Troubleshooting CPE & CVE Sync Issues

Article ID: 286592

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

This article describes how to troubleshoot Common Platform Enumeration (CPE) and Common Vulnerabilities and Exposures (CVE) sync issues.

Environment

  • App Control Server: Version 8.10.2 and Higher

Resolution

NIST deprecated the API used by Server versions 8.8.0 - 8.10.0.
An upgrade to Server 8.10.2+ is required to use this feature.

  1. Verify the CPE Applications feature has been fully configured and enabled. 
  2. In Reports > Events, add a Filter for Type > Is: CPE Management and review the Errors.
  3. Verify the network requirements to the remote NIST API:
    • If SSL/Packet Inspection is enabled, add an exception for the communication to/from services.nvd.nist.gov to prevent rejection of modified packets.
    • Use PowerShell from the application server to test communication to the NVD website on Port 443:
      TNC -ComputerName services.nvd.nist.gov -Port 443
  4. Verify the CPE and CVE settings:
    • Reset the CPE and CVE URLs to the default locations, and attempt a manual sync.
    • If an NVD API Key was specified, try removing the API Key, and attempt a manual sync.
  5. Restart the App Control Reporter service.
  6. Use Postman from the application server to pull sample data from the NIST API (Example with the App Control API).
  7. Reset the CPE Data and download a fresh copy of the NIST CPE Library.
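
The network checks in steps 3 and 6 can also be run as one PowerShell script from the application server. This is an added example, not Broadcom's or the product's own code; the NVD API 2.0 paths, the `apiKey` header and the variable names are assumptions, and the URLs configured in your console may differ.

```powershell
# Added example: connectivity checks against the NVD host named in this article.
# Assumption: the NVD API 2.0 paths below; the URLs set in your console may differ.
$NvdHost = 'services.nvd.nist.gov'
$Endpoints = @(
    "https://$NvdHost/rest/json/cpes/2.0?resultsPerPage=1",
    "https://$NvdHost/rest/json/cves/2.0?resultsPerPage=1"
)
$ApiKey = ''          # optional; leave empty to test without a key (step 4)
$DelaySeconds = 6     # mirrors the default CPEDelayBetweenRequests

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 1. TCP reachability on port 443
$tcp = Test-NetConnection -ComputerName $NvdHost -Port 443
"TCP 443 reachable: $($tcp.TcpTestSucceeded) (remote $($tcp.RemoteAddress))"

# 2. Show who issued the certificate actually presented to this server.
#    An internal CA or proxy name as issuer means SSL inspection is still in the path.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($NvdHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    $tls12 = [System.Security.Authentication.SslProtocols]::Tls12
    $ssl.AuthenticateAsClient($NvdHost, $null, $tls12, $false)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "TLS protocol: $($ssl.SslProtocol)"
    "Cert subject: $($cert.Subject)"
    "Cert issuer : $($cert.Issuer)"
    $ssl.Dispose()
} catch {
    "TLS handshake failed: $($_.Exception.Message)"
} finally {
    $client.Close()
}

# 3. Pull one record from each endpoint, pausing between requests
$headers = @{}
if ($ApiKey) { $headers['apiKey'] = $ApiKey }
foreach ($url in $Endpoints) {
    try {
        $r = Invoke-RestMethod -Uri $url -Headers $headers -TimeoutSec 60
        "OK   $url -> totalResults=$($r.totalResults)"
    } catch {
        $status = $null
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        "FAIL $url -> HTTP $status : $($_.Exception.Message)"
    }
    Start-Sleep -Seconds $DelaySeconds
}
```

Run it as the account the App Control services use where possible, since proxy and certificate trust settings can differ per account.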

If the issue persists, please:

  1. Start a Wireshark Capture on the application server hosting the Console.
  2. Start the Server High Debug Logging.
  3. Start a manual sync, wait 10 minutes, then capture & provide the resulting logs to Support.

Additional Information

  • This feature is not supported if the App Control Server is installed on Windows Server 2012.
  • This feature relies upon communication between the application server and (by default) the NVD services owned by NIST.
  • By default, the delay between API requests for the CPE Sync is 6 seconds (Shepherd Config: CPEDelayBetweenRequests).
  • If an error is encountered on the remote CPE site, this delay is increased to 60 seconds (Shepherd Config: CPEDelayBetweenFailedRequests).