EDR: Why does the Windows Sensor Modify Hosts file?

Article ID: 286312

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Why does the Windows sensor modify the C:\Windows\System32\drivers\etc\hosts file?

Environment

  • EDR Windows Sensor: 6.2.4 and higher

Resolution

When EDR introduced the Sensor Group custom certificate function, the sensor needed to modify the Windows hosts file to include the custom certificate's SANs (Subject Alternative Names). The two SANs from the custom certificate are added to the Windows hosts file so that the sensor can present them as the SNI (Server Name Indication) in its TLS communications with the server.
Custom certificate's SANs section: (screenshot of the certificate's Subject Alternative Name field; image not preserved)

Additional Information

  • When the Cb sensor modifies the Windows hosts file, the sensor backs up the current hosts file to C:\Windows\CarbonBlack\hosts.backup. In the same directory, a hosts.new file is created, which consists of the current Windows hosts file plus the two custom certificate SAN entries.
  • When custom certificates are used in the sensor's group, the Cb sensor adds two entries to the hosts file: a) the first custom cert's SAN name is associated with the Primary Server's IP address, and b) the second SAN name is associated with the sensor's dedicated Minion's IP address (based on Sensor ID / number of minions). If the EDR server is standalone, the second SAN name is associated with the Primary IP address.
  • If non-EDR modifications are made to the C:\Windows\System32\drivers\etc\hosts file, the EDR Windows sensor recognizes the changes and updates the C:\Windows\CarbonBlack\hosts.backup file upon the next sensor stop or restart. The sensor also ensures the EDR modifications remain intact in the hosts file and updates the C:\Windows\CarbonBlack\hosts.new file.
  • Originally if legacy certificates were used in the sensor's group, the hosts file was not modified. As of the 7.4.1 EDR Windows sensor release, the hosts file will be modified whether custom or legacy certificates are used.
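For an administrator or analyst who wants to see exactly which hosts entries the sensor owns on a given endpoint, and whether the live hosts file still carries them, the following script compares the three files named in this article (hosts.backup, hosts.new and the live hosts file). It is an added example written for this article, not Carbon Black code; the file contents, SAN hostnames and IP addresses embedded below are constructed placeholders, and the sensor's real SAN names and server IPs would be read from the files on the endpoint instead.

```python
r"""Compare a Windows hosts file against the EDR sensor's backup and staged copies.

Added example (not Carbon Black code). File roles follow the article:
  C:\Windows\System32\drivers\etc\hosts   - live hosts file
  C:\Windows\CarbonBlack\hosts.backup     - sensor's copy of the pre-existing content
  C:\Windows\CarbonBlack\hosts.new        - hosts.backup plus the two SAN entries
All sample contents, hostnames and IPs below are constructed placeholders.
"""
from pathlib import Path
from typing import Dict, Tuple

# Constructed sample files (placeholders; not real sensor output).
HOSTS_BACKUP = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
10.0.0.5    fileserver.corp.example
"""
HOSTS_NEW = HOSTS_BACKUP + """192.0.2.10  edr-primary.example
192.0.2.11  edr-minion.example
"""
# Live file where one sensor entry has been lost and a local entry was added.
HOSTS_LIVE = """10.0.0.5    fileserver.corp.example
192.0.2.10  edr-primary.example
10.0.0.9    jumpbox.corp.example
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname to its IP, ignoring comments and blank lines.

    If a name appears more than once, the first entry is kept.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def sensor_entries(backup: str, new: str) -> Dict[str, str]:
    """Return the entries the sensor added: in hosts.new but not in hosts.backup."""
    before, after = parse_hosts(backup), parse_hosts(new)
    return {name: ip for name, ip in after.items() if before.get(name) != ip}


def check_live_hosts(live: str, backup: str, new: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Classify the live hosts file against the sensor's copies.

    Returns (missing, foreign):
      missing - sensor SAN entries that the live file lacks or maps to a different IP
      foreign - live entries found in neither hosts.backup nor hosts.new; these are
                local changes the sensor will absorb into hosts.backup on its next
                stop/restart, and are worth reviewing if nobody expects them.
    """
    live_map = parse_hosts(live)
    expected = sensor_entries(backup, new)
    known = {**parse_hosts(backup), **parse_hosts(new)}
    missing = {n: ip for n, ip in expected.items() if live_map.get(n) != ip}
    foreign = {n: ip for n, ip in live_map.items() if known.get(n) != ip}
    return missing, foreign


def check_endpoint(windows_root: Path = Path(r"C:\Windows")) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Run the comparison against the real files on a Windows endpoint."""
    live = (windows_root / "System32" / "drivers" / "etc" / "hosts").read_text()
    backup = (windows_root / "CarbonBlack" / "hosts.backup").read_text()
    new = (windows_root / "CarbonBlack" / "hosts.new").read_text()
    return check_live_hosts(live, backup, new)


if __name__ == "__main__":
    # Demonstrate on the constructed samples; use check_endpoint() on a real host.
    print("sensor-owned entries:", sensor_entries(HOSTS_BACKUP, HOSTS_NEW))
    missing, foreign = check_live_hosts(HOSTS_LIVE, HOSTS_BACKUP, HOSTS_NEW)
    print("missing sensor entries:", missing)
    print("entries unknown to the sensor:", foreign)
```

Because the sensor rewrites hosts.backup whenever it sees local edits, the "foreign" set is only meaningful between sensor restarts; on a host where hosts.backup was refreshed after a change, the changed entry will already look "known". Comparing hosts.backup against an earlier copy kept elsewhere (or a change-monitoring baseline) is the way to catch edits that predate the last restart.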