Carbon Black Cloud: Sensor reported Established connection while proxy logs indicate connection was blocked.

Article ID: 289221

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

The console shows successful outgoing internet (browser) connections reported by the sensor, but the proxy logs show that they were blocked by the proxy.

Environment

  • Carbon Black Cloud Console: All Versions

Cause

The sensor records the connection as successful because it sees a complete TCP connection (carrying HTTP) rather than a deny, drop, or reset from the remote device, which here is the proxy.

The browser makes a complete TCP connection to the proxy, but the proxy then sends a deny message (HTTP, not TCP) back to the browser so the user can see that the site was blocked. Hence, from our sensor's perspective there was a connection to that "site". Remember that the sensor treats the proxy as a pseudo-transparent device: it sees a successful TCP connection for a browser request to a remote server when it is actually a successful request to the proxy.
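
The layer split described above, reproduced on loopback as an added example (not Carbon Black code or part of the original article): a stand-in proxy completes the TCP handshake and then denies the request over HTTP. The `DenyingProxy` class, the `observe` function and the `blocked.example` hostname are assumptions made for the demo.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class DenyingProxy(BaseHTTPRequestHandler):
    """Stand-in for a filtering proxy: accepts the TCP connection, then denies over HTTP."""

    def do_GET(self):
        body = b"Blocked by proxy policy\n"
        self.send_response(403)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def observe(blocked_url="http://blocked.example/"):
    """Return (tcp_established, http_status) for one browser-style request via the proxy."""
    proxy = HTTPServer(("127.0.0.1", 0), DenyingProxy)  # port 0: any free local port
    threading.Thread(target=proxy.serve_forever, daemon=True).start()
    try:
        # Layer 4: what a network-connection sensor records. The handshake
        # completes with the proxy, so the connection counts as established.
        sock = socket.create_connection(proxy.server_address, timeout=5)
        tcp_established = True
        # Layer 7: what the proxy log records. The request names the remote
        # site in absolute form, and the proxy answers with an HTTP deny.
        request = f"GET {blocked_url} HTTP/1.1\r\nHost: blocked.example\r\n\r\n"
        sock.sendall(request.encode("ascii"))
        reply = b""
        while chunk := sock.recv(4096):
            reply += chunk
        sock.close()
        http_status = int(reply.split(b" ", 2)[1])  # status line: HTTP/1.0 403 ...
        return tcp_established, http_status
    finally:
        proxy.shutdown()
        proxy.server_close()


if __name__ == "__main__":
    established, status = observe()
    print(f"TCP established: {established}, HTTP status from proxy: {status}")
```

A tool that records only the transport layer keeps the first value; the deny exists only in the HTTP response, which is what the proxy log reflects.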

Resolution

There is no resolution to this, as we do not have the application-layer visibility needed to identify that the connection was blocked at the proxy.