Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: 1.0.7.x and higher
- Microsoft Windows: All Supported Versions
- Mac OS: All Supported Versions
Question
What Policy Permissions rule Operations fall under Bypass and API Bypass?
Answer
When adding a Permissions rule to Bypass operations of a given application, there are two choices: “Performs any operation” or “Performs any API operation”.
- Performs any operation - the Sensor bypasses policy enforcement for all of the operations listed below. If interoperability issues persist with API bypass, this option allows bypass of all network, file, and API operations for the specified application without placing the Sensor itself in full bypass. This type of Permissions rule is inherited by child processes and should be used very sparingly.
- Performs any API operation - the Sensor bypasses policy enforcement only for the operations that fall under the API category. Ideally this option is tested first, before selecting “Performs any operation” Bypass, because it bypasses only API operations for the specified application while the Sensor keeps visibility into network and file operations.
| Policy Operations | Network | File | API |
|---|---|---|---|
| Communicates over the network | X | | |
| Runs or is running | | X | |
| Invokes a command interpreter | | X | |
| Executes a fileless script | | X | |
| Scrapes memory of another process | | | X |
| Executes code from memory | | | X |
| Injects code or modifies memory of another process | | | X |
| Performs ransomware-like behavior: modification of hidden files | | X | |
| | | X | |
| | | | X |
Additional Notes
- Permissions rules where the Action is Bypass are essentially security holes: there is no visibility into what the specified application does in the specified path.
- Best practice is to keep these paths as specific as possible, to avoid opening too large a hole and reducing the overall security posture of the selected Policy and every endpoint in it.
- Because Permissions rules with 'Performs any operation' are inherited by the process tree of the listed process, it is critical not to list system processes or files that launch many other processes (winlogon.exe, svchost.exe, etc.).
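The following script works through the operation table and the notes above for a candidate Bypass rule: it lists which operations each Bypass choice stops enforcing, which ones the Sensor still sees, and flags rules that widen the hole (wildcard paths, 'Performs any operation' on a process that launches many others). This is an added example, not code from the article or from Carbon Black; the rule dictionaries, function names and sample paths are constructed for illustration and are not the Carbon Black Cloud console or API schema.

```python
"""Review constructed Bypass permissions rules against the article's operation table.

Added example. The rule dictionaries and function names are constructed for
illustration; they are not the Carbon Black Cloud console or API schema.
"""

# Operation -> category, copied from the article's table. The two
# ransomware-like sub-operations whose names are missing from the table
# are left out rather than guessed.
OPERATION_CATEGORY = {
    "Communicates over the network": "Network",
    "Runs or is running": "File",
    "Invokes a command interpreter": "File",
    "Executes a fileless script": "File",
    "Scrapes memory of another process": "API",
    "Executes code from memory": "API",
    "Injects code or modifies memory of another process": "API",
    "Performs ransomware-like behavior: modification of hidden files": "File",
}

# Categories each Bypass choice stops enforcing.
BYPASS_CATEGORIES = {
    "Performs any operation": {"Network", "File", "API"},
    "Performs any API operation": {"API"},
}

# Processes the article singles out as parents of many other processes.
HIGH_FANOUT_PROCESSES = {"winlogon.exe", "svchost.exe"}


def bypassed_operations(bypass_choice):
    """Operations the Sensor stops enforcing under the given Bypass choice."""
    categories = BYPASS_CATEGORIES[bypass_choice]
    return sorted(op for op, cat in OPERATION_CATEGORY.items() if cat in categories)


def retained_operations(bypass_choice):
    """Operations the Sensor still sees and enforces under that choice."""
    categories = BYPASS_CATEGORIES[bypass_choice]
    return sorted(op for op, cat in OPERATION_CATEGORY.items() if cat not in categories)


def review_rule(rule):
    """Return finding codes for a constructed rule {application_path, operation}.

    wildcard_path          path uses a wildcard, so the hole covers more than one file
    full_bypass_inherited  'Performs any operation' covers the whole process tree
    high_fanout_process    full bypass on a process the article names as spawning many others
    """
    path = rule["application_path"]
    choice = rule["operation"]
    if choice not in BYPASS_CATEGORIES:
        raise ValueError(f"unknown Bypass choice: {choice!r}")

    findings = []
    if "*" in path:
        findings.append("wildcard_path")

    if choice == "Performs any operation":
        findings.append("full_bypass_inherited")
        # Compare on the file name regardless of Windows or macOS separators.
        basename = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename in HIGH_FANOUT_PROCESSES:
            findings.append("high_fanout_process")
    return findings


if __name__ == "__main__":
    # Constructed rules, not taken from any real policy.
    sample_rules = [
        {"application_path": r"C:\Program Files\Vendor\backup-agent.exe",
         "operation": "Performs any API operation"},
        {"application_path": r"**\Vendor\*.exe",
         "operation": "Performs any operation"},
        {"application_path": r"C:\Windows\System32\svchost.exe",
         "operation": "Performs any operation"},
    ]
    for rule in sample_rules:
        print(rule["application_path"], "->", review_rule(rule) or ["ok"])
    print("still visible under API bypass:", retained_operations("Performs any API operation"))
```

Running it shows the specific-path API rule with no findings, the wildcard full-bypass rule with two, and the svchost.exe rule with both the inheritance and high-fanout findings; the last line prints the five network and file operations that remain visible when only API operations are bypassed.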