Knowledge Base

Yes

Environment

Set up exclusions for an AV product in the Carbon Black Cloud Console

Log in to the Carbon Black Cloud Console
Go to Enforce > Policies
Select the desired Policy and click on the Prevention tab (See NOTE, in additional Notes Section)
Click plus sign (+) next to "Permissions" section (If this section has already been expanded you will not see the + sign, until the - sign has been clicked and the section collapses)
Click "Add application path" in "Permissions" section
Enter the recommended file/folder exclusions from the appropriate security vendor
```
Example Exclusion:
*:\Program Files\McAfee\**
```
Check "Bypass" option box for "Performs Any Operation"
Click "Confirm"

Always carefully consider risks and benefits of setting up a permission rule for any application.
Search online for the recommendations from the vendor of the 3rd party software in relation to scanning AV (the closest thing to NGAV currently being called out)
Endpoint Standard sensor may interfere with an AV product installed on the same system. According to different policy rules, the Endpoint Standard sensor may prevent AV from taking actions to files or system.
- For example, if a "known malware" blocking policy rule exists in device group, the Endpoint Standard sensor may block an AV product from accessing malicious files per that policy rule. This may prevent AV from being able to scan or quarantine malicious files.
- This kind of interference is not an interoperability issue with an AV product, but a normal policy action with Endpoint Standard working as designed. In order to prevent this kind of interference, permissions need to be set up for respective AV folders/executables following the steps above
Refer to Endpoint Standard: How to Create Policy Blocking & Isolation and Permissions Exclusions for more information on permissions settings, correct syntax, etc.
NOTE: If no permissions or other Settings are visible, you have an EEDR Only Org and this article does not apply, as no exclusions can be created