KB45142 - Internet Check during HC for EDR products is removed to prevent false-positive scenarios.

This article explains why Internet Check during HC for EDR products is removed. 

Several of the AV solutions these days perform something called EDR checks which are essentially real-time checks (that need internet) to ensure that several aspects of security are met.

Please refer to https://www.crowdstrike.com/cybersecurity-101/endpoint-security/endpoint-detection-and-response-edr/ or similar products for more details on how EDRs work. 

During Host checks, whenever there is an EDR product involved, an internet check is performed by pinging general websites, and only if there is a ping response along with other configured policies succeeding, the HC will succeed and move to the next phase of the connection.

Due to several reasons, this general internet check can sometimes cause false positives for some or all users as listed below (But not limited to).

1.    ICMP is blocked on the end-points.
2.    Public firewall profile may not allow ICMP.
3.    Slow Internet connection can delay or result in ping failure causing connection issues.
4.    The period HC may fail as ICMP may not be allowed once the VPN connection is established (Firewall Profile).
5.    Public Websites may not be allowed via Full tunnels during Period Check.

Also, an Internet connection is a must for a VPN connection. 

In order to overcome all these false positives, we have removed this internet check dependency for Host checks on PCS/PPS/PDC products from 9.1R15 (Tentative for the 3rd week of April) and ESAP 3.9.9 (Tentative for the 4th week of April).

Note – 

1.    Both ESAP and Pulse products need to be updated for the solution to be effective. 
2.    It is presumed that admins allow access to various EDR sites on the endpoints to ensure that they get regular updates.
3.    EDR Sites are specific to AV vendors and got nothing to do with OPSWAT or Ivanti.