EDR: Sensors offline with HTTP 400 error code
search cancel

EDR: Sensors offline with HTTP 400 error code


Article ID: 289057


Updated On:


Carbon Black EDR (formerly Cb Response)


  • Sensors show offline in console
  • Sensor.log shows HTTP 400 error code for communication¬†
  • Sensorcomms.log shows HTTP 400 error code for registration and eventlog submissions


  • EDR Server: All Supported Versions
  • EDR Sensor: All Supported Versions


  • HTTP 400 is a 'Bad Message' rejection error from the NGINX web server, because the SSL certificates are not being authenticated succesfully.


  1. Validate the registry key HKLM > Software > CarbonBlack > Config has the following set correctly:
    1. SensorBackendServer key must use HTTPS and a validate DNS name or IP address and port
    2. SensorClientCert key must match the Sensor Group specific cert in the sensor_client_certs PSQL table
psql -d cb -p 5002 -c "select * from sensor_client_certs;" &> /tmp/sensor_client_certs.csv


Additional Information

  • Examples of a valid SensorBackendServer value: or https://servername:443
  • Newer versions of the sensor no longer store the cert in the registry and have a certficate store