Cb Response: False Positive Alerts on 127.0.0.1 Linking to Bad Domains

Article ID: 289949


Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Alerts fire on a network connection (netconn) event whose destination is 127.0.0.1, but the event shows the destination domain as a known-bad domain, producing a false positive.

Environment

  • Cb Response Server: All versions

Cause

This occurs when the customer's DNS server is configured to sinkhole known-bad domains by resolving them to 127.0.0.1 (the loopback address).

Resolution

  • Process A resolves baddomain.com; the sinkholing DNS server answers 127.0.0.1, and the Windows DNS client caches the record baddomain.com -> 127.0.0.1. Later, process B opens a connection to 127.0.0.1 for an unrelated reason. To attribute a domain to the netconn, the sensor looks up the destination IP in the DNS cache, finds baddomain.com, and links the event to that domain. The watchlist or feed hit then fires on process B, which never contacted the bad domain.
  • A possible workaround is to sinkhole bad domains to a different IP address that processes on the endpoint do not otherwise connect to. 127.0.0.1 is a poor choice because many legitimate local services communicate over loopback; any address shared between sinkholed names and legitimate traffic will produce the same misattribution.

Additional Information

  • The Windows sensor uses only the Windows DNS Client service cache (the operating system's DNS cache) to map a destination IP address to a domain name; it keeps no cache of its own. It does not consult the hosts file and generates no broadcast or on-the-wire queries (for example, it never performs an nslookup-style lookup).
  • The DNS cache is not flushed unless you do so explicitly (for example with ipconfig /flushdns) or make a DNS or networking configuration change. Each DNS record carries a Time To Live (TTL) value that tells the cache how long the record is valid; an entry stays in the cache until its TTL expires and is re-queried on the next lookup. A sinkholed record with a long TTL therefore keeps linking loopback connections to the bad domain for the whole TTL.
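As an added example (not part of this article or of the Carbon Black product), the following PowerShell lists the names that the Windows DNS client cache currently maps to a given IP. It lets you confirm the misattribution described under Resolution (several names, including a sinkholed one, mapped to 127.0.0.1) and check that a candidate sinkhole address is not already shared with other cached names before you switch to it. It uses the DnsClient module cmdlets Get-DnsClientCache and Clear-DnsClientCache; the sinkhole address 192.0.2.1 is an assumed placeholder (RFC 5737 TEST-NET-1), not a recommendation from the article.

```powershell
# Added example, not from the Carbon Black KB article.
# Inspect the Windows DNS client cache that the sensor consults and list every
# cached name currently mapped to a given IP address. If more than one name maps
# to the address, any process that connects to that address may be attributed
# to one of those names.
# Assumes Windows 8 / Server 2012 or later (DnsClient module). Reading the cache
# needs no elevation; Clear-DnsClientCache needs an elevated prompt.

function Get-NamesForCachedIp {
    param(
        [Parameter(Mandatory)][string]$IpAddress
    )
    # For A/AAAA records, Data holds the resolved address as a string.
    # CNAME records carry a target name in Data and so never match an IP.
    Get-DnsClientCache |
        Where-Object { $_.Data -eq $IpAddress } |
        Select-Object Entry, Data, TimeToLive
}

# 1. Which cached names currently map to the loopback address?
$loopback = @(Get-NamesForCachedIp -IpAddress '127.0.0.1')
$loopback | Format-Table -AutoSize

if ($loopback.Count -gt 0) {
    Write-Warning ("{0} cached name(s) resolve to 127.0.0.1; a netconn to 127.0.0.1 may be linked to: {1}" -f
        $loopback.Count, ($loopback.Entry -join ', '))
}

# 2. Check the sinkhole address you plan to use instead (assumed placeholder value).
$sinkhole = '192.0.2.1'
$collisions = @(Get-NamesForCachedIp -IpAddress $sinkhole)
if ($collisions.Count -eq 0) {
    "No cached names map to $sinkhole; nothing in the current cache would be misattributed to it."
} else {
    Write-Warning ("{0} is already cached for: {1}" -f $sinkhole, ($collisions.Entry -join ', '))
}

# 3. After repointing the sinkhole on the DNS server, clear the client cache so
#    stale baddomain.com -> 127.0.0.1 records stop influencing attribution until
#    their TTL would otherwise have expired. Uncomment in an elevated prompt.
# Clear-DnsClientCache
```

The same cache can be viewed with ipconfig /displaydns; the function above simply filters it by address so that the TimeToLive column shows how long a stale sinkhole record will keep affecting attribution if the cache is not flushed.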