Issue
The Carbon Black EDR Sensor overwrites the Windows Hosts file with <CR> (Carriage Return and/or Newline whitespace).
Environment
VMware Carbon Black EDR (Response)
Resolution
If you need custom entries in your Windows Hosts file, enter them in C:\Windows\CarbonBlack\hosts.new so that they are published to the local Windows Hosts file (C:\Windows\System32\drivers\etc\hosts).
Cause
Starting with Carbon Black EDR Sensor version 6.2.4+, Carbon Black introduced a custom certificate function. To make the custom certificate function work, the sensor copies the local Hosts file to C:\Windows\CarbonBlack\hosts.backup, then modifies it by adding <CR> (Carriage Returns), and also saves a copy of the changes to C:\Windows\CarbonBlack\hosts.new.
Every time the sensor restarts, it reverts the Hosts file to C:\Windows\CarbonBlack\hosts.new.
Here is the Carbon Black help article that describes this functionality: https://community.carbonblack.com/t5/Knowledge-Base/EDR-Why-does-Response-Sensor-Modify-Hosts-file/ta-p/88033
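One way to find Hosts entries that a sensor restart would drop, as an added example that is not Carbon Black's own tooling: the script compares the live Hosts file with C:\Windows\CarbonBlack\hosts.new and, with the hypothetical -Append switch, copies the missing entries across. It assumes an elevated PowerShell session and the paths named in this article; the function, parameter and backup-file names are illustrative.

```powershell
# Added example: report Hosts entries that are missing from the sensor's copy.
# Paths are the ones named in this article; run from an elevated prompt.
param(
    [string]$LiveHosts   = 'C:\Windows\System32\drivers\etc\hosts',
    [string]$SensorHosts = 'C:\Windows\CarbonBlack\hosts.new',
    [switch]$Append      # hypothetical switch: copy missing entries into the sensor file
)

function Get-HostsEntry {
    param([string]$Path)
    # Emit normalized "address name" pairs, ignoring comments and blank lines.
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        $text = ($line -split '#', 2)[0].Trim()
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }   # malformed line: address without a name
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            '{0} {1}' -f $fields[0], $name.ToLowerInvariant()
        }
    }
}

$live   = @(Get-HostsEntry -Path $LiveHosts)
$sensor = @(Get-HostsEntry -Path $SensorHosts)

# Entries only in the live file are the ones a revert to hosts.new would drop.
$missing = @($live | Where-Object { $sensor -notcontains $_ })
# Entries only in the sensor file show up in the live file after a revert.
$pending = @($sensor | Where-Object { $live -notcontains $_ })

$missing | ForEach-Object { Write-Output "MISSING from hosts.new: $_" }
$pending | ForEach-Object { Write-Output "PENDING in hosts.new:   $_" }

if ($Append -and $missing.Count -gt 0) {
    # Keep a copy before editing so the change can be reviewed or rolled back.
    Copy-Item -LiteralPath $SensorHosts -Destination "$SensorHosts.pre-edit" -Force
    # The leading empty string guarantees the first entry starts on its own line.
    Add-Content -LiteralPath $SensorHosts -Value (@('') + $missing) -Encoding Ascii
    Write-Output "Appended $($missing.Count) entries to $SensorHosts"
}
```

Without -Append the script only reports. Review the MISSING list before appending, because every entry copied into hosts.new is re-applied to the live Hosts file on each sensor restart.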