App Control: Why Are Agents Reaching Out to Online Network Locations?
Article ID: 286633
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Why does App Control randomly reach out to online network locations?
Environment
- App Control Agent: All Supported Versions
- App Control Server: All Supported Versions
Resolution
- The Agent is designed to utilize the Windows Cryptographic API to validate certificates used to sign files.
- Regardless of whether Agent-based certificate revocation checks are enabled, the App Control Server validates certificates in its inventory on a recurring basis to make sure they have not been revoked. This validation generally occurs on a weekly basis and involves downloading Certificate Revocation Lists (CRLs) from Registration Authorities, or making Online Certificate Status Protocol (OCSP) calls to OCSP responders.
- This communication by the Agent/Server will require the endpoint communicating with theĀ Certificate Authority (CA).
- The URL and Port combination required for this communication is determined by the CA and specified in theĀ CRL Distribution Point.
Additional Information
- By default the Agent initiates a request to validate the certificates on the endpoint every 24 hours.
- If necessary, the Windows CAPI2 Logging can be configured to verify this is initiated by the Agent.
- If the endpoint is unable to complete these certificate verifications the Agent might block execution of software by Approved Publishers.
- More information on this can be found in the User Guide chapter, "Approving and Banning Software".
Feedback
Yes
No
Powered by
