
Threat Prevention is making HTTP requests using an IP Address for cloud.gti.mcafee.com

In this article here, it shows that Threat Prevention is the module that would be making requests to this domain. https://kc.mcafee.com/corporate/index?page=content&id=KB93324

All the endpoints in my environment are making HTTP requests with the IP address, rather than the domain name for cloud.gti.mcafee.com. At the time of this post, we are seeing tens of thousands of HTTP requests every day to https://3.221.83.69/ and https://3.218.82.178/. When cloud.gti.mcafee.com starts resolving to different IP addresses, I expect to see HTTP requests continuing to go to these IP addresses for a few days after it has changed.

We believe this is a problem because those IP addresses are the ones creating a lot of open connections on the firewall whenever the IP addresses for cloud.gti.mcafee.com change. My theory is that there is some sort of caching mechanism going on. If it attempts to make an HTTP request using the domain, which is obviously failing, it then falls back to making HTTP requests with the IP address. It must attempt to use a cached fallback IP address for a few days, even after the IP address for cloud.gti.mcafee.com changes.

Why is it failing? I assume it has something to do with the fact that it's one of the domains that McAfee has decided to try and prevent MITM attacks on by using a self-signed certificate with a root authority that isn't trusted. We don't seem to have this problem with domains that have a proper SSL certificate. Yes, we are using McAfee Web Gateway, but we don't do SSL inspection.

My GTI_error.log is filled with these errors:

[E] [0x3730] HttpRequest::Send: HttpRequest::Send WinHttpSendRequest result ERROR_WINHTTP_TIMEOUT 12002
[E] [0x3730] HttpRequest::ValidateServerCert: Unable to get certificate context from request. Error: ERROR_WINHTTP_INCORRECT_HANDLE_STATE
[E] [0x3730] HttpRequest::AcceptResponse: HttpRequest::AcceptResponse WinHttpReceiveResponse result ERROR_WINHTTP_INCORRECT_HANDLE_STATE 12019

 

Is anyone else seeing this issue?

 

EDIT: I also see that tunnel.web.trustedsource.org resolves to those IP addresses as well. I see my machine making DNS lookups for cloud.gti.mcafee.com, but it has never made an HTTP request using that domain name.

yaz
McAfee Employee

Re: Threat Prevention is making HTTP requests using an IP Address for cloud.gti.mcafee.com

Hi @BadRequests 

Thank you for reaching out to the community.

Can you kindly log an SR for this issue along with MER logs so that we can have this checked internally and see if this is a defect or any changes in the functionality?

We look forward to hearing from you.

 

Re: Threat Prevention is making HTTP requests using an IP Address for cloud.gti.mcafee.com

Was there a solution to this issue? My errors are similar:

06/07/21 16:04:09 [E] [0x292c] HttpRequest::Send: HttpRequest::Send WinHttpSendRequest result ERROR_WINHTTP_TIMEOUT 12002
06/07/21 16:04:09 [E] [0x292c] HttpRequest::ValidateServerCert: Unable to parse certificate data from connection: ERROR_WINHTTP_INCORRECT_HANDLE_STATE
06/07/21 16:04:09 [E] [0x292c] HttpRequest::AcceptResponse: HttpRequest::AcceptResponse WinHttpReceiveResponse result ERROR_WINHTTP_INCORRECT_HANDLE_STATE 12019
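
Added example (not part of any post in this thread, and not McAfee code): a small Python parser for the GTI_error.log lines quoted in both posts, with or without the timestamp prefix, that tracks entries per thread ID and separates certificate-validation errors that follow a send timeout from ones that occur on their own. The sample input is the six lines quoted in the thread plus one constructed line (thread 0x1111); the function names `parse` and `classify` are hypothetical.

```python
import re
from collections import Counter

# Sample input: the six lines quoted in this thread, plus one CONSTRUCTED
# line (thread 0x1111) showing a certificate error with no preceding timeout.
SAMPLE_LOG = """\
[E] [0x3730] HttpRequest::Send: HttpRequest::Send WinHttpSendRequest result ERROR_WINHTTP_TIMEOUT 12002
[E] [0x3730] HttpRequest::ValidateServerCert: Unable to get certificate context from request. Error: ERROR_WINHTTP_INCORRECT_HANDLE_STATE
[E] [0x3730] HttpRequest::AcceptResponse: HttpRequest::AcceptResponse WinHttpReceiveResponse result ERROR_WINHTTP_INCORRECT_HANDLE_STATE 12019
06/07/21 16:04:09 [E] [0x292c] HttpRequest::Send: HttpRequest::Send WinHttpSendRequest result ERROR_WINHTTP_TIMEOUT 12002
06/07/21 16:04:09 [E] [0x292c] HttpRequest::ValidateServerCert: Unable to parse certificate data from connection: ERROR_WINHTTP_INCORRECT_HANDLE_STATE
06/07/21 16:04:09 [E] [0x292c] HttpRequest::AcceptResponse: HttpRequest::AcceptResponse WinHttpReceiveResponse result ERROR_WINHTTP_INCORRECT_HANDLE_STATE 12019
[E] [0x1111] HttpRequest::ValidateServerCert: Unable to get certificate context from request. Error: ERROR_WINHTTP_INCORRECT_HANDLE_STATE
"""

LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) )?"   # optional timestamp
    r"\[(?P<level>[A-Z])\] \[(?P<tid>0x[0-9a-fA-F]+)\] "    # level and thread id
    r"HttpRequest::(?P<func>\w+): (?P<msg>.*)$"
)
ERROR_RE = re.compile(r"ERROR_WINHTTP_\w+")

def parse(text):
    """Yield (timestamp or None, thread id, function, WinHTTP error name or None)."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            err = ERROR_RE.search(m["msg"])
            yield m["ts"], m["tid"], m["func"], err.group(0) if err else None

def classify(text):
    """Count cert-validation errors that follow a send timeout vs. standalone ones."""
    timed_out = set()      # threads whose current request timed out in Send
    counts = Counter()
    for _ts, tid, func, err in parse(text):
        if func == "Send" and err == "ERROR_WINHTTP_TIMEOUT":
            timed_out.add(tid)
            counts["send_timeout"] += 1
        elif func == "ValidateServerCert":
            key = "cert_error_after_timeout" if tid in timed_out else "cert_error_standalone"
            counts[key] += 1
        elif func in ("Send", "AcceptResponse"):
            timed_out.discard(tid)   # request ended or a new one started: reset state
    return dict(counts)

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

A high `cert_error_after_timeout` count with few standalone errors means the certificate messages accompany requests that already timed out, which is worth including with the MER logs when opening the SR.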
