EDR: Process analysis page is returning: Remote IP: 0.0.0.0
Article ID: 288248
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Process analysis / Network connection event (netconn) is showing the remote IP address as 0.0.0.0.
There is a proxy between the Sensor and the CB Response Server.
Environment
EDR Windows Sensor: All Supported Versions
Microsoft Windows: All Supported Versions
Cause
IPv4 connections made through a proxy server show up in the Server UI with their remote IP field empty. The remote ports and domain names, however, are populated correctly.
Resolution
This will be addressed in a future server-side release and is tracked via internal ticket CB-25085. This page will be updated with the server-side release version once it is known.
Additional Information
This issue is reproducible across all of our supported sensor versions.
Reproduction steps (for Win10):
Have your test VM with the sensor installed (6.1.6 for our test).
Open the Win 10 Settings window.
Go to Network & Internet --> Proxy
Under 'Manual proxy setup' toggle on the 'Use a proxy server' switch.
Go to the server UI and search for the browser process you just ran.
Current Result: The netconn events for all connections correctly populate all local and proxy metadata; however, the remote IP for every connection is always reported as '0.0.0.0'.
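Until the server-side fix ships, indicator matching that keys only on the remote IP will skip every proxied connection. The following is an added example, not code from this article or from the product: it flags netconn records showing this symptom and falls back to the domain name for matching. The record field names, sample records and indicator values are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample netconn records. Field names are assumptions for this
# example and are not taken from the article or a documented product schema.
SAMPLE_NETCONNS = [
    {"remote_ip": "0.0.0.0", "remote_port": 443, "domain": "updates.example.com",
     "proxy_ip": "10.0.0.8", "proxy_port": 3128},
    {"remote_ip": "0.0.0.0", "remote_port": 443, "domain": "bad.example.net",
     "proxy_ip": "10.0.0.8", "proxy_port": 3128},
    {"remote_ip": "203.0.113.7", "remote_port": 443, "domain": "bad.example.net",
     "proxy_ip": None, "proxy_port": None},
    {"remote_ip": "0.0.0.0", "remote_port": 0, "domain": "",
     "proxy_ip": None, "proxy_port": None},
]

def is_proxy_masked(event):
    """True when a record matches the symptom described above: the connection
    went through a proxy, remote port and domain are populated, but the
    remote IP is empty or the unspecified address 0.0.0.0."""
    try:
        addr = ipaddress.ip_address(event.get("remote_ip") or "0.0.0.0")
    except ValueError:
        return False  # malformed address: not this symptom, handle elsewhere
    return bool(addr.is_unspecified and event.get("proxy_ip")
                and event.get("domain") and event.get("remote_port"))

def match_indicators(events, bad_ips, bad_domains):
    """Match on remote IP where it is usable; for proxy-masked records match
    on the domain instead so they are not silently skipped."""
    hits = []
    for index, event in enumerate(events):
        domain = (event.get("domain") or "").lower().rstrip(".")
        if is_proxy_masked(event):
            if domain in bad_domains:
                hits.append((index, "domain (remote IP masked by proxy)"))
        elif event.get("remote_ip") in bad_ips:
            hits.append((index, "remote_ip"))
        elif domain and domain in bad_domains:
            hits.append((index, "domain"))
    return hits

if __name__ == "__main__":
    found = match_indicators(SAMPLE_NETCONNS, {"203.0.113.7"}, {"bad.example.net"})
    for index, reason in found:
        print(index, reason, SAMPLE_NETCONNS[index]["domain"])
```
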