Threat Prevention is making HTTP requests using an IP Address for cloud.gti.mcafee.com

This article shows that Threat Prevention is the module that would be making requests to this domain: https://kc.mcafee.com/corporate/index?page=content&id=KB93324

All the endpoints in my environment are making HTTP requests with the IP address, rather than the domain name, for cloud.gti.mcafee.com. At the time of this post, we are seeing tens of thousands of HTTP requests every day to https://3.221.83.69/ and https://3.218.82.178/. When cloud.gti.mcafee.com starts resolving to different IP addresses, I expect to see HTTP requests continuing to go to these IP addresses for a few days after it has changed.

We believe this is a problem because those IP addresses are the ones creating a lot of open connections on the firewall whenever the IP addresses for cloud.gti.mcafee.com change. My theory is that there is some sort of caching mechanism going on. If it attempts to make an HTTP request using the domain, which is obviously failing, it then falls back to making HTTP requests with the IP address. It must attempt to use a cached fallback IP address for a few days, even after the IP address for cloud.gti.mcafee.com changes.

Why is it failing? I assume it has something to do with the fact that it's one of the domains where McAfee has decided to try and prevent MITM attacks by using a self-signed certificate with a root authority that isn't trusted. We don't seem to have this problem with domains that have a proper SSL certificate. Yes, we are using McAfee Web Gateway, but we don't do SSL inspection.

My GTI_error.log is filled with these errors:

[E] [0x3730] HttpRequest::Send: HttpRequest::Send WinHttpSendRequest result ERROR_WINHTTP_TIMEOUT 12002
[E] [0x3730] HttpRequest::ValidateServerCert: Unable to get certificate context from request. Error: ERROR_WINHTTP_INCORRECT_HANDLE_STATE
[E] [0x3730] HttpRequest::AcceptResponse: HttpRequest::AcceptResponse WinHttpReceiveResponse result ERROR_WINHTTP_INCORRECT_HANDLE_STATE 12019

Is anyone else seeing this issue?

EDIT: I also see that tunnel.web.trustedsource.org resolves to those IP addresses as well. I see my machine making DNS lookups for cloud.gti.mcafee.com, but it has never made an HTTP request using that domain name.
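As an added example for triaging what the post describes (not code from the original post, and not a McAfee tool): a small Python script that parses the three GTI_error.log lines quoted above, counts the WinHTTP error codes, and then scans proxy log lines for HTTPS requests whose destination is a bare IP address instead of a hostname. The proxy log format ("<timestamp> <client> <method> <url> <status>") and the proxy lines themselves are constructed for this example, and CURRENT_RESOLUTION is a hypothetical stand-in for what cloud.gti.mcafee.com resolves to today; in practice you would fill it from socket.getaddrinfo and re-run after the name changes to see which cached addresses endpoints are still hitting.

```python
"""Triage helper for the symptom in the post: WinHTTP errors in GTI_error.log
and endpoints talking HTTPS to bare IP addresses instead of a hostname.

Only the three GTI_ERROR_LOG lines are taken from the post; everything else
(proxy log format, proxy lines, CURRENT_RESOLUTION) is constructed here."""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches the line shape quoted in the post:
# [E] [0x3730] Class::Method: free text ... ERROR_WINHTTP_NAME 12002
# The error name and the numeric code are both optional (the
# ValidateServerCert line carries a name but no code).
GTI_LINE = re.compile(
    r"^\[(?P<level>[A-Z])\]\s+\[(?P<thread>0x[0-9a-fA-F]+)\]\s+"
    r"(?P<func>[\w:]+):\s+(?P<msg>.*?)"
    r"(?:\s+(?P<err>ERROR_WINHTTP_\w+)(?:\s+(?P<code>\d+))?)?\s*$"
)

GTI_ERROR_LOG = [  # the three lines quoted in the post
    "[E] [0x3730] HttpRequest::Send: HttpRequest::Send WinHttpSendRequest result ERROR_WINHTTP_TIMEOUT 12002",
    "[E] [0x3730] HttpRequest::ValidateServerCert: Unable to get certificate context from request. Error: ERROR_WINHTTP_INCORRECT_HANDLE_STATE",
    "[E] [0x3730] HttpRequest::AcceptResponse: HttpRequest::AcceptResponse WinHttpReceiveResponse result ERROR_WINHTTP_INCORRECT_HANDLE_STATE 12019",
]

PROXY_LOG = [  # constructed; the two IPs are the ones the post reports
    "2021-03-01T08:00:01Z 10.1.2.3 CONNECT https://3.221.83.69/ 200",
    "2021-03-01T08:00:02Z 10.1.2.4 CONNECT https://3.218.82.178/ 200",
    "2021-03-01T08:00:03Z 10.1.2.3 CONNECT https://3.221.83.69/ 200",
    "2021-03-01T08:00:04Z 10.1.2.5 GET https://kc.mcafee.com/corporate/index 200",
    "2021-03-01T08:00:05Z 10.1.2.6 CONNECT 3.218.82.178:443 200",
]

# Hypothetical "today" answer for cloud.gti.mcafee.com; in practice build this
# from socket.getaddrinfo("cloud.gti.mcafee.com", 443). Here 3.221.83.69 has
# rotated out of the answer set, so traffic to it is a cached fallback.
CURRENT_RESOLUTION = {"3.218.82.178"}


def parse_gti_error(line):
    """Split one GTI_error.log line into its fields, or None if it does not match."""
    m = GTI_LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["code"] = int(d["code"]) if d["code"] else None
    return d


def summarize_gti_errors(lines):
    """Count WinHTTP error names across the log; unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        d = parse_gti_error(line)
        if d and d["err"]:
            counts[d["err"]] += 1
    return counts


def request_host(target):
    """Host part of a URL, or of a bare host:port CONNECT target."""
    return urlsplit(target if "://" in target else "//" + target).hostname


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def bare_ip_requests(proxy_lines):
    """Count requests whose destination is a literal IP rather than a name."""
    counts = Counter()
    for line in proxy_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # not the constructed 5-field format
        host = request_host(fields[3])
        if host and is_bare_ip(host):
            counts[host] += 1
    return counts


def stale_destinations(bare_ip_counts, current_ips):
    """Bare-IP destinations that are no longer in the current DNS answer set:
    the cached-fallback traffic the post expects to linger for a few days."""
    return {ip: n for ip, n in bare_ip_counts.items() if ip not in current_ips}


if __name__ == "__main__":
    print("WinHTTP errors:", dict(summarize_gti_errors(GTI_ERROR_LOG)))
    hits = bare_ip_requests(PROXY_LOG)
    print("bare-IP destinations:", dict(hits))
    print("stale (not in current resolution):", stale_destinations(hits, CURRENT_RESOLUTION))
```

The stale-destination check is the one worth scheduling: snapshot the DNS answer for cloud.gti.mcafee.com daily, and any bare-IP connection volume to addresses outside that snapshot is the fallback behaviour the post describes, measurable per client from the proxy or firewall log rather than inferred from open-connection counts.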
