CB Response: AV Blocking Attempt by cb.exe to Modify the hosts File
Article ID: 288036
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
An AV product blocks an attempt by cb.exe (the CB Response sensor) to modify the Windows hosts file.
Environment
Carbon Black Response Sensor: 6.2.3 and above
Microsoft Windows: All Supported Versions
Cause
CB Response uses Server Name Indication (SNI) to achieve seamless certificate swapping. To support this on the endpoint, the CB Response Windows sensor must update the machine's hosts file, C:\Windows\System32\drivers\etc\hosts, a plain text file that maps hostnames to IP addresses.
Resolution
AV exclusions must be in place so that the AV does not block the sensor (cb.exe) from accessing this file; otherwise the sensor may lose communication with the server.
Depending on the AV product in use, additional exclusions may be needed to ignore this access; consult your AV administrator.
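The exclusion itself is vendor-specific. The following is an added example, not part of the original article, showing the equivalent for the built-in Microsoft Defender Antivirus: it checks whether a process exclusion for cb.exe already exists and adds one if not, so that files cb.exe opens (including the hosts file) are not scanned on access. The sensor path C:\Windows\CarbonBlack\cb.exe is an assumption based on the default install location; adjust it to match your deployment, and use your own AV's equivalent if you do not run Defender.

```powershell
# Added example (not from the original article): make sure Microsoft Defender
# Antivirus does not block the CB Response sensor from editing the hosts file.
# Assumption: the sensor binary is at the default path below; change it if
# your deployment differs. Run from an elevated PowerShell prompt.

$SensorExe = 'C:\Windows\CarbonBlack\cb.exe'

if (-not (Test-Path -LiteralPath $SensorExe)) {
    Write-Warning "Sensor binary not found at $SensorExe; verify the install path before adding an exclusion."
}

$pref = Get-MpPreference

# A process exclusion tells Defender not to scan files that this process opens,
# which is what the sensor needs when it rewrites the hosts file.
if ($pref.ExclusionProcess -notcontains $SensorExe) {
    Add-MpPreference -ExclusionProcess $SensorExe
    Write-Host "Added Defender process exclusion for $SensorExe"
} else {
    Write-Host "Defender process exclusion for $SensorExe is already present"
}

# Show the resulting exclusion list so the change can be confirmed.
(Get-MpPreference).ExclusionProcess
```

Note that a process exclusion only covers real-time scanning of files opened by cb.exe; if your AV has separate tamper-protection or "protected file" features that guard the hosts file, those need their own exception for the sensor.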
Additional Information
The CB Response sensor service must be allowed to open and edit this file. By default it has that permission, since it runs with administrative privileges. However, this also means that other security products (typically AVs or other monitoring tools) must not block the CB Response sensor from accessing this file. Proper exclusions may need to be put in place in those products to allow the CB Response Windows sensor to access the file. Failure to do so may result in loss of communication between sensors and the server.
The CB Response Windows sensor v6.2.3 assumes the hosts file (C:\Windows\System32\drivers\etc\hosts) is a plain ASCII text file. If the file has been edited with another editor or tool, ensure it is saved as ASCII. (In notepad.exe, choose "Save As..." and select "ANSI" as the encoding.)
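The most common way a hosts file stops being plain ASCII is an editor saving it with a UTF-8 or UTF-16 byte-order mark, or a comment containing a non-ASCII character. The following is an added example, not part of the original article or the sensor's own code, that checks the file for both problems. If the only issue is a BOM it strips it after taking a backup, since that is a lossless change; if real non-ASCII bytes are present it reports the offset and leaves the file for manual editing. It also lists the active entries so you can see which hostnames are currently mapped.

```powershell
# Added example (not from the original article): verify that the hosts file is
# plain ASCII, as the v6.2.3 sensor expects, and report or repair it.
# The only assumption is the standard hosts file location; the entry listing at
# the end is a simple sanity check, not the sensor's own parser.

$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"

function Test-HostsFileAscii {
    param([string]$Path = $HostsPath)

    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # Editors that save as "UTF-8" or "Unicode" usually prepend a byte-order mark;
    # any BOM already makes the file non-ASCII even if every character is plain.
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        return [pscustomobject]@{ Ascii = $false; Reason = 'UTF-8 BOM'; BomLength = 3 }
    }
    if ($bytes.Length -ge 2 -and (($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) -or ($bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF))) {
        return [pscustomobject]@{ Ascii = $false; Reason = 'UTF-16 BOM'; BomLength = 2 }
    }

    # Without a BOM, any byte above 0x7F (for example an accented character in a
    # comment) still makes the file non-ASCII.
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        if ($bytes[$i] -gt 0x7F) {
            $reason = 'Non-ASCII byte 0x{0:X2} at offset {1}' -f $bytes[$i], $i
            return [pscustomobject]@{ Ascii = $false; Reason = $reason; BomLength = 0 }
        }
    }
    return [pscustomobject]@{ Ascii = $true; Reason = 'Plain ASCII'; BomLength = 0 }
}

function Repair-HostsFileBom {
    param([string]$Path = $HostsPath)

    $result = Test-HostsFileAscii -Path $Path
    if ($result.Ascii) { Write-Host 'hosts file is already plain ASCII'; return }

    # A UTF-16 file needs transcoding, and a non-BOM non-ASCII byte needs a human
    # decision, so only the lossless case (UTF-8 BOM in front of ASCII text) is fixed here.
    if ($result.Reason -ne 'UTF-8 BOM') {
        Write-Warning "hosts file is not ASCII ($($result.Reason)); re-save it as ANSI manually."
        return
    }

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $body  = $bytes[$result.BomLength..($bytes.Length - 1)]
    if ($body | Where-Object { $_ -gt 0x7F }) {
        Write-Warning 'hosts file has a UTF-8 BOM and non-ASCII content; re-save it as ANSI manually.'
        return
    }

    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    [System.IO.File]::WriteAllBytes($Path, $body)
    Write-Host "Stripped UTF-8 BOM from hosts file (backup at $Path.bak)"
}

function Get-HostsEntries {
    param([string]$Path = $HostsPath)

    # Active lines are "<IP> <hostname> [<alias> ...]"; '#' starts a comment.
    foreach ($line in [System.IO.File]::ReadAllLines($Path)) {
        $clean = ($line -split '#', 2)[0].Trim()
        if (-not $clean) { continue }
        $fields = $clean -split '\s+'
        [pscustomobject]@{ IPAddress = $fields[0]; Hostnames = $fields[1..($fields.Length - 1)] }
    }
}

Test-HostsFileAscii
Repair-HostsFileBom
Get-HostsEntries | Format-Table -AutoSize
```

Run this from an elevated prompt, since the hosts file is writable only by administrators. If it reports a non-ASCII byte, open the file, remove or replace the offending character, and save it as ANSI as described above before restarting the sensor service.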