Why Do the Agents & Server Seem to be Reaching Out to Unknown IP Addresses?
Article ID: 286771
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Why are the Agents and the Server seem to be reaching out to unknown IP Addresses?
Environment
- App Control Server: All Supported Versions
- App Control Agent: All Supported Versions
- Microsoft Windows; All Supported Versions
Resolution
This will occur when the Server or Agent uses the Microsoft CrytoAPI to perform local certificate and publisher validation requests. This is expected behavior.
Additional Information
- The App Control server will also reach out in order to verify certificate information once per week to various CRLs
- If needed Capi logging can be enabled per this article to identify CryptoAPI traffic
- More information is available in the User Guide:
Note: Regardless of whether agent-based certificate revocation checks are enabled, the Carbon Black App Control Server validates certificates in its inventory on a recurring basis to make sure that they have not been revoked. This validation generally occurs on a weekly basis and involves downloading certificate revocation lists (CRLs) from registration authorities or making Online Certificate Status Protocol (OCSP) calls to OCSP responders. These downloads can involve a variety of sites in a variety of countries. Server-based validation checks inform administrators when the status of a certificate changes, but they do not affect enforcement of rules. Enable agent-based revocation checks if you want revocations to affect rule behavior.
Feedback
Yes
No
Powered by
