EDR: Why is the hosts file being modified when using legacy certificates?
Article ID: 288582
Products
Carbon Black EDR (formerly Cb Response)
Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
cb.exe is modifying the C:\Windows\System32\drivers\etc\hosts file.
This occurs regardless of whether legacy or custom certificates are being used.
Environment
EDR Windows sensor: 7.4.1
Microsoft Windows: All Supported Versions
Resolution
With the IPv6 support added in the 7.4 EDR Windows sensor release, the sensor now modifies the hosts file whether custom or legacy certificates are used.
Additional Information
If this behavior should change, customer feedback is needed. Please submit this change request via Voice of the Customer.