Why Do the Agents & Server Seem to be Reaching Out to Unknown IP Addresses?



Article ID: 286771


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Why do the Agents and the Server seem to be reaching out to unknown IP addresses?

Environment

  • App Control Server: All Supported Versions
  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

This occurs when the Server or Agent uses the Microsoft CryptoAPI to perform local certificate and publisher validation requests, which in turn contact the certificate's CRL Distribution Points or OCSP responders. This is expected behavior.

Additional Information

  • The App Control Server also reaches out once per week to various CRL Distribution Points to verify certificate information.
  • If needed, CAPI logging can be enabled per this article to identify CryptoAPI traffic.
  • The specific URL or port will vary depending on the CRL Distribution Point named in each certificate.
  • More information is available in the User Guide:
    Note: Regardless of whether agent-based certificate revocation checks are enabled, the Carbon Black 
    App Control Server validates certificates in its inventory on a recurring basis to make
    sure that they have not been revoked. This validation generally occurs on a weekly basis and
    involves downloading certificate revocation lists (CRLs) from registration authorities or making
    Online Certificate Status Protocol (OCSP) calls to OCSP responders. These downloads can involve
    a variety of sites in a variety of countries.
    
    Server-based validation checks inform administrators when the status of a certificate changes,
    but they do not affect enforcement of rules. Enable agent-based revocation checks if you want
    revocations to affect rule behavior.
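To confirm that an unknown destination is one of these revocation-check endpoints, the CRL Distribution Point and Authority Information Access (OCSP) URLs can be read straight out of the signing certificate chain of the file being validated and resolved to IP addresses. The following PowerShell is an added example and not part of the KB article or the App Control product; it assumes Windows PowerShell 5.1 or later and a signed binary path (notepad.exe is used only as a sample).

```powershell
# Added example (not from the KB article): list the CRL and OCSP URLs embedded in the
# Authenticode signing chain of a file and resolve them, so an "unknown" outbound IP
# seen from the Agent or Server can be matched to an expected revocation check.
$Path = "$env:SystemRoot\System32\notepad.exe"   # sample input; any signed file works

function Get-RevocationEndpoints {
    param([Parameter(Mandatory)][string]$FilePath)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    if (-not $sig.SignerCertificate) { throw "No Authenticode signature on $FilePath" }

    # Build the full chain: CDP/AIA URLs appear on intermediates as well as the leaf.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain only; no network traffic here
    [void]$chain.Build($sig.SignerCertificate)

    foreach ($el in $chain.ChainElements) {
        $cert = $el.Certificate
        foreach ($ext in $cert.Extensions) {
            # 2.5.29.31 = CRL Distribution Points; 1.3.6.1.5.5.7.1.1 = Authority Information Access
            if ($ext.Oid.Value -notin '2.5.29.31', '1.3.6.1.5.5.7.1.1') { continue }
            $text = $ext.Format($false)   # single-line textual decode of the extension
            foreach ($m in [regex]::Matches($text, 'https?://[^\s,)]+')) {
                [pscustomobject]@{
                    Subject = $cert.Subject
                    Kind    = if ($ext.Oid.Value -eq '2.5.29.31') { 'CRL' } else { 'AIA/OCSP' }
                    Url     = $m.Value
                    Host    = ([uri]$m.Value).Host
                }
            }
        }
    }
}

$endpoints = Get-RevocationEndpoints -FilePath $Path | Sort-Object Url -Unique
foreach ($e in $endpoints) {
    # Resolve each host so the result can be compared against firewall or proxy logs.
    $ips = try { (Resolve-DnsName -Name $e.Host -Type A -ErrorAction Stop).IPAddress -join ', ' }
           catch { 'unresolved' }
    '{0,-8} {1,-60} {2}' -f $e.Kind, $e.Url, $ips
}
```

CRL and OCSP endpoints are served over plain HTTP by design (the data is signed), so the matched traffic is normally on port 80 to the hosts listed; a destination that matches none of the chains in your inventory warrants a closer look rather than an allow-list entry.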