
EDR: Why does the Windows Sensor Modify Hosts file?

Environment

  • EDR Windows Sensor:  6.2.4 and higher

Question

Why does the Windows sensor modify the C:\Windows\System32\drivers\etc\hosts file?


Answer

When EDR introduced the Sensor Group custom certificate function, the sensor needed to modify the Windows hosts file to include the custom certificate's SANs (Subject Alternative Names). The two SANs from the custom certificate are added to the Windows hosts file in order to provide the SNI (Server Name Indication) in the TLS communications.

[Image: custom certificate's SANs section]

Additional Notes

  • When the Cb sensor modifies the Windows hosts file, it first backs up the current hosts file to C:\Windows\CarbonBlack\hosts.backup. In the same directory, a hosts.new file is created that consists of the current Windows hosts file plus the two custom certificate SAN entries.
  • When custom certificates are used in the sensor's group, the Cb sensor makes two changes to the hosts file: a) the first custom cert's SAN name is associated with the Primary Server's IP address, and b) the second SAN name is associated with the IP address of the sensor's dedicated Minion (chosen from the Sensor ID and the number of minions). If the EDR server is standalone, the second SAN name is associated with the Primary IP address.
  • If non-EDR modifications are made to the C:\Windows\System32\drivers\etc\hosts file, the EDR Windows sensor recognizes the changes and updates the C:\Windows\CarbonBlack\hosts.backup file upon the next sensor stop or restart. The sensor also ensures that the EDR modifications remain intact in the hosts file and updates the C:\Windows\CarbonBlack\hosts.new file.
  • Originally, if legacy certificates were used in the sensor's group, the hosts file was not modified. As of the 7.4.1 EDR Windows sensor release, the hosts file is modified whether custom or legacy certificates are used.
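The following Python is an added illustration, not Carbon Black's code: it models how hosts.new is built from the current hosts file plus the two SAN entries (minion or primary, depending on whether the server is standalone), and adds an audit that compares a live hosts file against hosts.backup so an administrator can spot a SAN entry pointing at an unexpected address or an entry the sensor did not add. The hostnames and IP addresses are constructed placeholders.

```python
"""Model of the sensor's hosts-file handling described above, plus an audit helper.
Added example, not Carbon Black code; hostnames and IPs are constructed placeholders."""
import ipaddress
# Constructed sample data: a host's current hosts file and the two SANs of a custom cert.
CURRENT_HOSTS = "# constructed sample hosts file\n127.0.0.1\tlocalhost\n"
SANS = ("cb-primary.example.internal", "cb-minion.example.internal")
# A live hosts file in which the minion entry was redirected and a foreign entry added.
TAMPERED_HOSTS = (CURRENT_HOSTS
                  + "10.0.0.10\tcb-primary.example.internal\n"
                  + "192.0.2.99\tcb-minion.example.internal\n"
                  + "203.0.113.5\tupdate.example.internal\n")
def parse_hosts(text):
    """Return {hostname: ip} for every active mapping; the first mapping of a name wins."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # strip comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)                      # reject malformed entries early
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping

def expected_san_entries(sans, primary_ip, minion_ip=None):
    """SAN[0] -> primary server; SAN[1] -> dedicated minion, or primary on a standalone server."""
    first, second = sans
    return {first.lower(): primary_ip, second.lower(): minion_ip or primary_ip}

def build_hosts_new(current_hosts, sans, primary_ip, minion_ip=None):
    """hosts.new = the current hosts file with the two SAN entries appended."""
    entries = expected_san_entries(sans, primary_ip, minion_ip)
    added = "".join(f"{ip}\t{name}\n" for name, ip in entries.items())
    return current_hosts.rstrip("\n") + "\n" + added

def audit_hosts(live_text, backup_text, sans, primary_ip, minion_ip=None):
    """Flag SAN entries that are missing or point at an unexpected IP (sensor traffic
    would be misdirected) and names present in neither hosts.backup nor the SAN set."""
    live, backup = parse_hosts(live_text), parse_hosts(backup_text)
    expected = expected_san_entries(sans, primary_ip, minion_ip)
    missing = sorted(n for n in expected if n not in live)
    redirected = {n: live[n] for n, ip in expected.items() if n in live and live[n] != ip}
    unexpected = {n: ip for n, ip in live.items() if n not in backup and n not in expected}
    return {"missing": missing, "redirected": redirected, "unexpected": unexpected}

if __name__ == "__main__":
    print(build_hosts_new(CURRENT_HOSTS, SANS, "10.0.0.10", "10.0.0.11"))
    print(audit_hosts(TAMPERED_HOSTS, CURRENT_HOSTS, SANS, "10.0.0.10", "10.0.0.11"))
```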

Creation Date: 09-09-2020