CB Defense: What Happens When An API Bypass Rule and Additional Operation Attempts Are Added For The Same Process?

Environment

  • CB Defense PSC Console: All Versions
  • CB Defense Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions

Question

When configuring an 'Allow', 'Allow & Log', or 'Performs any API operation' > Bypass rule for a process, will logging for the remaining Operation Attempts resume if they are selected?

Answer

When a 'Performs any API operation' bypass rule is added for a process and other rules are also desired for that process, the API bypass takes precedence.

Additional Notes

'Performs ransomware-like behavior' is one exception, as that is handled by canary file detection.

Creation Date: 09-09-2020