EDR: Process analysis page is returning: Remote IP: 0.0.0.0

Article ID: 288248


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Process analysis / Network connection event (netconn) is showing the remote IP address as 0.0.0.0.
  • There is a proxy between the Sensor and the CB Response Server.

Environment

  • EDR Windows Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

  • IPv4 connections made through a proxy server show up in the Server UI with their remote IP field empty. The remote ports and domain names, however, are populated correctly.

Resolution

  1. This will be addressed in a future server-side release and is tracked via internal ticket CB-25085. This page will be updated with the server-side release version once it is known.

Additional Information

  • This issue is reproducible across all of our supported sensor versions.
  • Reproduction steps (for Win10):
    • Prepare a test VM with the sensor installed (6.1.6 in our test).
    • Open the Win 10 Settings window.
    • Go to Network & Internet --> Proxy
    • Under 'Manual proxy setup' toggle on the 'Use a proxy server' switch.
    • Enter the proxy address and port (http://qalabproxy.qalab.local:3128) and click Save.
    • Open any browser and navigate to any site.
    • Go to the server UI and search for the browser process you just ran.
  • Current Result:
    The netconn events for all of the connections correctly populate all local and proxy metadata; however, the remote IP for every connection is always reported as '0.0.0.0'.
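
Added example (not part of the original article and not Carbon Black code): while the remote IP is reported as 0.0.0.0, indicator matching on IP addresses cannot see proxied connections, so this Python example falls back to the domain field, which the article says is still populated, and lists events that carry neither value. The record layout and field names (remote_ip, domain, proxy_ip and so on) are assumptions, not the EDR export schema, and the sample events are constructed.

```python
import ipaddress

# Constructed sample netconn records. Field names are hypothetical,
# not the Carbon Black EDR schema; addresses use documentation ranges.
SAMPLE_EVENTS = [
    {"process": "chrome.exe", "remote_ip": "0.0.0.0", "remote_port": 443,
     "domain": "bad.example.net", "proxy_ip": "192.0.2.10", "proxy_port": 3128},
    {"process": "chrome.exe", "remote_ip": "0.0.0.0", "remote_port": 443,
     "domain": "www.example.com", "proxy_ip": "192.0.2.10", "proxy_port": 3128},
    {"process": "svchost.exe", "remote_ip": "203.0.113.7", "remote_port": 80,
     "domain": "update.example.org", "proxy_ip": None, "proxy_port": None},
    {"process": "msedge.exe", "remote_ip": "", "remote_port": 443,
     "domain": "", "proxy_ip": "192.0.2.10", "proxy_port": 3128},
]


def remote_ip_missing(value):
    """True when the remote IP is empty, unparsable or the unspecified address."""
    try:
        return ipaddress.ip_address(value or "").is_unspecified
    except ValueError:
        return True


def triage(events, ip_iocs, domain_iocs):
    """Match on remote IP when it is usable, otherwise on domain.

    Returns (hits, blind): hits are (process, indicator_type, value) tuples,
    blind holds events with no usable remote IP and no domain to match on.
    """
    hits, blind = [], []
    for ev in events:
        domain = (ev.get("domain") or "").lower().rstrip(".")
        ip_missing = remote_ip_missing(ev.get("remote_ip"))
        if not ip_missing and ev["remote_ip"] in ip_iocs:
            hits.append((ev["process"], "ip", ev["remote_ip"]))
        elif domain in domain_iocs:
            hits.append((ev["process"], "domain", domain))
        elif ip_missing and not domain:
            blind.append(ev)  # no remote identifier at all in this record
    return hits, blind


if __name__ == "__main__":
    found, unmatched = triage(SAMPLE_EVENTS, {"203.0.113.7"}, {"bad.example.net"})
    for process, kind, value in found:
        print(f"HIT  {process}: {kind} indicator {value}")
    for ev in unmatched:
        print(f"BLIND {ev['process']} via proxy {ev['proxy_ip']}:{ev['proxy_port']}")
```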