Environment
- Carbon Black Cloud (Formerly PSC) Console: All Versions
Objective
Set up exclusions for an AV product in Carbon Black Cloud Console
Resolution
- Log in to Carbon Black Cloud Console
- Go to Enforce > Policies
- Select the desired Policy and click on the Prevention tab
- Click plus sign (+) next to "Permissions" section
- Click "Add application path" in "Permissions" section
- Enter the recommended file/folder exclusions from the appropriate security vendor
Example Exclusion:
*:\Program Files\McAfee\**
- Check "Bypass" option box for "Performs Any Operation"
- Click "Confirm"
Additional Notes
- Always carefully consider risks and benefits of setting up a permission rule for any application.
- Search online for the recommendations from the vendor of the 3rd party software in relation to scanning AV (the closest thing to NGAV currently being called out)
- Endpoint Standard sensor may interfere with an AV product installed on the same system. According to different policy rules, the Endpoint Standard sensor may prevent AV from taking actions to files or system.
- For example, if a "known malware" blocking policy rule exists in device group, the Endpoint Standard sensor may block an AV product from accessing malicious files per that policy rule. This may prevent AV from being able to scan or quarantine malicious files.
- This kind of interference is not an interoperability issue with an AV product, but a normal policy action with Endpoint Standard working as designed. In order to prevent this kind of interference, permissions need to be set up for respective AV folders/executables following the steps above
- Refer to Endpoint Standard: How to Create Policy Blocking & Isolation and Permissions Exclusions for more information on permissions settings, correct syntax, etc.
Related Content
