Carbon Black Cloud: How do I interpret the results of the Audit & Remediation query for TLS settings?

Article ID: 288667

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

How do I interpret the results of the Audit & Remediation query for TLS settings?

Environment

  • Carbon Black Cloud: LiveQuery search

Resolution

For the following Audit & Remediation query:

    SELECT
      reg.key,
      reg.name,
      reg.data AS Value,
      CASE
        WHEN reg.data = 1 THEN 'TLS 1.2 Protocol disabled'
        WHEN reg.data = 0 THEN 'TLS 1.2 not disabled by default'
        ELSE 'Registry key not found'
      END AS DisabledByDefault
    FROM registry reg
    WHERE PATH LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault';

the results mean:

  Result                      Meaning
  0                           TLS 1.2 is not disabled on this Device
  1                           TLS 1.2 is disabled on the Device
  "Registry key not found"    This OS does not have this registry key by default

Additional Information

A number of operating systems do not have the registry value for disabling TLS 1.2 that the query reads, although they are listed in the article linked from the FAQ in Related Links. These should show the value "Registry key not found".

It is much clearer to use the following search terms on Inventory → Endpoints or Inventory → VM Workloads:

    tlsVersion:TLSv1 OR tlsVersion:TLSv1.1