Environment
- EDR Sensor: All Versions
- Microsoft Windows: All Supported Versions
- Linux: All Supported Versions
- Apple MacOS: All Supported Versions
Question
- Which EDR Sensor directories should you exclude from 3rd party security software scans?
Answer
Recommended folders and processes to exclude from 3rd party security product:
| Operating System | Sensor Version | Path and Process |
| Windows | 7.1.0 and Higher |
- %WINDIR%\CarbonBlack\*
- %WINDIR%\CarbonBlack\cb.exe
- C:\Program Files\CarbonBlack\CbEDRAMSI.dll
- C:\Program Files (x86)\CarbonBlack\CbEDRAMSI.dll
|
| Windows | 7.0.1 and Lower |
- %WINDIR%\CarbonBlack\*
- %WINDIR%\CarbonBlack\cb.exe
|
| macOS/OS X | 6.2.7 and Lower |
- /var/lib/cb/*
- /Applications/CarbonBlack/CbOsxSensorService
- /Applications/CarbonBlack/CbDigitalSignatureHelper
- /System/Library/Extensions/CbOsxSensorNetmon.kext
- /System/Library/Extensions/CbOsxSensorProcmon.kext
|
macOS/OS X
|
- 6.3.0 and Higher
- Pre-BigSur/10.x
|
- /var/lib/cb/*
- /Applications/VMware Carbon Black EDR.app/Contents/MacOS/CbOsxSensorService
- /Applications/VMware Carbon Black EDR.app/Contents/XPCServices/CbDigitalSignatureHelper.xpc
- /System/Library/Extensions/CbOsxSensorNetmon.kext
- /System/Library/Extensions/CbOsxSensorProcmon.kext
|
| macOS/OS X |
- 6.3.0 and Higher
- BigSur/11.x
|
- /Applications/VMware Carbon Black EDR.app/Contents/XPCServices/CbDigitalSignatureHelper.xpc/Contents/MacOS/CbDigitalSignatureHelper
- /Applications/VMware Carbon Black EDR.app/Contents/MacOS/CbOsxSensorService
- /var/lib/cb/*
- /Library/SystemExtensions/<GUID>/com.carbonblack.es-loader.es-extension.systemextension/Contents/MacOS/com.carbonblack.es-loader.es-extension
|
| Linux | 6.2.0 and Lower |
- /var/lib/cb/*
- /etc/init.d/cbdaemon
- /etc/rc*/*cbdaemon
- /usr/sbin/cbdaemon
- /etc/sysconfig/modules/cbresponse.modules
|
| Linux | 6.2.1 and Higher |
- /var/opt/carbonblack/response/*
- /etc/init.d/cbdaemon
- /usr/sbin/cbdaemon
- /opt/carbonblack/response/*
- /etc/sysconfig/modules/cbresponse.modules
|
Additional Notes
- The EDR Sensor performs reads and writes to the sensor's installation root directories. With security products continually scanning the directory contents, these exclusions will help eliminate interoperability that can cause performance issue and ensure proper coexistence.
- Some vendors require a trailing asterisk (*) when entering exclusions. Sub-folders should be included in the exclusion. Please refer to the vendor's documentation.
- Windows Defender is enabled by default on Windows machines and also requires these exclusions.
- If you are utilizing a custom Sensor Process Name add the customized process name to the security application exclusions list.
- Please review vendor documentation for exclusions implementation steps.
- For McAfee EPO you may also need to exclude c:\windows\carbonblack\cb.exe from its "Prevent creation of new executable files in the Windows folder" option
Related Content
