EDR Sensor: Windows events take days to check in after fresh install

Article ID: 287787


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • After installation, the sensors may take days to check in to the server.
  • There is a delay in the Event and Binary data.
  • Errors seen in the sensor.log: 
    2019-03-05 14:18:26 (e): WinHttpSendRequest() failed: WinError[0x00002EFD] 
    2019-03-05 14:18:26 (e): Unable to complete request from HTTP transaction 
    2019-03-05 14:18:26 (w): Failed to registerHTTPCode[2147954429] HrError[0x80072EFD] 
    2019-03-05 14:18:26 (i): failed to register HrError[0x80072EFD] 
    2019-03-05 14:18:26 (w): Unable to properly synch with server HrError[0x80072EFD] 
    2019-03-05 14:18:26 (w): WinHTTP could not connect to backend. Data upload backoff is set for 60 seconds

Environment

  • EDR Sensor: 6.1.X and higher
  • Microsoft Windows: Server 2012, Windows 10

Cause

A client-side SSL inspector or appliance may be interfering with sensor communication to the EDR Server.

Resolution

Confirm there are no appliances or firewalls that would interfere with the sensor traffic up to the EDR Server.

Additional Information

  • Translation of the HR errors found:
    Facility: 7 (Win32) Code: 12029 (0x00002EFD)
    WinHTTP Error - ERROR_WINHTTP_CANNOT_CONNECT - Returned if connection to the server failed.

    Facility: 7 (Win32) Code: 12030 (0x00002EFE)
    WinHTTP Error - ERROR_WINHTTP_CONNECTION_ERROR - The connection with the server has been reset or terminated, or an incompatible SSL protocol was encountered. For example, WinHTTP version 5.1 does not support SSL2 unless the client specifically enables it.
  • Default port for Sensor/Server communication is 443.
  • From the User Guide, page 29: "Sensor communication through an SSL intercept/decryption device is not currently supported, even for in-line proxy configurations."
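
The HrError translation above can be applied to a whole sensor.log to see how often each WinHTTP connection failure occurs. The following is an added example, not part of the original article or the product: the function names are hypothetical, and the last sample line is constructed to show the 12030 case.

```python
import re
from collections import Counter

# WinHTTP codes translated in this article (Facility 7 = Win32).
WINHTTP_ERRORS = {
    12029: "ERROR_WINHTTP_CANNOT_CONNECT",
    12030: "ERROR_WINHTTP_CONNECTION_ERROR",
}
FACILITY_WIN32 = 7

# Matches the WinError[0x...] and HrError[0x...] fields seen in sensor.log.
ERROR_FIELD = re.compile(r"\b(WinError|HrError)\[0x([0-9A-Fa-f]{8})\]")

def decode(kind, value):
    """Return (facility, code) for a WinError or HrError value."""
    if kind == "HrError" and value & 0x80000000:   # failure HRESULT
        return (value >> 16) & 0x1FFF, value & 0xFFFF
    return FACILITY_WIN32, value & 0xFFFF          # plain Win32 error code

def summarize(lines):
    """Count the WinHTTP connection errors named above across log lines."""
    counts = Counter()
    for line in lines:
        for kind, hexval in ERROR_FIELD.findall(line):
            facility, code = decode(kind, int(hexval, 16))
            if facility == FACILITY_WIN32 and code in WINHTTP_ERRORS:
                counts[WINHTTP_ERRORS[code]] += 1
    return counts

# First six lines are the log excerpt from this article; the seventh is
# constructed for illustration (0x80072EFE = Win32 code 12030).
SAMPLE = [
    "2019-03-05 14:18:26 (e): WinHttpSendRequest() failed: WinError[0x00002EFD]",
    "2019-03-05 14:18:26 (e): Unable to complete request from HTTP transaction",
    "2019-03-05 14:18:26 (w): Failed to registerHTTPCode[2147954429] HrError[0x80072EFD]",
    "2019-03-05 14:18:26 (i): failed to register HrError[0x80072EFD]",
    "2019-03-05 14:18:26 (w): Unable to properly synch with server HrError[0x80072EFD]",
    "2019-03-05 14:18:26 (w): WinHTTP could not connect to backend. Data upload backoff is set for 60 seconds",
    "2019-03-05 14:19:26 (w): Unable to properly synch with server HrError[0x80072EFE]",
]

if __name__ == "__main__":
    for name, count in summarize(SAMPLE).most_common():
        print(f"{name}: {count}")
```

The decimal HTTPCode[2147954429] in the log is the same value as HrError[0x80072EFD], so it is not counted separately.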