AV Blocking Attempt by cb.exe to Modify the hosts File

Article ID: 288036


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Antivirus software blocks cb.exe (the EDR Windows sensor) when it attempts to modify the hosts file.

Environment

  • Carbon Black Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

  • EDR uses Server Name Indication (SNI) to achieve seamless certificate swapping.
  • On the endpoint side, the sensor needs to update the machine's hosts file to achieve this.
  • The hosts file is located at C:\Windows\System32\drivers\etc\hosts and is a plain text file that maps IP addresses to hostnames.

Resolution

AV exclusions must be in place so that the sensor is not blocked from accessing this file; otherwise communication between the sensor and the server may be lost.

Additional Information

  • The sensor service must be allowed to open and edit this file. By default it has that permission, since it runs as administrator. However, this also means that other security products (typically AVs or other monitoring tools) must not block the sensor from accessing this file. Proper exclusions may need to be configured in those security products / AVs to allow the EDR Windows sensor to access this file. Failure to do so may result in loss of communications between sensors and the server.
  • The hosts file (C:\Windows\System32\drivers\etc\hosts) is assumed to be a plain ASCII text file by the EDR Windows sensor. Please ensure that the file is properly saved in ASCII if it has been edited in another editor / tool. (In notepad.exe, choose “Save As…” and select “ANSI” as the encoding.)
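The encoding requirement above is easy to break silently: an editor that re-saves the file as UTF-8 with a BOM or as UTF-16 leaves the file looking normal while the sensor no longer reads it as plain ASCII. The following Python check (an added example, not Carbon Black code) reads the hosts file as raw bytes, flags BOMs and non-ASCII bytes, and lists the address-to-hostname entries it does parse. The sample file contents and the `example-cb-server.internal` hostname are constructed; point `check_hosts_file` at the real path on an endpoint, or at a copy of the file.

```python
"""Verify that a Windows hosts file is plain ASCII, as the EDR sensor expects."""
from pathlib import Path

# Location named in the article; only used when check_hosts_file() is called.
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Byte-order marks written by editors that "helpfully" save as Unicode.
BOMS = {
    b"\xef\xbb\xbf": "UTF-8 BOM",
    b"\xff\xfe": "UTF-16 LE BOM",
    b"\xfe\xff": "UTF-16 BE BOM",
}


def check_hosts_bytes(data: bytes) -> dict:
    """Return encoding problems and parsed (address, hostnames) entries for raw hosts-file bytes."""
    problems = []
    skipped = 0
    for bom, name in BOMS.items():
        if data.startswith(bom):
            problems.append(f"file starts with a {name}; re-save as ANSI/ASCII")
            skipped = len(bom)
            data = data[skipped:]  # strip it so the entries below still parse
            break
    # Any byte >= 0x80 is outside 7-bit ASCII; NUL bytes indicate UTF-16 without a BOM.
    bad = [i + skipped for i, b in enumerate(data) if b >= 0x80 or b == 0]
    if bad:
        problems.append(f"{len(bad)} non-ASCII byte(s), first at byte offset {bad[0]}")
    entries = []
    for lineno, line in enumerate(data.decode("ascii", errors="replace").splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            problems.append(f"line {lineno}: address without a hostname")
            continue
        entries.append((parts[0], parts[1:]))
    return {"ok": not problems, "problems": problems, "entries": entries}


def check_hosts_file(path: Path = HOSTS_PATH) -> dict:
    """Run the check against a hosts file on disk."""
    return check_hosts_bytes(path.read_bytes())


# Constructed samples: the "bad" file was re-saved as UTF-8 with a BOM and has a non-ASCII comment.
SAMPLE_BAD = b"\xef\xbb\xbf127.0.0.1 localhost\n# caf\xc3\xa9\n10.0.0.5 example-cb-server.internal\n"
SAMPLE_GOOD = b"127.0.0.1 localhost\n10.0.0.5 example-cb-server.internal\n"

if __name__ == "__main__":
    for name, data in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, check_hosts_bytes(data))
```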