Cb Response: False Positive Alerts on Linking to Bad Domains


Article ID: 289949


Updated On:


Carbon Black EDR (formerly Cb Response)


False positive alerts fire on a netconn event whose destination address is benign, but the event is linked to a known bad domain.


  • Cb Response Server: All versions


This can happen when the customer has configured the DNS server to loop back bad domains to an IP address that other processes also connect to:


  • If process A connects to baddomain.com, a record for baddomain.com is stored in the DNS cache. When process B later connects to the same IP address, the sensor consults the DNS cache, finds that record, and links process B's netconn event to baddomain.com. A false positive alert then triggers on process B.
  • A possible workaround is to loop back bad domains to a different IP address that is rarely used by anything else.

Additional Information

  • The sensor only uses the WinDNS service (the operating system's DNS cache) on the Windows agent to do the lookup. It does not have its own cache, and it does not consult the hosts file or generate any broadcast or wire traffic (i.e., no nslookup-style query).
  • The DNS cache never flushes on its own unless you explicitly tell it to or make a DNS- or networking-related configuration change. Each DNS record carries a Time To Live (TTL) value that tells the cache how long that record is valid; records are kept for their TTL and then re-queried.
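The following PowerShell is an added example written for this article; it is not Carbon Black code. It inspects the same Windows resolver cache (WinDNS) that the sensor consults, using the built-in Get-DnsClientCache cmdlet, so an administrator can see which cached names share the sinkhole address from the cause described above and how long each record will linger (its TTL, as in the Additional Information bullets). The function names and the '<SINKHOLE-IP>' placeholder are assumptions for illustration; substitute the address your DNS server hands out for blocked domains.

```powershell
# Added example (not Carbon Black's code): list every record in the Windows
# DNS client cache that resolves to a given IP. If the address the customer
# loops bad domains back to is shared by several cached names, any netconn
# to that IP can be attributed to whichever cached name matches, which is
# the false-positive condition described in this article.
function Get-DnsCacheNamesForIP {
    param(
        [Parameter(Mandatory)]
        [string]$IPAddress
    )
    # Get-DnsClientCache reads the OS resolver cache (WinDNS), the same source
    # the sensor uses; it does not touch the hosts file or send wire traffic.
    Get-DnsClientCache |
        Where-Object { $_.RecordType -in 'A', 'AAAA' -and $_.Data -eq $IPAddress } |
        Select-Object Entry, RecordName, Data, TimeToLive
}

# Report whether an IP is shared by more than one cached name. A collision
# here means a netconn to that IP can be linked to a domain the connecting
# process never resolved.
function Test-DnsCacheCollision {
    param(
        [Parameter(Mandatory)]
        [string]$IPAddress
    )
    $names = @(Get-DnsCacheNamesForIP -IPAddress $IPAddress |
               Select-Object -ExpandProperty RecordName -Unique)
    [pscustomobject]@{
        IPAddress   = $IPAddress
        CachedNames = $names
        Collision   = ($names.Count -gt 1)
    }
}

# Usage: '<SINKHOLE-IP>' is a placeholder (assumed, not from the article);
# replace it with the address your DNS server returns for blocked domains.
Get-DnsCacheNamesForIP -IPAddress '<SINKHOLE-IP>' | Format-Table -AutoSize
Test-DnsCacheCollision -IPAddress '<SINKHOLE-IP>'

# Each record stays cached for its TTL (seconds shown in the TimeToLive
# column) unless the cache is flushed or a network configuration change
# clears it. To flush the cache by hand while testing a DNS change:
# Clear-DnsClientCache
```

Run this on an endpoint that raised the alert: if Test-DnsCacheCollision reports Collision = True for the sinkhole address, the bad-domain name is sharing that IP with other cached names, and moving the sinkhole to a dedicated, otherwise unused address (the workaround above) removes the ambiguity the sensor's IP-to-domain lookup relies on.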