Carbon Black Cloud: What are the differences between API Bypass and Full Bypass


Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 1.0.7.x and higher
  • Microsoft Windows: All Supported Versions
  • Mac OS: All Supported Versions

Question

Which Policy Permissions rule operations fall under Bypass ("Performs any operation") and API Bypass ("Performs any API operation")?

Answer

When adding a Permissions rule with the Bypass action for a given application, there are two choices of operation: "Performs any operation" or "Performs any API operation".
  • Performs any operation - the Sensor bypasses policy enforcement for all of the operations in the table below (network, file, and API) for the specified application, without placing the Sensor itself in full bypass. Use it only if interoperability issues persist after trying API bypass. This type of permissions rule is inherited by child processes of the listed application, so its use should be very limited.
  • Performs any API operation - the Sensor bypasses policy enforcement only for the operations that fall under the API category. Ideally this option is tested first, before selecting "Performs any operation", because it bypasses only API operations for the specified application while the Sensor retains visibility into its network and file operations.
    Policy Operation                                     Network  File  API
    Communicates over the network                           X
    Runs or is running                                               X
    Invokes a command interpreter                                    X
    Executes a fileless script                                       X
    Scrapes memory of another process                                      X
    Executes code from memory                                              X
    Injects code or modifies memory of another process                     X
    Performs ransomware-like behavior:
      modification of hidden files                                   X
      manipulate shadow copies                                       X
      write to MBR                                                         X

Additional Notes

  • Permissions rules where the Action is Bypass are effectively security holes: the Sensor has no visibility into the bypassed operations performed by the specified application in the specified path, so it can neither block nor report them.
  • Best practice is to keep these paths as specific as possible (a full path to one binary rather than a directory or wildcard) to avoid opening too large a hole and reducing the overall security posture of the selected Policy and of every endpoint in it.
  • Because 'Performs any operation' rules are inherited by the whole process tree of the listed process, it is critical not to list system processes or files that run many other things (winlogon.exe, svchost.exe, etc.); a bypass on such a process silently extends to everything it launches.
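As an added example (not Carbon Black's code and not part of this article), the following Python script audits a list of Permissions rules for the problems described in the notes above: full-bypass rules, bypass rules pinned to processes that spawn many children, and paths wide enough to cover many binaries. The rule field names (action, operation, application.type, application.value) and the operation names BYPASS_ALL and BYPASS_API are assumptions modelled on the shape of Carbon Black Cloud policy API rule objects; the sample rules are constructed, and the process names beyond winlogon.exe and svchost.exe are this example's own additions.

```python
"""Audit Carbon Black Cloud policy Permissions rules for over-broad Bypass entries.

Added example; this is not Carbon Black's code. The rule layout
(action / operation / application.type / application.value) is an assumption
modelled on Carbon Black Cloud policy API rule objects, and BYPASS_ALL /
BYPASS_API are assumed to be the API names behind "Performs any operation" and
"Performs any API operation". The sample rules below are constructed.
"""
import ntpath

# Operation categories from the table in the article, keyed by the assumed API name.
BYPASS_BLINDS = {
    "BYPASS_ALL": frozenset({"network", "file", "api"}),  # "Performs any operation"
    "BYPASS_API": frozenset({"api"}),                      # "Performs any API operation"
}

# Processes that run or spawn many others. winlogon.exe and svchost.exe are named
# in the article; the rest are this example's own additions.
RISKY_SYSTEM_PROCESSES = {
    "winlogon.exe", "svchost.exe", "services.exe", "explorer.exe",
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
}


def blinded_categories(rule):
    """Return the operation categories the Sensor stops seeing for the rule's application."""
    if rule.get("action") != "BYPASS":
        return frozenset()
    # Bypass rules on single operations (e.g. NETWORK) are outside this check.
    return BYPASS_BLINDS.get(rule.get("operation"), frozenset())


def audit_rule(rule):
    """Return a list of (severity, message) findings for one Permissions rule."""
    findings = []
    blinded = blinded_categories(rule)
    if not blinded:
        return findings

    full_bypass = rule["operation"] == "BYPASS_ALL"
    if full_bypass:
        findings.append(("high", "full bypass: no network, file or API visibility; "
                                 "inherited by child processes"))

    app = rule.get("application", {})
    app_type, value = app.get("type"), str(app.get("value", ""))
    if app_type != "NAME_PATH":
        # Signer- or reputation-based matches are not bound to any path at all.
        findings.append(("high" if full_bypass else "medium",
                         f"{app_type} match is not path-scoped"))
        return findings

    win = value.replace("/", "\\")
    base = ntpath.basename(win).lower()
    if base in RISKY_SYSTEM_PROCESSES:
        findings.append(("high", f"{base} runs or spawns many other programs"))
    if "**" in win or base in ("*", "*.*", ""):
        findings.append(("high", "wildcard matches any file under the path"))
    elif "*" in base:
        findings.append(("medium", f"wildcard filename '{base}' matches more than one binary"))
    return findings


def audit_policy_rules(rules):
    """Map rule id -> findings, omitting rules that produce none."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["id"]] = findings
    return report


# Constructed sample rules in the assumed API shape.
SAMPLE_RULES = [
    {"id": 1, "action": "BYPASS", "operation": "BYPASS_API",
     "application": {"type": "NAME_PATH", "value": r"C:\Program Files\Vendor\agent.exe"}},
    {"id": 2, "action": "BYPASS", "operation": "BYPASS_ALL",
     "application": {"type": "NAME_PATH", "value": r"C:\Windows\System32\svchost.exe"}},
    {"id": 3, "action": "BYPASS", "operation": "BYPASS_ALL",
     "application": {"type": "NAME_PATH", "value": r"C:\Users\**"}},
    {"id": 4, "action": "DENY", "operation": "RUN",
     "application": {"type": "NAME_PATH", "value": r"C:\Temp\dropper.exe"}},
    {"id": 5, "action": "BYPASS", "operation": "BYPASS_API",
     "application": {"type": "SIGNED_BY", "value": "Vendor Inc"}},
]

if __name__ == "__main__":
    for rule_id, findings in audit_policy_rules(SAMPLE_RULES).items():
        for severity, message in findings:
            print(f"rule {rule_id}: [{severity}] {message}")
```

Rule 1 (API bypass on one fully qualified binary) produces no findings; rules 2 and 3 are flagged twice each for the full bypass and for the system process or directory wildcard respectively; rule 5 is flagged because a signer match is not confined to a path. To run this against a real policy, replace SAMPLE_RULES with the rules array fetched from the policy API, adjusting the field names if they differ from the assumption.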

Article Information
Creation Date: 09-09-2020