Carbon Black Cloud: Will attempted inbound connections to closed ports show in the Console?



Article ID: 290570


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

If an external/remote host attempts to connect to a local host (with the Sensor installed) via a port that is closed on the local host, will the attempted connection show up in the Console?

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard (formerly CB Defense, standalone or combined)
    • Enterprise EDR (formerly CB ThreatHunter, standalone or combined)
  • Carbon Black Cloud (Windows/macOS/Linux) Sensor: All Versions
  • Linux: All Supported Versions
  • macOS: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

No. The Carbon Black Cloud Sensor only monitors and reports on connections that have been established; it will not show attempted inbound connections to a closed port.

Example:

  • remoteHost (without Sensor) attempts to connect to localHost (with Sensor) on localHost port 23 (Telnet), which has been closed
  • No connection from remoteHost to localHost:23 will be visible in the Console, because the network connection (netconn) was not established

Additional Information

  • Inbound connections only show in Console if established
  • Attempted connection to closed port is never established
  • Outbound connections from endpoint with Sensor to remote hosts will all be shown in Console
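
The TCP behaviour behind this answer, as an added example that is not part of the original article and is not Carbon Black code: on loopback, a connect to a listening port is established and handed to a process, while a connect to the same port once it is closed is refused and never becomes a connection. The function names and the OS-assigned port (used here instead of port 23) are assumptions made for the demonstration.

```python
# Added illustration, not vendor code. Loopback stands in for
# remoteHost -> localHost; the OS picks the port (assumption: not port 23).
import socket

LOCAL = "127.0.0.1"

def attempt(host, port, timeout=2.0):
    """Try a TCP connect and report whether it was ever established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "established"
    except ConnectionRefusedError:
        return "refused"              # closed port: the OS answered with RST
    except OSError as exc:
        return f"failed: {exc}"       # e.g. timeout when packets are dropped

def run_demo():
    results = {"accepted": 0}

    # Case 1: port is open. A process is listening, the handshake completes,
    # and accept() hands that process an established connection.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((LOCAL, 0))         # port 0 = let the OS choose a free port
    listener.listen(1)
    listener.settimeout(2.0)
    port = listener.getsockname()[1]

    results["open"] = attempt(LOCAL, port)
    conn, _peer = listener.accept()   # the established inbound connection
    results["accepted"] += 1
    conn.close()

    # Case 2: same port, now closed. Nothing is listening, so the attempt is
    # refused and no process on the host ever receives a connection.
    listener.close()
    results["closed"] = attempt(LOCAL, port)
    return results

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```
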