Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Environment

Carbon Black Console: April 2022 Release (0.77.x) and Higher
Carbon Black Cloud Windows Sensor: 3.6.x.x and Higher
Microsoft Windows: All Supported Versions

Objective

Provide steps for disabling individual Core Prevention rule-sets

Resolution

Go to Enforce > Policies > Prevention Tab
Expand Section “Core Prevention”

Click desired Core Prevention name

Advanced Scripting Prevention (Windows AMSI)
Emerging Threats
Credential Theft
Privilege Escalation
Ransomware

Toggle blocking as desired

"Alert only" OR "Block and Alert" Recommended

Additional Notes

The primary recommendation when a Core Prevention rule is causing a block is to create a Core Prevention exclusion, rather than disabling blocking.

Related Content

Endpoint Standard: How to Configure Exclusions for Core Prevention Rules
Endpoint Standard: What Is The Difference Between Allow, Allow & Log and Bypass?
Carbon Black Cloud: What are the differences between API Bypass and Full Bypass
CB Defense: What Happens With An API Bypass Rule and Additional Operation Attemps Are Added For The ...

Article Information

Author:

Creation Date:

‎10-05-2023

Views:

418

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.