EDR: Is the cb.exe process supposed to update the hosts file on a Windows OS endpoint?

Article ID: 286293

Updated On: 01-24-2024

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Is the cb.exe process supposed to update the hosts file on a Windows OS endpoint?

Environment

  • EDR Windows Sensor: Version 6.2.4 and higher

Resolution

Yes, when custom certificates are associated with the sensor's group. By default, the cb.exe process has the rights to update the C:\Windows\System32\Drivers\etc\hosts file. The two SANs (Subject Alternative Names) from the custom certificate must be present in the Windows hosts file, because they are used as the SNI (Server Name Indication) in the sensor-to-server TLS communication.

Example of hosts file with legacy certificates (hosts file is not changed):
(screenshot not reproduced)

Example of hosts file using custom certificates:
(screenshot not reproduced)
On a standalone EDR server using custom certificates, the IP addresses of both entries match that of the Primary server.

Custom certificate's SANs section:
(screenshot not reproduced)

Additional Information

  • If an EDR sensor group uses custom certificates, the EDR Windows sensor modifies the C:\Windows\System32\Drivers\etc\hosts file to include the SAN information. The hosts file can therefore be modified during a sensor install, upgrade or uninstall, when the sensor service starts, or when the group's custom certificate is modified.
  • When the Cb sensor modifies the Windows hosts file, the sensor backs up the current hosts file to C:\Windows\CarbonBlack\hosts.backup. In the same directory, a hosts.new file is created, consisting of the current hosts file plus the two custom certificate SAN entries.
  • If custom certificates are used in the sensor's group, the Cb sensor adds two entries to the hosts file: a) the first custom certificate's SAN name, associated with the Primary server's IP address, and b) the second SAN name, associated with the IP address of the sensor's dedicated Minion (based on the Sensor ID and the number of minions).
  • If non-EDR updates are made to the hosts file, the EDR server recognizes the change and updates the hosts.backup file. This should only occur when the sensor is stopped or restarted. At that time, the sensor confirms that the EDR lines remain intact and creates an updated hosts.new file.
  • Originally, if legacy certificates were used in the sensor's group, the hosts file was not modified. As of the 7.4.1 EDR Windows sensor, the hosts file is modified whether custom or legacy certificates are used.
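A way to confirm that the only changes to the hosts file are the ones described above, as an added example that is not Carbon Black's own code: it parses the live hosts file together with hosts.backup and hosts.new, treats additions whose hostname is one of the certificate SANs as the expected sensor change, and reports any other addition or removal for review. The SAN names, IP addresses and file contents below are constructed placeholders, and the expected SAN names are assumed to be supplied by the administrator from the group's certificate.

```python
from pathlib import Path

# Paths named in this article (assumed to be collected copies or live endpoint files)
HOSTS_PATH = r"C:\Windows\System32\Drivers\etc\hosts"
BACKUP_PATH = r"C:\Windows\CarbonBlack\hosts.backup"
NEW_PATH = r"C:\Windows\CarbonBlack\hosts.new"

def parse_hosts(text):
    """Return the set of (ip, hostname) pairs in a hosts file, ignoring comments."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        entries.update((ip, name.lower()) for name in names)
    return entries

def audit_hosts(hosts_text, backup_text, new_text, expected_sans):
    """Diff the live hosts file against hosts.backup and classify the additions.

    Additions whose hostname is one of the certificate SANs are the expected
    sensor change; anything else added or removed is reported for review."""
    live, backup, new = (parse_hosts(t) for t in (hosts_text, backup_text, new_text))
    expected = {san.lower() for san in expected_sans}
    added = live - backup
    san_entries = {e for e in added if e[1] in expected}
    return {
        "san_entries": sorted(san_entries),
        "unexpected_additions": sorted(added - san_entries),
        "removed_entries": sorted(backup - live),
        "missing_sans": sorted(expected - {name for _, name in san_entries}),
        "live_matches_hosts_new": live == new,
    }

def audit_endpoint(expected_sans):
    """Run the audit on the files at the paths above (requires read access)."""
    texts = [Path(p).read_text(encoding="utf-8", errors="replace")
             for p in (HOSTS_PATH, BACKUP_PATH, NEW_PATH)]
    return audit_hosts(*texts, expected_sans)

# Constructed sample data: placeholder SAN names and IPs, not real values
SAMPLE_SANS = ["cb-primary.example.internal", "cb-minion.example.internal"]
SAMPLE_BACKUP = "# Copyright (c) 1993-2009 Microsoft Corp.\n127.0.0.1 localhost\n"
SAMPLE_NEW = SAMPLE_BACKUP + ("10.0.0.5 cb-primary.example.internal\n"
                              "10.0.0.6 cb-minion.example.internal\n")

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_NEW, SAMPLE_BACKUP, SAMPLE_NEW, SAMPLE_SANS))
```

Any entry in unexpected_additions, or a live file that no longer matches hosts.new, was not written by the sensor as this article describes and warrants a closer look.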