Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: How to Set up Exclusions in the Carbon Black Cloud Console for AV Products

Carbon Black Cloud: How to Set up Exclusions in the Carbon Black Cloud Console for AV Products

Environment

  • Carbon Black Cloud Console: All Versions
  • Endpoint Standard (Formerly CB Defense)

Objective

Set up exclusions for an AV product in the Carbon Black Cloud Console

Resolution

  1. Log in to the Carbon Black Cloud Console
  2. Go to Enforce > Policies
  3. Select the desired Policy and click on the Prevention tab (See NOTE, in additional Notes Section)
  4. Click plus sign (+) next to "Permissions" section (If this section has already been expanded you will not see the + sign, until the - sign has been clicked and the section collapses)
  5. Click "Add application path" in "Permissions" section
  6. Enter the recommended file/folder exclusions from the appropriate security vendor
    Example Exclusion:
    *:\Program Files\McAfee\**
  7. Check "Bypass" option box for "Performs Any Operation"
  8. Click "Confirm"

Additional Notes

  • Always carefully consider risks and benefits of setting up a permission rule for any application.
  • Search online for the recommendations from the vendor of the 3rd party software in relation to scanning AV (the closest thing to NGAV currently being called out)
  • Endpoint Standard sensor may interfere with an AV product installed on the same system. According to different policy rules, the Endpoint Standard sensor may prevent AV from taking actions to files or system.
    • For example, if a "known malware" blocking policy rule exists in device group, the Endpoint Standard sensor may block an AV product from accessing malicious files per that policy rule. This may prevent AV from being able to scan or quarantine malicious files.
    • This kind of interference is not an interoperability issue with an AV product, but a normal policy action with Endpoint Standard working as designed. In order to prevent this kind of interference, permissions need to be set up for respective AV folders/executables following the steps above
  • Refer to Endpoint Standard: How to Create Policy Blocking & Isolation and Permissions Exclusions for more information on permissions settings, correct syntax, etc.
  • NOTE: If no permissions or other Settings are visible, you have an EEDR Only Org and this article does not apply, as no exclusions can be created

Related Content


Was this article helpful? Yes No
67% helpful (4/6)
Article Information
Author:
Creation Date:
‎09-18-2018
Views:
58594
Contributors