
EDR: Is the cb.exe process supposed to update the hosts file on a Windows OS endpoint?

Environment

  • EDR Windows Sensor: Version 6.2.4 and higher

Question

Is the cb.exe process supposed to update the hosts file on a Windows OS endpoint?

Answer

Yes, when custom certificates are associated with the sensor's group. By default, the cb.exe process has the rights and ability to update the C:\Windows\System32\Drivers\etc\hosts file. The two SANs (Subject Alternative Names) from the custom certificate must be present in the Windows hosts file, because they are used as the SNI (Server Name Indication) in the sensor-to-server TLS communications.

Example of hosts file with legacy certificates (hosts file is not changed):

Example of hosts file using custom certificates:
On a standalone EDR server using custom certificates, the IP addresses match that of the Primary server.

Custom certificate's SANs section:

Additional Notes

  • If an EDR sensor group uses custom certificates, the EDR Windows sensor modifies the C:\Windows\System32\Drivers\etc\hosts file to include the SAN information. Therefore, the hosts file can be modified during a sensor install, upgrade, or uninstall, when the sensor service starts, or when the group's custom certificate is modified.
  • When the Cb sensor modifies the Windows hosts file, it first backs up the current hosts file to C:\Windows\CarbonBlack\hosts.backup. In the same directory, a hosts.new file is created, consisting of the current hosts file plus the two custom certificate SAN entries.
  • If custom certificates are used in the sensor's group, the Cb sensor adds two entries to the hosts file: a) the first custom certificate SAN name, mapped to the Primary Server's IP address, and b) the second SAN name, mapped to the IP address of the sensor's dedicated Minion (selected based on the Sensor ID and the number of minions).
  • If non-EDR changes are made to the hosts file, the EDR server recognizes the change and updates the hosts.backup file. This should only occur when the sensor is stopped or restarted. At that time, the sensor confirms the EDR lines remain intact and creates an updated hosts.new file.
  • Originally, if legacy certificates were used in the sensor's group, the hosts file was not modified. As of the 7.4.1 EDR Windows sensor, the hosts file is modified whether custom or legacy certificates are used.
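Because the sensor keeps a pre-modification copy at hosts.backup, an administrator can audit which hosts entries the sensor added and whether anything else changed. The following script is an added example, not Carbon Black code: it assumes the operator supplies the two SAN names from the group's custom certificate, and the sample hosts data is constructed with placeholder names and documentation IP ranges.

```python
"""Audit a Windows hosts file against the EDR sensor's hosts.backup copy."""
from pathlib import Path

# Paths named in the article; used only when the script is run on an endpoint.
HOSTS_PATH = Path(r"C:\Windows\System32\Drivers\etc\hosts")
BACKUP_PATH = Path(r"C:\Windows\CarbonBlack\hosts.backup")


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, skipping comments and blanks."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def audit_hosts(current_text, backup_text, expected_sans):
    """Classify entries present in the current hosts file but not in the backup.

    edr_entries: added names that match the certificate SANs (expected).
    missing_sans: SAN names the sensor should have written but are absent.
    unexpected: added or changed names that are not SANs (review these).
    """
    current, backup = parse_hosts(current_text), parse_hosts(backup_text)
    added = {n: ip for n, ip in current.items() if backup.get(n) != ip}
    expected = {n.lower() for n in expected_sans}
    return {
        "edr_entries": {n: ip for n, ip in added.items() if n in expected},
        "missing_sans": sorted(expected - set(current)),
        "unexpected": {n: ip for n, ip in added.items() if n not in expected},
    }


# Constructed sample data: placeholder SAN names, RFC 5737 documentation IPs.
SAMPLE_BACKUP = "127.0.0.1 localhost\n# local comment\n"
SAMPLE_HOSTS = (SAMPLE_BACKUP
                + "192.0.2.10 edr-primary.example\n"   # first SAN -> Primary
                + "192.0.2.11 edr-minion.example\n"    # second SAN -> Minion
                + "198.51.100.5 updates.example\n")    # not added by the sensor
SAMPLE_SANS = ["edr-primary.example", "edr-minion.example"]

if __name__ == "__main__":
    if HOSTS_PATH.exists() and BACKUP_PATH.exists():
        print(audit_hosts(HOSTS_PATH.read_text(), BACKUP_PATH.read_text(), SAMPLE_SANS))
    else:  # offline demonstration on the constructed sample
        print(audit_hosts(SAMPLE_HOSTS, SAMPLE_BACKUP, SAMPLE_SANS))
```

Replace SAMPLE_SANS with the SAN names from the group's certificate; any name in "unexpected" was not written by the sensor and deserves a look.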

Article Information

Creation Date: 09-09-2020