Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: All Versions
- Microsoft Windows: All Versions
- Apple macOS: All Versions
Question
What effect does enabling Sensor Bypass (Endpoints > Select Sensor > Take Action > Enable Bypass) have on Sensor activity?
Answer
Protection and Monitor Status
- Policy Rules are not enforced so the Sensor is not actively protecting the device.
- The Sensor will not send any new data to the Carbon Black Cloud console while it is in Bypass.
Remote Investigation
- All device activity prior to Bypass being enabled will still be available on the Investigate Page in the Console.
- Administrators can continue investigating a device from the PSC Console (Investigate Page, Live Response, Live Query, etc.).
- VMware Carbon Black Support will still be able to pull sensor logs from the device while in quarantined mode.
Local Sensor Activity
- All Sensor services (cbdefense and cbdefenseWSC) will continue to run.
- The Sensor still locally logs system information, such as CPU and memory use.
- The Sensor maintains the local databases by removing stale records and removing files that have been deleted.
- The Sensor still checks in to confirm configuration, policy rules, and requested sensor actions.
- Signature updates for the local scanner still occur.
- Repmgr is still running and checks the reputations of any interesting files accessed.
- This activity is recorded and stored locally, though not uploaded to the Console.