CB Response: AV Blocking Attempt by cb.exe to Modify the hosts File


Article ID: 288036


Updated On:


Carbon Black EDR (formerly Cb Response)


AV Blocking attempt by cb.exe to modify the hosts File


  • Carbon Black Response Sensor: 6.2.3 and above
  • Microsoft Windows: All Supported Versions


CB Response uses Server Name Indication (SNI) to achieve seamless certificate swapping. On the endpoint side, the CB Response Windows sensor needs to update the machine’s hosts file to achieve this. The hosts file is located at C:\Windows\System32\drivers\etc\hosts and is a text file that maps IP addresses to hostnames.


AV exclusions must be in place so that other security products do not block the sensor from accessing this file, to avoid loss of communication.

Additional Information

  • The CB Response sensor service must be allowed to open and edit this file. By default, it has that permission since it is running as administrator. However, this also means that other security products (typically AVs or other monitoring tools) must not block the CB Response sensor from accessing this file. Proper exclusions may need to be put in place in other security products / AVs to allow the CB Response Windows sensor to access this file. Failure to do so may result in loss of communications between sensors and server.
  • The hosts file (C:\Windows\System32\drivers\etc\hosts) is assumed to be a plain ASCII text file by the CB Response Windows sensor v6.2.3. Please ensure that the file is saved as ASCII if it has been edited in another editor / tool. (In notepad.exe, choose “Save As…” and select “ANSI” as the encoding.)
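
One way to verify the ASCII requirement above on an endpoint is to inspect the raw bytes of the hosts file for a byte-order mark, NUL bytes, or bytes above 0x7F. This is an added example, not Carbon Black code; the function name `Test-HostsFileAscii` and the sample file name are assumptions made for illustration.

```powershell
# Added example. Test-HostsFileAscii is a hypothetical helper name, not a Carbon Black tool.
function Test-HostsFileAscii {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")

    # Read raw bytes so nothing decodes (and hides) the on-disk encoding.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # Byte-order marks left by editors that save as UTF-8 with BOM or UTF-16 ("Unicode").
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $problems.Add('UTF-8 byte-order mark at start of file')
    } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $problems.Add('UTF-16 LE byte-order mark at start of file')
    } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) {
        $problems.Add('UTF-16 BE byte-order mark at start of file')
    }

    # Flag the first NUL or non-7-bit byte on each line.
    $line = 1
    $flagged = @{}
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $b = $bytes[$i]
        if ($b -eq 0x0A) { $line++; continue }
        if (($b -eq 0x00 -or $b -gt 0x7F) -and -not $flagged.ContainsKey($line)) {
            $flagged[$line] = $true
            $problems.Add(('line {0}: byte 0x{1:X2} at offset {2} is not plain ASCII' -f $line, $b, $i))
        }
    }

    [pscustomobject]@{ Path = $full; IsAscii = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Constructed sample: one hosts entry saved as UTF-8 with a BOM.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'hosts-sample.txt'
[byte[]]$data = [byte[]](0xEF, 0xBB, 0xBF) + [System.Text.Encoding]::ASCII.GetBytes("127.0.0.1 localhost`r`n")
[System.IO.File]::WriteAllBytes($sample, $data)
Test-HostsFileAscii -Path $sample | Format-List

# The real file on this endpoint (default path, as given in the article).
Test-HostsFileAscii | Format-List
```

Reading the file does not require elevation, so the check can run from a standard user session or a remote management tool.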