GLFI1969

KES 11.1 and WatchGuard TDR


Hello, I have a connection issue on PCs with KES 11.1 installed and the WatchGuard TDR agent.

The cause is the scan of the encrypted connections option.

If I disable this feature or Web Control, the TDR agent connects after a few seconds.

I have checked all the exclusions suggested by WatchGuard and I have inserted in the Trusted Domains and Web Control exceptions everything possible but without results.

I have also tried adding the IP addresses, as you can see in the logs, but nothing.

I cannot see any block event in the device events on KSC.

With these event options, should I see sites or connections blocked by Web Control?


Here are some TDR logs:

2019-03-25 11:41:31.703 [Error] [thread:4560] [Communications] Failed to connect to Controller 52.29.89.76:443 - SSL connection unexpectedly closed
2019-03-25 11:41:31.721 [Error] [thread:4560] [Communications] Failed to connect to any Controller in known list
2019-03-25 11:42:06.196 [Error] [thread:4528] [Communications] Failed to connect to Controller 18.197.116.222:443 - SSL connection unexpectedly closed
2019-03-25 11:42:06.220 [Error] [thread:4528] [Communications] Failed to connect to any Controller in known list
2019-03-25 11:42:35.892 [Error] [thread:4544] [Communications] Failed to connect to Controller 18.197.116.222:443 - SSL connection unexpectedly closed
2019-03-25 11:42:35.919 [Error] [thread:4544] [Communications] Failed to connect to any Controller in known list
2019-03-25 11:43:10.511 [Error] [thread:4556] [Communications] Failed to connect to Controller 18.197.116.222:443 - SSL connection unexpectedly closed
2019-03-25 11:43:10.533 [Error] [thread:4556] [Communications] Failed to connect to any Controller in known list
2019-03-25 11:43:46.808 [Error] [thread:4268] [PEUtilities] CryptQueryObject failed with 2148081673
2019-03-25 11:43:46.809 [Error] [thread:4316] [PEUtilities] CryptQueryObject failed with 2148081673
2019-03-25 11:43:46.882 [Information] [thread:4268] [ProcessEventListener] Process created: pid=11072 name=SearchFilterHost.exe image=c:\Windows\System32\searchfilterhost.exe fallback=N
2019-03-25 11:43:46.951 [Information] [thread:4316] [ProcessEventListener] Process created: pid=5596 name=SearchProtocolHost.exe image=c:\Windows\System32\searchprotocolhost.exe fallback=N
2019-03-25 11:43:48.628 [Error] [thread:4556] [Communications] Failed to connect to Controller 18.197.116.222:443 - SSL connection unexpectedly closed
2019-03-25 11:43:48.638 [Error] [thread:4556] [Communications] Failed to connect to any Controller in known list
2019-03-25 11:44:22.825 [Error] [thread:4592] [Communications] Failed to connect to Controller 52.29.89.76:443 - SSL connection unexpectedly closed
2019-03-25 11:44:22.847 [Error] [thread:4592] [Communications] Failed to connect to any Controller in known list
2019-03-25 11:44:57.538 [Error] [thread:4548] [Communications] Failed to connect to Controller 52.29.89.76:443 - SSL connection unexpectedly closed
2019-03-25 11:44:57.561 [Error] [thread:4548] [Communications] Failed to connect to any Controller in known list
2019-03-25 11:45:08.419 [Information] [thread:4444] [ProcessEventListener] Process created: pid=6164 name=backgroundTaskHost.exe image=c:\Windows\System32\backgroundtaskhost.exe fallback=N
2019-03-25 11:45:08.436 [Error] [thread:4508] [BehaviorPreventorProcessEvents] OpenProcess failed for getUserNameForProcess, pid: 1880code: 5
2019-03-25 11:45:08.439 [Information] [thread:4480] [ProcessEventListener] Process created: pid=1880 name=svchost.exe image=C:\Windows\System32\svchost.exe fallback=Y
2019-03-25 11:45:08.530 [Information] [thread:4308] [ProcessEventListener] Process created: pid=12084 name=RuntimeBroker.exe image=c:\Windows\System32\runtimebroker.exe fallback=N
2019-03-25 11:45:14.410 [Information] [thread:4292] [ProcessEventListener] Process created: pid=12136 name=svchost.exe image=c:\Windows\System32\svchost.exe fallback=N
2019-03-25 11:45:20.999 [Error] [thread:4488] [PEUtilities] CryptQueryObject failed with 2148081673

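A small triage helper for the agent log posted above, as an added example that is not part of the original post or of any WatchGuard or Kaspersky tooling: it groups the controller connection failures by endpoint and reason, which shows whether every controller fails the same way at the TLS layer. The line layout is inferred from the excerpt, the function names are hypothetical, and the sample lines are a subset copied from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line layout inferred from the excerpt in the post (an assumption):
# "<date> <time> [Level] [thread:N] [Component] message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<level>\w+)\] \[thread:(?P<thread>\d+)\] \[(?P<component>\w+)\] (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"Failed to connect to Controller (?P<ep>\S+) - (?P<reason>.+)$")

# Subset of the log lines posted above, embedded so the example runs offline.
SAMPLE_LOG = """\
2019-03-25 11:41:31.703 [Error] [thread:4560] [Communications] Failed to connect to Controller 52.29.89.76:443 - SSL connection unexpectedly closed
2019-03-25 11:41:31.721 [Error] [thread:4560] [Communications] Failed to connect to any Controller in known list
2019-03-25 11:42:06.196 [Error] [thread:4528] [Communications] Failed to connect to Controller 18.197.116.222:443 - SSL connection unexpectedly closed
2019-03-25 11:42:35.892 [Error] [thread:4544] [Communications] Failed to connect to Controller 18.197.116.222:443 - SSL connection unexpectedly closed
2019-03-25 11:43:46.808 [Error] [thread:4268] [PEUtilities] CryptQueryObject failed with 2148081673
2019-03-25 11:44:22.825 [Error] [thread:4592] [Communications] Failed to connect to Controller 52.29.89.76:443 - SSL connection unexpectedly closed
"""

def summarize_controller_failures(log_text):
    """Group controller connection failures by (endpoint, reason)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["component"] != "Communications":
            continue  # other components (PEUtilities, ProcessEventListener, ...)
        f = FAIL_RE.search(m["msg"])
        if not f:
            continue  # e.g. the "any Controller in known list" roll-up line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        groups[(f["ep"], f["reason"])].append(ts)
    summary = {}
    for key, stamps in groups.items():
        stamps.sort()
        summary[key] = {"count": len(stamps), "first": stamps[0], "last": stamps[-1]}
    return summary

def all_failures_are_tls_closes(summary):
    """True when every endpoint fails with an SSL-level close and nothing else."""
    return bool(summary) and all("SSL connection" in reason for _, reason in summary)

if __name__ == "__main__":
    result = summarize_controller_failures(SAMPLE_LOG)
    for (ep, reason), info in sorted(result.items()):
        print(f"{ep}  x{info['count']}  {info['first']:%H:%M:%S} -> {info['last']:%H:%M:%S}  {reason}")
    print("uniform TLS-layer closes:", all_failures_are_tls_closes(result))
```
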

Hello!

Please try to add the TDR agent itself to the trusted applications with the option do not scan traffic. 

Thanks!


I already did.

When I insert a rule in Web Control, in addition to the default one, even the blocking of a single site, the TDR no longer connects.


With this rule added to the default rule: TDR does not connect.

Just add a policy that blocks something and TDR stops connecting.


Web Control on with default rule: TDR connects.


Would you please provide the screenshot of the trusted apps in the exclusions span of the policy? 

Thanks!

16 hours ago, Ivan.Ponomarev said:

Would you please provide the screenshot of the trusted apps in the exclusions span of the policy? 

Thanks!

Do you mean these?

15 minutes ago, Ivan.Ponomarev said:

Hello!

Yes. Could you please provide the full screenshot or the policy? 

Thanks!

FULL!


If the issue gets resolved, tell us on here. We are not having the issue, but we might be interested. Cheers.
