Certificate swapping on an endpoint running the Windows sensor requires that the sensor is able to update the system hosts file.
The hosts file is a text file that maps IP addresses to hostnames. The file is located at: C:\Windows\System32\drivers\etc\hosts.
To confirm that the hosts file can be updated successfully:
Check AV Exceptions -- The Carbon Black EDR sensor service must be allowed to open and edit the hosts file. By default, it has that permission since it is running as administrator. However, other security products (typically anti-virus products or other monitoring tools) must not block the Carbon Black EDR sensor from accessing the file. If necessary, add exclusions to other security products to allow the Carbon Black EDR Windows sensor to access the hosts file. Failure to do so can result in loss of communications between sensors and server.

Save the File in ASCII (Windows Sensor 6.2.3 and 6.2.4) -- For Windows sensor releases through version 6.2.4, the hosts file is assumed to be in ASCII encoding. If the sensor modifies an instance of the file that was saved with non-standard encoding, the file can become unreadable. If it has been saved in a different format, resave the file in ASCII. For example, in the Windows Notepad application, click Save As… and then select ANSI as the encoding.
See the post-6.2.4 sensor release notes to determine whether this requirement still applies.
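
Both checks above can be run from an elevated PowerShell prompt. The script below is an added example, not a Carbon Black tool; Test-HostsFile is a hypothetical helper name. It runs as the current user, so it cannot detect a product that blocks only the sensor service's process.

```powershell
# Added example: audit the hosts file for encoding and write access.
# Test-HostsFile is a hypothetical helper name, not part of Carbon Black EDR.
function Test-HostsFile {
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts"
    )

    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # A byte-order mark means the file was saved as Unicode, not ASCII.
    $bom = 'none'
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $bom = 'UTF-8'
    } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $bom = 'UTF-16 LE'
    } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) {
        $bom = 'UTF-16 BE'
    }

    # Pure ASCII: no byte >= 0x80 and no NUL bytes (NULs suggest BOM-less UTF-16).
    $nonAscii = @($bytes | Where-Object { $_ -ge 0x80 -or $_ -eq 0 }).Count

    # Open for read/write without writing anything, to surface a permission
    # problem or a block by another security product.
    $writable = $false
    $openError = $null
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::ReadWrite)
        $fs.Dispose()
        $writable = $true
    } catch {
        $openError = $_.Exception.Message
    }

    [pscustomobject]@{
        Path          = $Path
        Bom           = $bom
        NonAsciiBytes = $nonAscii
        IsAscii       = ($bom -eq 'none' -and $nonAscii -eq 0)
        Writable      = $writable
        OpenError     = $openError
    }
}

Test-HostsFile | Format-List
```

If IsAscii is False, resave the file as described above before the sensor next modifies it. If Writable is False, review OpenError and the exclusions configured in other security products.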