Carbon Black Defense Installation Issues

I worked on this with a different deployment tool, but I bet you have the same issue.

When you run the command as your ID, the process will use your proxy settings, and when you use BigFix it will use the system's, which is probably not set. So in the batch file, you could do the following:

cmd /c netsh winhttp show proxy >> c:\data\setproxy.log 2>&1
cmd /c netsh winhttp set proxy proxy: >> c:\data\setproxy.log 2>&1

start /wait msiexec /qn /i c:\data\installer_vista_win7_win8-64-3.3.0.984.msi /l*vx c:\cb_install.log COMPANY_CODE=

I have to go look at the package again, but I think we reset the proxy after that.

We also put the required entries in the firewall, but it turned out that we missed some because they were not documented at the time. If you check https://community.carbonblack.com/t5/Knowledge-Base/CB-Defense-What-Ports-must-be-opened-on-the-Firewall-and-Proxy/ta-p/36295 it defines all the required URLs/ports. For install, the most important are:

ocsp.godaddy.com TCP/80
crl.godaddy.com TCP/80

The MSI log is useless; the one you want is C:\Program Files\Confer\confer.ini.

I do not have a recent log to look for, but from what I recall, it was pretty obvious what was happening.

Martin Carnegie

2 Likes

I think I have it almost ‘working’ now (sensor still doesn't show in control panel). However, the log leads me to believe you are correct or there is an issue with the hosted ‘Confer’ service. I will add what you suggested to my .bat files and give it a try as well. Great suggestion, and the below log would seem to agree with your statement as well, so thank you! Also thank you to everyone else that helped; a big reason why I love BigFix is the community!

08/16/19 16:43:25: 3c80 0 install_utils: pid 8052, installer version 3.4.0.1047
08/16/19 16:43:25: 3c80 1 install_utils::CheckIfUpdate
08/16/19 16:43:25: 3c80 1 CDeviceRegistration::InitializeNoTest: working dir does not exist: C:\Program Files\Confer
08/16/19 16:43:25: 3c80 1 install_utils::CheckIfUpdate: false
08/16/19 16:43:25: 3c80 1 http: Trying 34.202.95.248…

08/16/19 16:43:25: 3c80 1 http: TCP_NODELAY set

08/16/19 16:43:25: 3c80 1 http: Connected to dev-prod05.conferdeploy.net (34.202.95.248) port 443 (#0)

08/16/19 16:43:25: 3c80 1 http: schannel: SSL/TLS connection with dev-prod05.conferdeploy.net port 443 (step 1/3)

08/16/19 16:43:25: 3c80 1 http: schannel: checking server certificate revocation

08/16/19 16:43:25: 3c80 1 http: schannel: ALPN, offering http/1.1

08/16/19 16:43:25: 3c80 1 http: schannel: sending initial handshake data: sending 207 bytes…

08/16/19 16:43:25: 3c80 1 http: schannel: sent initial handshake data: sent 207 bytes

08/16/19 16:43:25: 3c80 1 http: schannel: SSL/TLS connection with dev-prod05.conferdeploy.net port 443 (step 2/3)

08/16/19 16:43:25: 3c80 1 http: schannel: failed to receive handshake, need more data

08/16/19 16:43:25: 3c80 1 http: schannel: SSL/TLS connection with dev-prod05.conferdeploy.net port 443 (step 2/3)

08/16/19 16:43:25: 3c80 1 http: schannel: encrypted data got 2529

08/16/19 16:43:25: 3c80 1 http: schannel: encrypted data buffer: offset 2529 length 4096

08/16/19 16:43:25: 3c80 1 http: schannel: SSL/TLS connection with dev-prod05.conferdeploy.net port 443 (step 2/3)

08/16/19 16:43:25: 3c80 1 http: schannel: encrypted data got 379

08/16/19 16:43:25: 3c80 1 http: schannel: encrypted data buffer: offset 379 length 4096

08/16/19 16:43:25: 3c80 1 http: schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

08/16/19 16:43:25: 3c80 1 http: Closing connection 0

08/16/19 16:43:25: 3c80 1 http: schannel: shutting down SSL/TLS connection with dev-prod05.conferdeploy.net port 443

08/16/19 16:43:25: 3c80 1 http: schannel: clear security context handle

08/16/19 16:43:25: 3c80 3 CurlWrapper::ProcessResult: handle id: CProxyServer::TestProxy, libcurl err SSL connect error (35)
08/16/19 16:43:25: 3c80 1 http: Trying 34.202.95.248…

08/16/19 16:43:25: 3c80 1 http: TCP_NODELAY set

08/16/19 16:43:25: 3c80 1 http: Connected to dev-prod05.conferdeploy.net (34.202.95.248) port 54443 (#0)

08/16/19 16:43:25: 3c80 1 http: schannel: SSL/TLS connection with dev-prod05.conferdeploy.net port 54443 (step 1/3)

08/16/19 16:43:25: 3c80 1 http: schannel: checking server certificate revocation

08/16/19 16:43:25: 3c80 1 http: schannel: ALPN, offering http/1.1

08/16/19 16:43:25: 3c80 1 http: schannel: sending initial handshake data: sending 207 bytes…

08/16/19 16:43:25: 3c80 1 http: schannel: sent initial handshake data: sent 207 bytes

08/16/19 16:43:25: 3c80 1 http: schannel: SSL/TLS connection with dev-prod05.conferdeploy.net port 54443 (step 2/3)

08/16/19 16:43:25: 3c80 1 http: schannel: failed to receive handshake, need more data

08/16/19 16:43:45: 3c80 1 http: Operation timed out after 20000 milliseconds with 0 out of 0 bytes received

08/16/19 16:43:45: 3c80 1 http: Closing connection 0

08/16/19 16:43:45: 3c80 1 http: schannel: shutting down SSL/TLS connection with dev-prod05.conferdeploy.net port 54443

08/16/19 16:43:45: 3c80 1 http: schannel: clear security context handle

08/16/19 16:43:45: 3c80 2 CurlWrapper::ProcessResult: handle id: CProxyServer::TestAltPort, libcurl err Timeout was reached (28)
08/16/19 16:43:45: 3c80 1 CProxyServer::DetectProxySetting: GetIEProxyConfig: auto detect
08/16/19 16:43:45: 3c80 1 CProxyServer::DetectProxySetting: ret 12180: likely no autoconfiguration
08/16/19 16:43:45: 3c80 1 install_utils::Register
08/16/19 16:43:45: 3c80 1 CDeviceRegistration::Register: silent installation
08/16/19 16:43:45: 3c80 1 CRegister::Register: no group name
08/16/19 16:43:45: 3c80 1 ProxySettingsStoreCommon::ApplyConnectionSettings: handle id: CRegister::Register, set using cloud alt. port: false, set using proxy: false, proxy , using creds: false
08/16/19 16:43:45: 3c80 1 CRegister::SendRetryRegisterMessage: attempting to connect with detected settings
08/16/19 16:43:45: 3c80 1 http: Trying 34.202.95.248…

08/16/19 16:43:45: 3c80 1 http: TCP_NODELAY set

08/16/19 16:43:45: 3c80 1 http: Connected to dev-prod05.conferdeploy.net (34.202.95.248) port 443 (#0)

08/16/19 16:43:45: 3c80 1 http: schannel: SSL/TLS connection with dev-prod05.conferdeploy.net port 443 (step 1/3)

08/16/19 16:43:45: 3c80 1 http: schannel: checking server certificate revocation

08/16/19 16:43:45: 3c80 1 http: schannel: ALPN, offering http/1.1

08/16/19 16:43:45: 3c80 1 http: schannel: sending initial handshake data: sending 207 bytes…

08/16/19 16:43:45: 3c80 1 http: schannel: sent initial handshake data: sent 207 bytes

08/16/19 16:43:45: 3c80 1 http: schannel: SSL/TLS connection with dev-prod05.conferdeploy.net port 443 (step 2/3)

08/16/19 16:43:45: 3c80 1 http: schannel: failed to receive handshake, need more data

08/16/19 16:43:45: 3c80 1 http: schannel: SSL/TLS connection with dev-prod05.conferdeploy.net port 443 (step 2/3)

08/16/19 16:43:45: 3c80 1 http: schannel: encrypted data got 2529

08/16/19 16:43:45: 3c80 1 http: schannel: encrypted data buffer: offset 2529 length 4096

08/16/19 16:43:45: 3c80 1 http: schannel: SSL/TLS connection with dev-prod05.conferdeploy.net port 443 (step 2/3)

08/16/19 16:43:45: 3c80 1 http: schannel: encrypted data got 379

08/16/19 16:43:45: 3c80 1 http: schannel: encrypted data buffer: offset 379 length 4096

08/16/19 16:43:45: 3c80 1 http: schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

08/16/19 16:43:45: 3c80 1 http: Closing connection 0

08/16/19 16:43:45: 3c80 1 http: schannel: shutting down SSL/TLS connection with dev-prod05.conferdeploy.net port 443

08/16/19 16:43:45: 3c80 1 http: schannel: clear security context handle

08/16/19 16:43:45: 3c80 3 CurlWrapper::ProcessResult: handle id: CRegister::Register, libcurl err SSL connect error (35)
08/16/19 16:43:45: 3c80 2 CRegister::SendRetryRegisterMessage: (no network) was unable to connect
08/16/19 16:43:45: 3c80 3 CDeviceRegistration::Register: ERROR: There seems to be a problem connecting to Confer. Please try registering again later.
08/16/19 16:43:45: 3c80 1 install_utils::Register failed: There seems to be a problem connecting to Confer. Please try registering again later.

2 Likes
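As an added example (not part of any post in this thread, and not Carbon Black tooling): a small Python triage script for the installer log format posted above. It pairs each `CurlWrapper::ProcessResult` failure with the host, port and schannel HRESULT that preceded it; the sample lines are excerpted from that log, and the diagnosis wording is this example's assumption.

```python
import re

# Sample input: lines excerpted from the install log posted above in this thread.
SAMPLE_LOG = """\
08/16/19 16:43:25: 3c80 1 http: Connected to dev-prod05.conferdeploy.net (34.202.95.248) port 443 (#0)
08/16/19 16:43:25: 3c80 1 http: schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
08/16/19 16:43:25: 3c80 3 CurlWrapper::ProcessResult: handle id: CProxyServer::TestProxy, libcurl err SSL connect error (35)
08/16/19 16:43:25: 3c80 1 http: Connected to dev-prod05.conferdeploy.net (34.202.95.248) port 54443 (#0)
08/16/19 16:43:45: 3c80 1 http: Operation timed out after 20000 milliseconds with 0 out of 0 bytes received
08/16/19 16:43:45: 3c80 2 CurlWrapper::ProcessResult: handle id: CProxyServer::TestAltPort, libcurl err Timeout was reached (28)
"""

LINE = re.compile(r"^\d\d/\d\d/\d\d (\d\d:\d\d:\d\d): \w+ \d (.*)$")
CONNECTED = re.compile(r"http: Connected to (\S+) \([\d.]+\) port (\d+)")
HRESULT = re.compile(r"InitializeSecurityContext failed: .*\((0x[0-9A-Fa-f]{8})\)")
RESULT = re.compile(r"ProcessResult: handle id: (\S+), libcurl err (.+) \((\d+)\)")

def diagnose(curl_code, hresult):
    """Map a failed attempt to a likely cause (wording is this example's own)."""
    if hresult == "0x80092012":  # CRYPT_E_NO_REVOCATION_CHECK
        return "revocation check failed: allow the CA's OCSP/CRL hosts on TCP/80"
    if curl_code == 28:  # CURLE_OPERATION_TIMEDOUT
        return "no TLS reply before timeout: port likely filtered"
    return "TLS/connect error: read the schannel lines for this attempt"

def triage(log_text):
    """Return one finding per failed connection attempt, in log order."""
    findings, state = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank separator lines or unrelated text
        time, msg = m.groups()
        if c := CONNECTED.search(msg):
            state = {"host": c.group(1), "port": int(c.group(2))}
        elif h := HRESULT.search(msg):
            state["hresult"] = h.group(1).lower()
        elif r := RESULT.search(msg):
            code = int(r.group(3))
            findings.append({
                "time": time, "handle": r.group(1), "curl_code": code,
                "host": state.get("host"), "port": state.get("port"),
                "hresult": state.get("hresult"),
                "diagnosis": diagnose(code, state.get("hresult")),
            })
            state = {}  # next attempt starts clean
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} {f['handle']} {f['host']}:{f['port']} -> {f['diagnosis']}")
```

Run against a full log, the same function also picks up the later `CRegister::Register` attempt, which fails with the same HRESULT as the first probe.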

The other issue we had on the firewall was that the firewall did not support the use of URLs, so we had to add IP addresses for the “dev-prod05.conferdeploy.net”. This is really annoying because it is in the AWS and there are a ton of entries that it can possibly be. Just try an nslookup from a few different systems :)

1 Like

So, I wanted to reply so that anyone else having similar issues with the product knows to check the FW and update the rules according to the latest documentation from Carbon Black. Worked and got everything including the godaddy sites listed and as of this morning I am able to install both sensors with ease! Thank you to everyone that contributed!!

1 Like

Hello! I am currently experiencing this same issue in my environment and wanted to see if you could provide the final install script you used to get this to work? When deploying I receive error code 49 in the event viewer:

The description for Event ID 49 from source CbDefense cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

CbDefense
CARegisterSensor: Failed to register: We couldn’t connect to the cloud due to a network issue. Please check firewall and proxy configurations and try again later.

Sounds like there is a network block either from the endpoint or firewall. That said, my install was simply

prefetch installer_vista_win7_win8-64-3.7.0.1411.msi sha1:fe7529e17f49363beb68c78172f9d286bf835f29 size:49676288 http://SAWSBIGFIX01.sefcu.com:52311/Uploads/installer_vista_win7_win8-64-3.7.0.1411.msi
waithidden msiexec.exe /q /i __Download\installer_vista_win7_win8-64-3.7.0.1411.msi /L* log.txt COMPANY_CODE="GENERICCOMPANYCODE"

Carbon Black does keep a list that is updated fairly frequently that shows the sites that should be whitelisted on the network end. I'll link if I can dig it up again.