Disabling Certificate Revocation Checks
Article ID: 289058

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

How to disable the Agent's certificate revocation checks (OCSP requests and CRL retrievals)

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Resolution

Important Notes:

  • Certificates typically are revoked by the issuing Certificate Authority due to:
    • Compromised Encryption Keys
    • Inaccurate information in the Certificate
    • Certificate Owner is no longer deemed as trusted
  • For these reasons, disabling Revocation Checks typically is not recommended for most environments.
  • Initial Revocation Checks run every time a new file is discovered by the Agent
    • In an air-gapped environment (or otherwise very restricted network) repeated failed checks can cause performance issues.
    • In these environments it is recommended to use None
  • Background Revocation Checks run every 24 hours
    • These have very limited performance impacts, even in an air-gapped environment.
    • Typically the option for Cache is recommended even in air-gapped environments.


Disable Globally (All Agents)

  1. Log in to the Console and navigate to Settings > System Configuration > Advanced Options
  2. Scroll down to the bottom > click the Edit button > Certificate Options
    • Initial Revocation Check: None
      • These run every time a new file is discovered.
      • In air-gapped or otherwise very restricted network environments these checks can cause performance issues.
    • Background Revocation Check: Cache or None
      • These run once every 24 hours with limited performance impact.
      • It is recommended that this setting stays enabled and set to Network.
      • If you really need to disable it, set it to Cache or None.


Disable Per-Policy or Per-Agent

  1. Log in to the Console and navigate to: https://ServerAddress/Agent_config.php
  2. Click Add Agent Config
    • Name: Disable Initial Revocation Checks
    • Host ID: 0 (or use specific Host ID)
    • Value:
      cert_chain_flags=0x80000001
    • Platform: Windows
    • Status: Enabled
    • Create For: Select the relevant Policy/Policies where required
  3. Click Save
  4. Add another Agent Config with the following details
    • Name: Disable Background Revocation Checks
    • Host ID: 0 (or use specific Host ID)
    • Value:
      background_cert_chain_flags=0x8000001
    • Platform: Windows
    • Status: Enabled
    • Create For: Select the relevant Policy/Policies where required
  5. Click Save

Additional Information

  • Options available for cert_chain_flags (the same values are used for background_cert_chain_flags in step 4 above)
    • Network (0x28000001) - If revocation information is not locally available, use the network to retrieve the revocation status of a certificate
    • Cache (0x8000005) - Use locally cached revocation status information when performing certificate revocation checking (the network will not be used)
    • None (0x8000001) - Do not perform certificate revocation checking
    • With revocation checking set to None, the Agent receives no updated data if a certificate has been revoked, which could potentially expose the systems to malicious software
  • More information in Tech Docs > User Guide > Approving and Banning Software > By Publisher > Which Certificates Can Approve Files > Revocation Checks
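Because the per-policy method above spreads these overrides across many Agent Config entries, an administrator will want a quick way to list where revocation checks are no longer set to Network. The following audit script is an added example, not part of the article or the App Control product; it assumes the Agent Config entries have been transcribed into the constructed AgentConfig records below (the console's own export format is not described in the article), and it uses only the flag values documented above.

```python
from dataclasses import dataclass

# Flag values documented in the article for cert_chain_flags and
# background_cert_chain_flags (hex strings with differing zero-padding
# compare equal once parsed as integers).
FLAG_MODES = {0x28000001: "Network", 0x8000005: "Cache", 0x8000001: "None"}

# Which Agent Config key controls which revocation check.
SETTING_KEYS = {"cert_chain_flags": "initial", "background_cert_chain_flags": "background"}


@dataclass
class AgentConfig:
    """Fields mirror the Add Agent Config form shown in the article."""
    name: str
    host_id: int          # 0 = applies to all hosts in the selected policies
    value: str            # e.g. "cert_chain_flags=0x8000001"
    platform: str
    status: str           # "Enabled" / "Disabled"
    policies: tuple       # policies chosen under "Create For"


def parse_value(value: str):
    """Return (check type, mode) for a revocation-related Value, else None."""
    key, _, raw = value.partition("=")
    if key.strip() not in SETTING_KEYS:
        return None
    try:
        mode = FLAG_MODES.get(int(raw.strip(), 16), "Unrecognised")
    except ValueError:  # malformed hex value: report rather than guess
        mode = "Unrecognised"
    return SETTING_KEYS[key.strip()], mode


def audit(configs):
    """List every enabled config whose revocation check is not Network."""
    findings = []
    for cfg in configs:
        parsed = parse_value(cfg.value)
        if cfg.status.lower() != "enabled" or parsed is None:
            continue
        check, mode = parsed
        if mode == "Network":
            continue
        scope = "all hosts" if cfg.host_id == 0 else f"host {cfg.host_id}"
        findings.extend((policy, scope, check, mode) for policy in cfg.policies)
    return findings


# Constructed sample entries (not real data) following the article's steps.
SAMPLE_CONFIGS = [
    AgentConfig("Disable Initial Revocation Checks", 0, "cert_chain_flags=0x8000001",
                "Windows", "Enabled", ("Air-Gapped Lab",)),
    AgentConfig("Disable Background Revocation Checks", 0, "background_cert_chain_flags=0x8000005",
                "Windows", "Enabled", ("Air-Gapped Lab",)),
    AgentConfig("Old test override", 42, "cert_chain_flags=0x8000001",
                "Windows", "Disabled", ("Default Policy",)),
    AgentConfig("Keep network checks", 0, "background_cert_chain_flags=0x28000001",
                "Windows", "Enabled", ("Default Policy",)),
]

if __name__ == "__main__":
    for policy, scope, check, mode in audit(SAMPLE_CONFIGS):
        print(f"{policy}: {check} revocation check set to {mode} for {scope}")
```

Disabled entries and Network settings are skipped, so the report contains only the policies where the article's "no updated revocation data" caveat applies.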