Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Environment

Endpoint Standard Sensor: 3.4.x version and below
Microsoft Windows: All Supported Versions

Objective

Provide steps to verify the current bypass status of the Windows Defense Sensor locally.

Resolution

Open an elevated command window on the endpoint to be checked.

Issue the following command

reg query "HKLM\System\CurrentControlSet\Services\CbDefense"

Examine the output for the subkey "Passthru",
1. If the subkey exists and it's value is at 0x1, the sensor is in bypass mode

Additional Notes

If the sensor is not in Bypass, then Passthru REG_DWORD will not be displayed.
For version 1 (1.0.6.196 and earlier), use the following command (Confer Sensor Service in place of CbDefense): reg query "HKLM\System\CurrentControlSet\Services\Confer Sensor Service"
For version 3.5.x and above, use the Repcli method to verify the sensor bypass status by following Click Here

Related Content

Cb Defense: How To Enable and Disable Bypass Via Command Line (Windows)
Endpoint Standard: How to Verify Sensor Status With RepCLI

Article Information

Author:

Creation Date:

‎11-20-2018

Views:

1323

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.