Carbon Black Cloud: What are the differences between API Bypass and Full Bypass
Carbon Black Cloud Console: All Versions
Carbon Black Cloud Sensor: 1.0.7.x and higher
Microsoft Windows: All Supported Versions
Mac OS: All Supported Versions
What Policy Permissions rule Operations fall under Bypass and API Bypass?
When adding a Permissions rule to Bypass operations of a given application, there are two choices: “Performs any operation” or “Performs any API operation”.
Performs any operation - the Sensor bypasses Policy enforcement for all of the operations listed below. If interoperability issues persist with API bypass, this option allows bypass of all network, file, and API operations for the specified application without placing the Sensor itself in full bypass. This type of Permissions rule is inherited by child processes and should be used very sparingly.
Performs any API operation - the Sensor bypasses Policy enforcement only for the operations that fall under the API category. Ideally, test this option first before selecting the “Performs any operation” Bypass: it bypasses only API operations for the specified application, so the Sensor retains visibility into network and file operations.
Communicates over the network
Runs or is running
Invokes a command interpreter
Executes a fileless script
Scrapes memory of another process
Executes code from memory
Injects code or modifies memory of another process
Performs ransomware-like behavior:
    modification of hidden files
    manipulation of shadow copies
    writes to the MBR
Permissions rules where the Action is Bypass are essentially security holes: there is no visibility into what the specified application is doing in the specified path.
Best practice is to keep these paths as specific as possible. An overly broad path opens a large hole and reduces the overall security posture of the selected Policy and every endpoint in it.
As Permissions rules with 'Performs any operation' are inherited by the process tree of the listed process, it is critical not to list system processes or files which run many things (winlogon.exe, svchost.exe, etc.).
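The best-practice checks above, as an added example that is not part of the original article: a Python audit over a policy export that flags full-bypass rules, broad application paths and bypasses on system processes. The rule field names and the BYPASS_ALL / BYPASS_API operation values are modelled on the policy rule format and are an assumption here, and the sample policy is constructed.

```python
from typing import Dict, List

# Constructed sample shaped like a Carbon Black Cloud policy export. The rule
# fields and the BYPASS_ALL / BYPASS_API values are an assumption for this example.
SAMPLE_POLICY = {
    "rules": [
        {"id": 1, "action": "IGNORE", "operation": "BYPASS_ALL",
         "application": {"type": "NAME_PATH", "value": r"C:\Program Files\VendorApp\vendor.exe"}},
        {"id": 2, "action": "IGNORE", "operation": "BYPASS_ALL",
         "application": {"type": "NAME_PATH", "value": r"C:\Windows\System32\svchost.exe"}},
        {"id": 3, "action": "IGNORE", "operation": "BYPASS_ALL",
         "application": {"type": "NAME_PATH", "value": r"C:\**"}},
        {"id": 4, "action": "IGNORE", "operation": "BYPASS_API",
         "application": {"type": "NAME_PATH", "value": r"C:\Program Files\VendorApp\*.exe"}},
    ],
}

# Processes that host or launch many others; a full bypass on one of these is
# inherited by its whole process tree. Starting list only, extend for your estate.
SYSTEM_PROCESSES = {"svchost.exe", "winlogon.exe", "services.exe", "lsass.exe",
                    "wininit.exe", "explorer.exe", "userinit.exe"}
SEVERITY = {1: "medium", 2: "high", 3: "critical"}


def is_broad_path(path: str) -> bool:
    """True when the path would match far more than one specific executable."""
    parts = [p for p in path.replace("\\", "/").split("/") if p]
    return "**" in path or len(parts) < 3 or parts[-1] in ("*", "*.*")


def audit_bypass_rules(policy: dict) -> List[Dict[str, object]]:
    """Return one finding per Bypass permissions rule, most severe first."""
    findings = []
    for rule in policy.get("rules", []):
        op = rule.get("operation")
        if rule.get("action") != "IGNORE" or op not in ("BYPASS_ALL", "BYPASS_API"):
            continue  # not a Bypass rule (Terminate/Deny rules are out of scope here)
        path = rule["application"]["value"]
        exe = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        reasons = ["full bypass: no network, file or API visibility; inherited by children"
                   if op == "BYPASS_ALL" else "API bypass: network and file visibility kept"]
        score = 2 if op == "BYPASS_ALL" else 1
        if exe in SYSTEM_PROCESSES:
            reasons.append(f"{exe} is a system process that runs many child processes")
        if is_broad_path(path):
            reasons.append("path is broad; narrow it to the specific executable")
        score += 1 if len(reasons) > 1 else 0  # any aggravating factor bumps one level
        findings.append({"id": rule["id"], "severity": SEVERITY[score],
                         "score": score, "path": path, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)
```

Run it against a policy exported from the console to get a prioritised list of Bypass rules to narrow or remove.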