Why Do the Agents & Server Seem to be Reaching Out to Unknown IP Addresses?
Article ID: 286771
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Why do the Agents and the Server seem to be reaching out to unknown IP addresses?
Environment
App Control Server: All Supported Versions
App Control Agent: All Supported Versions
Microsoft Windows: All Supported Versions
Resolution
This occurs when the Server or Agent uses the Microsoft CryptoAPI to perform local certificate and publisher validation requests. This is expected behavior.
Additional Information
The App Control Server will also reach out to various CRLs once per week in order to verify certificate information.
If needed, CAPI logging can be enabled per this article to identify CryptoAPI traffic.
Note: Regardless of whether agent-based certificate revocation checks are enabled, the Carbon Black
App Control Server validates certificates in its inventory on a recurring basis to make
sure that they have not been revoked. This validation generally occurs on a weekly basis and
involves downloading certificate revocation lists (CRLs) from registration authorities or making
Online Certificate Status Protocol (OCSP) calls to OCSP responders. These downloads can involve
a variety of sites in a variety of countries.
Server-based validation checks inform administrators when the status of a certificate changes,
but they do not affect enforcement of rules. Enable agent-based revocation checks if you want
revocations to affect rule behavior.
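
To match an unfamiliar destination in firewall or proxy logs to this behavior, it helps to list the CRL and OCSP endpoints named in the certificates being validated. The following PowerShell is an added example, not Carbon Black or Microsoft code. The default file path, the `-Resolve` switch and the reliance on the `URL=` text produced by the Windows extension formatter are assumptions of this example.

```powershell
# Added example (not vendor code): list the CRL and AIA/OCSP endpoints named in a
# signed file's certificate chain, i.e. the hosts CryptoAPI may contact to validate it.
param(
    [string]$Path = "$env:WINDIR\explorer.exe",  # assumption: any Authenticode-signed file
    [switch]$Resolve                              # also resolve hosts to IPs (needs DNS)
)

$oids = @{
    '2.5.29.31'         = 'CRL Distribution Point'
    '1.3.6.1.5.5.7.1.1' = 'Authority Info Access (OCSP / CA Issuers)'
}

$sig = Get-AuthenticodeSignature -FilePath $Path
if (-not $sig.SignerCertificate) { throw "No signer certificate found for $Path" }

# Revocation checking is switched off so this script does not itself
# request CRLs or OCSP responses while building the chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$null = $chain.Build($sig.SignerCertificate)

$rows = foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    foreach ($ext in $cert.Extensions) {
        if (-not $oids.ContainsKey($ext.Oid.Value)) { continue }
        # Format() renders the extension as text; each endpoint appears as "URL=<uri>".
        foreach ($m in [regex]::Matches($ext.Format($false), 'URL=(https?://[^\s,]+)')) {
            $url = $m.Groups[1].Value
            [pscustomobject]@{
                Subject  = $cert.GetNameInfo('SimpleName', $false)
                Source   = $oids[$ext.Oid.Value]
                Url      = $url
                HostName = ([uri]$url).Host
            }
        }
    }
}

$rows = $rows | Sort-Object Subject, Url -Unique
if ($Resolve) {
    # Optional: map each host to its current A records for comparison with firewall logs.
    $rows | ForEach-Object {
        $ips = (Resolve-DnsName -Name $_.HostName -Type A -ErrorAction SilentlyContinue).IPAddress
        $_ | Add-Member -NotePropertyName IPs -NotePropertyValue ($ips -join ', ') -PassThru
    }
} else { $rows }
```

Many of these hosts sit behind content delivery networks, so the resolved addresses vary by location and over time; compare on host name where the logs allow it.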