We noticed that our endpoints are not showing in Red Canary. We installed the Sensor on the endpoint and the installation went through successfully.
Red Canary + Carbon Black EDR
When the Carbon Black EDR Sensor gets installed on an endpoint, one of the first things it needs to be able to do is communicate with the Carbon Black Server. After the initial Sensor installation, If communication with the CB Server fails for any reason the endpoint will not show up in Red Canary.
There can be a number of reasons why the Sensor may not be communicating with the CB Server, but one of the first things that you should check is the endpoint's DNS settings.
If the endpoint's DNS is failing to resolve the Carbon Black Server Checkin URL, the Sensor will not be able to communicate with the Server.
Before you can run any DNS test, you need to know is what the Carbon Black Server Checkin URL is. To find this information you need to log into your Red Canary. Once you are inside Red Canary, perform the following steps:
- Click on your User icon (top right) and select the "Getting Help" link.
- Then scroll down to the "Important Addresses" section and take note of the Cb Response Console and Cb Response Sensor Checkin URLs and IP addresses.
Now that we have the correct Sensor communication details, we can perform a DNS test on our endpoint. For the Windows operating system, the quickest way to test your DNS is by using the nslookup command. In order to run the nslookup test you will need to perform the following steps:
- In Windows 10, click on the start menu icon and type "CMD" in the search bar. Then right click on the "Command Prompt" icon in the search results and choose "Run as Administrator"
- Next, you will type the following command: "nslookup <URL of CB Sensor Checkin>
- Example: if the URL is https://mycompany.cb.my.redcanary.co, then you would type the following command: nslookup mycompany.cb.my.redcanary.co (then hit enter).
- The output of the command should look similar to the below screenshot. In the "Address Field" under the "Non-authoritative answer" section you should see the IP address that was listed next to the URL in the Red Canary > Getting Help > Important Addresses. If you see any other IP address listed there, then there is a problem with your DNS resolution.
If you do find that your DNS is resolving to the wrong IP address, then you will need to take the steps necessary to troubleshoot the problem.
If the endpoint is resolving to the correct IP address, then here are some additional steps you can take to ensure your Sensors are functioning properly:
1) If you are running a 3rd party anti-virus program, make sure that all of the Carbon Black Recommended AV Exclusions are in place.
2) Make sure your firewall is not blocking either of the URLs or the IP addresses that were listed in the Red Canary > Getting Help > Important Addresses page.
3) If you are running any kind of SSL inspection, make sure you bypass the Carbon Black Server IP address, otherwise the Sensor certificate validation will fail and the Sensor will not be able to communicate with the CB Server. NOTE: Due to certificate pinning, communication is not supported through traffic inspection proxies, or any other device that would affect SSL certificates.
4) Make sure you are running a compatible Sensor version for the operating system you are running. Please review the Carbon Black Supported Sensors Version Grid and look for your operating system.
5) If you are running a Proxy Server make sure you have the correct settings in place for your Sensors. For Windows Sensors you can review the following Carbon Black article: How to Setup Windows Sensors for Proxy Communication.
6) Are you deploying to a VDI environment? If so, please be sure to follow the proper VDI deployment settings for your operating system. See our article Configuring VMware Carbon Black EDR Sensors for use with Virtual Desktop Infrastructure (VDI)
7) If your are still having problems with your Sensors collect the Sensor diagnostic files from the endpoint and open a support case.
(a) For Windows please see the following article: How to Collect Sensor Diagnostics (Windows).
(b) For macOS please see the following article: How to Collect Sensor Diagnostics (Mac).
8) Initial processing of endpoint data by Red Canary is done every 30 minutes. This means that it can take up to 30 minutes for Red Canary to determine that there's a new endpoint added to the Carbon Black server. If anything interferes with that first endpoint scan, then it won't be detected until the second scan, which would could delay the new endpoint being seen for up to an hour. If an endpoint takes longer than an hour for the initial check-in, then create a Support ticket and securely share Carbon Black sensor logs for the new endpoint.