Carbon Black Cloud : Sensor reported Established connection while proxy logs indicate connection was blocked.
Article ID: 289221
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)
Issue/Introduction
The console shows successful outgoing internet (browser) connections reported by the sensor, but the proxy logs show that the same connections were blocked by the proxy.
Environment
Carbon Black Cloud Console: All Versions
Cause
The sensor reports a successful connection because it observes a completed TCP handshake with the remote device (the proxy) rather than a deny, drop or reset at the TCP layer.
The browser completes a full TCP connection to the proxy, and the proxy then sends a deny message at the HTTP layer (not the TCP layer) back to the browser so the user can see that the site was blocked. From the sensor's perspective there was therefore a connection to that "site": the sensor treats the proxy as a pseudo-transparent device, so it records a successful TCP connection for the browser's request to the remote server when it was actually a successful connection to the proxy.
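The following is an added illustration of the behaviour described above, not code from the article or from Carbon Black. A hypothetical stand-in proxy on loopback completes the TCP handshake and then refuses the request with an HTTP 403; the client reports what a transport-layer observer (the sensor) sees alongside what only an application-layer observer (the browser, or the proxy log) sees.

```python
import socket
import threading

# Constructed stand-in for a forward proxy that accepts the TCP connection
# and then denies the request at the HTTP layer. Hypothetical, for
# illustration only; the 403 status is an assumption, real proxies vary.
BLOCK_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 25\r\n"
    b"Connection: close\r\n\r\n"
    b"Blocked by proxy policy.\n"
)

def start_blocking_proxy():
    """Listen on an ephemeral loopback port, accept one client, answer 403."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()        # TCP handshake completes here
        conn.recv(4096)               # read the request, ignore its contents
        conn.sendall(BLOCK_RESPONSE)  # the deny happens at the HTTP layer
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def browser_request(proxy_port, url="http://example.invalid/"):
    """Send one proxied GET and return (transport view, application view)."""
    s = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    # Transport-layer view: all a TCP-level sensor can observe.
    transport = {"handshake": "established", "peer": s.getpeername()}
    s.sendall(f"GET {url} HTTP/1.1\r\nHost: example.invalid\r\n\r\n".encode())
    raw = b""
    while chunk := s.recv(4096):
        raw += chunk
    s.close()
    # Application-layer view: requires parsing the HTTP status line.
    status = int(raw.split(b" ", 2)[1])
    application = {"status": status, "blocked": status == 403}
    return transport, application

if __name__ == "__main__":
    port = start_blocking_proxy()
    print(browser_request(port))
```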
Resolution
There is no resolution for this, as the sensor does not have application-layer visibility, which would be required to identify that the connection was blocked at the proxy.