App Control: Performance Impacts Due to Certificate Validation



Article ID: 286526


Updated On:


Carbon Black App Control (formerly Cb Protection)


  • Events similar to: Excessive certificate validation Time[5min 1sec] 
  • Extremely slow Agent initialization due to certificate validation failure


  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions


Agents running in an air-gapped (or otherwise limited Internet) environment cause certificate validation failures, which in turn delay the initialization process.


Consider disabling Revocation Checks in the Console > System Configuration > Advanced Options.

Additional Information

  • Checking certificates requires that queries be run over the Internet. In an offline environment, online revocation checking will never succeed.
  • Online OCSP requests to check for revocation, while resource-intensive, are a critical piece that ensures the Agent has the most up-to-date validity information regarding the certificate in question.
  • If a certificate is compromised and revoked by its author, it is critical that Agents are notified of this change in trust. Without it, new malicious files signed by the compromised certificate could be Approved.
  • For an air-gapped environment, it is recommended to set up PKI such that Agents can trust the locally cached information on the endpoint, or funnel through a network product that can do the caching and revocation checking on behalf of the endpoint without leaving the local network.
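
To see which endpoints are actually hitting long validation times before changing the revocation setting, the event text quoted in this article can be parsed out of an event export. This is an added example, not Carbon Black code; the CSV column names, host names and the 60-second threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Matches the duration in the event text quoted in this article, e.g. "Time[5min 1sec]".
# Assumption: minutes and seconds are each optional; other units are not handled.
DURATION_RE = re.compile(
    r"Excessive certificate validation Time\[\s*(?:(\d+)\s*min)?\s*(?:(\d+)\s*sec)?\s*\]",
    re.IGNORECASE,
)

def validation_seconds(description):
    """Return the validation time in seconds, or None if the text is not this event."""
    m = DURATION_RE.search(description)
    if not m or (m.group(1) is None and m.group(2) is None):
        return None
    return int(m.group(1) or 0) * 60 + int(m.group(2) or 0)

def slow_validation_by_computer(csv_text, threshold_s=60):
    """Group matching events by computer; keep computers whose worst time >= threshold."""
    times = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        secs = validation_seconds(row["description"])
        if secs is not None:
            times[row["computer"]].append(secs)
    report = {
        host: {"events": len(v), "max_s": max(v), "total_s": sum(v)}
        for host, v in times.items() if max(v) >= threshold_s
    }
    # Worst-affected endpoints first (by total time lost to validation).
    return dict(sorted(report.items(), key=lambda kv: kv[1]["total_s"], reverse=True))

# Constructed sample export (hypothetical column names and host names).
SAMPLE = """timestamp,computer,description
2024-01-01T08:00:00Z,LAB\\HMI-01,Excessive certificate validation Time[5min 1sec]
2024-01-01T08:07:00Z,LAB\\HMI-01,Excessive certificate validation Time[4min 58sec]
2024-01-01T08:09:00Z,LAB\\ENG-02,Excessive certificate validation Time[45sec]
2024-01-01T08:10:00Z,CORP\\WS-17,File approved by publisher
2024-01-01T08:12:00Z,LAB\\HIST-03,Excessive certificate validation Time[2min]
"""

if __name__ == "__main__":
    for host, stats in slow_validation_by_computer(SAMPLE).items():
        print(f"{host}: {stats['events']} event(s), worst {stats['max_s']}s, total {stats['total_s']}s")
```

If the affected hosts all sit in the offline segment, that supports scoping any revocation-check change or local caching work to that segment.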