Environment
- EDR Windows Sensor: 6.2.4 and higher
Question
Why does the Windows sensor modify the C:\Windows\System32\drivers\etc\hosts file?
Answer
When EDR introduced the Sensor Group custom certificate function, the sensor needed to modify the Windows hosts file to include the custom certificate's SANs (Subject Alternative Names). The two SANs from the custom certificate are added to the Windows hosts file so that the sensor can supply the SNI (Server Name Indication) value in its TLS communications with the server.
(Attached image: custom certificate's SANs section)
Additional Notes
- When the Cb sensor modifies the Windows hosts file, it first backs up the current hosts file to C:\Windows\CarbonBlack\hosts.backup. In the same directory, a hosts.new file is created that consists of the current Windows hosts file plus the two custom certificate SAN entries.
- When custom certificates are used in the sensor's group, the Cb sensor makes two changes to the hosts file: a) the first custom cert's SAN name is associated with the Primary Server's IP address, and b) the second SAN name is associated with the IP address of the sensor's dedicated Minion (based on Sensor ID/# of minions). If the EDR server is standalone, the second SAN name is associated with the Primary IP address.
- If non-EDR modifications are made to the C:\Windows\System32\drivers\etc\hosts file, the EDR Windows sensor recognizes the changes and updates the C:\Windows\CarbonBlack\hosts.backup file upon the next sensor stop or restart. The sensor also ensures that the EDR modifications remain intact in the hosts file and updates the C:\Windows\CarbonBlack\hosts.new file.
- Originally if legacy certificates were used in the sensor's group, the hosts file was not modified. As of the 7.4.1 EDR Windows sensor release, the hosts file will be modified whether custom or legacy certificates are used.
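As an added example (not from this article or from the EDR sensor itself), the check below compares a live hosts file against the sensor's hosts.backup copy and confirms that the only differences are the two SAN entries described above, pointing at the expected Primary and Minion addresses. The SAN names, IP addresses and file contents are constructed placeholders, not values from the article.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample files (not real sensor output): hosts.backup is the pre-EDR copy,
# and the live hosts file carries the two SAN entries the sensor is expected to add.
HOSTS_BACKUP = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        fileserver.corp.local   # internal share
"""
HOSTS_CURRENT = HOSTS_BACKUP + """203.0.113.10    cb-primary.example.internal
203.0.113.11    cb-minion.example.internal
"""

def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname to its IP, skipping blank lines and '#' comments.
    The first mapping for a name is kept, matching the resolver's first-match rule."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)  # raise on a malformed address instead of silently skipping it
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping

def sensor_additions(current: str, backup: str) -> Dict[str, str]:
    """Name->IP pairs present in the live hosts file but not in hosts.backup."""
    cur, old = parse_hosts(current), parse_hosts(backup)
    return {name: ip for name, ip in cur.items() if old.get(name) != ip}

def verify_san_entries(current: str, backup: str, sans: Tuple[str, str],
                       primary_ip: str, minion_ip: str, standalone: bool = False) -> List[str]:
    """Return findings; an empty list means the hosts file matches the expected EDR state.
    sans[0] must map to the Primary, sans[1] to the Minion (or the Primary when standalone)."""
    findings: List[str] = []
    added = sensor_additions(current, backup)
    expected = {sans[0].lower(): primary_ip,
                sans[1].lower(): primary_ip if standalone else minion_ip}
    for name, ip in expected.items():
        if name not in added:
            findings.append(f"missing EDR entry for {name}")
        elif added[name] != ip:
            findings.append(f"{name} points to {added[name]}, expected {ip}")
    for name, ip in added.items():  # anything else added since the backup deserves a look
        if name not in expected:
            findings.append(f"unexpected entry added since backup: {ip} {name}")
    return findings
```

Run it against the real C:\Windows\System32\drivers\etc\hosts and C:\Windows\CarbonBlack\hosts.backup by reading both files into the two string arguments; any finding is worth reconciling with the sensor group's certificate settings before assuming the change is benign.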
Related Content