Over time, you will notice some of your endpoints will show up on this list of unmonitored devices (<your_subdomain>.my.redcanary.co/endpoints/inbox). Often times,this indicates that the Carbon Black Response sensor is having difficulty communicating with the Cb Response server. This could be a result of a known bug with the sensor version, a new security control/product being introduced into the environment, or something else.
NOTE: Endpoints that show up on this list are usually a result of sensors being reinstalled (a new sensor ID is issued upon reinstallation). You will just need to decommission the older record in order to remove it from this list.
For systems which have had the sensor installed, but having issues communicating with the server, please try the following:
1. Verify you’re using the most current version of the Cb Response sensor
2. Ensure cb.exe is running (visible to administrators via Task Manager) and the “Carbon Black Sensor” service shows as “Running” in the Services list
3. Ensure that nothing is blocking communications to the CB server at https://cb.<your_subdomain>.my.redcanary.co:443
- There may be a firewall (either host-based or network-based), web filter/proxy, etc. that is preventing SSL communications outbound to the CB server
- DNS resolution must also be properly functioning on the system so the CB server URL can be resolved to the appropriate IP address
4. Visit the above URL using a web browser on the non-reporting system
- You may see an initial error related to the self-signed cert, but if you proceed through the error, you will see a CB login screen if the traffic was permitted
- If you don’t see any response at all, that is likely due to a traffic block
NOTE: If your environment consists of legacy Windows (XP, Vista, Windows 7, Server 2003/2008) please use the v6.1.x branch. If your environment also includes modern Windows (Windows 8.1 + or Server 2008 R2 +) please use the v6.2.x branch. This will ensure proper Cb sensor to Cb server communication since legacy Windows only supports TLS 1.0 and the newer v6.2.x only supports TLS 1.2 or higher.
5. If the above doesn’t help, rebooting is worth a try, if business operations allow.
- There is a known issue where Windows XP/2003 systems sometimes need to be rebooted after sensor installation, but does not apply to Windows 7/2008 and above.
6. When all else fails, please generate a sensor diagnostic for our team to review: