation or upgrade from an earlier versions of the Windows Sensor to Windows Sensor version 7.4.0 is failing to connect
• C:\Windows\Carbonblack\sensor.log shows cert pinning errors

  Server cert pinning failed!!!! (Incoming Server Cert Thumbprint: "6F9658BEDF03F82CFF866ABC2A156444A8F89F18")

• Hosted EDR: All Versions
• EDR Sensor: 7.4.0
• Microsoft Windows

A change in the way the sensor sends header information and the configurations for HEDR make Nginx return the WebUI certificate instead of the Sensor to Server Certificate, causing the handshake to fail.

Please reach out to support if you have many sensors affected. Support can configure the HEDR server to use the sensor to server certificates similar to a default EDR on-prem instance. The self signed certificate will cause a "this site is unsafe" message in the browser while this change is enabled. This can be done temporarily to allow the sensors to connect up and downgrade to 7.3.2 or another version of your choice.

1. Please make sure to set your sensor groups upgrade policy to upgrade to latest or specific version. 
2. Groups that have custom site throttling settings that limit the package download can result in slow downgrade and upgrades, please keep this in mind as the downgrade can fail if throttling is set too low. 
3. Give support an estimated time you would like this change live. The conversion will not create downtime

If this temporary workaround to downgrade sensors is not an option for your company, the sensor will need to be uninstalled and a 7.3.2 or lower version will need to be installed until this can be fixed. 

• The 7.4.0 Windows sensor has been pulled from HEDR instances until this issue is corrected. Please use 7.3.2 sensors for now. 
• Users will experience a "this site is not safe" and must click to proceed, this is due to the use of the self signed cert
• Logging in has a spinning wheel or shows a message instead of the login boxes, this is due to caching of the CA signed certificate. Clearing cache and restarting the browser or using incognito mode will allow the user to log in. User can confirm which certificate it is by checking the lock next to the URL
• WebUI Message:

  You cannot visit <server> right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later

  1. Go to chrome://net-internals/#hsts
  2. Type in your instances FQDN into the "Delete domain security policies" section. Example - Domain: myserver.my.carbonblack.io
  3. You will now be able to accept the