
EDR: Which Sensor directories need exclusion from 3rd party anti-virus scans?


Environment

  • EDR Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Linux: All Supported Versions
  • Apple MacOS: All Supported Versions

Question

  • Which EDR Sensor directories should you exclude from 3rd party AV software scans?

Answer


Recommended folders and processes to exclude from 3rd party Anti-virus scans:
 
Operating System | Sensor Version | Path and Process

Windows | 7.1.0 and Higher
  • %WINDIR%\CarbonBlack\*
  • %WINDIR%\CarbonBlack\cb.exe
  • C:\Program Files\CarbonBlack\CbEDRAMSI.dll
  • C:\Program Files (x86)\CarbonBlack\CbEDRAMSI.dll

Windows | 7.0.1 and Lower
  • %WINDIR%\CarbonBlack\*
  • %WINDIR%\CarbonBlack\cb.exe

macOS/OS X | 6.2.7 and Lower
  • /var/lib/cb/*
  • /Applications/CarbonBlack/CbOsxSensorService
  • /Applications/CarbonBlack/CbDigitalSignatureHelper
  • /System/Library/Extensions/CbOsxSensorNetmon.kext
  • /System/Library/Extensions/CbOsxSensorProcmon.kext

macOS/OS X | 6.3.0 and Higher
  • /var/lib/cb/*
  • /Applications/VMware Carbon Black EDR.app/Contents/MacOS/CbOsxSensorService
  • /Applications/VMware Carbon Black EDR.app/Contents/XPCServices/CbDigitalSignatureHelper.xpc
  • /System/Library/Extensions/CbOsxSensorNetmon.kext
  • /System/Library/Extensions/CbOsxSensorProcmon.kext

Linux | 6.2.0 and Lower
  • /var/lib/cb/*
  • /etc/init.d/cbdaemon
  • /etc/rc*/*cbdaemon
  • /usr/sbin/cbdaemon
  • /etc/sysconfig/modules/cbresponse.modules

Linux | 6.2.1 and Higher
  • /var/opt/carbonblack/response/*
  • /etc/init.d/cbdaemon
  • /usr/sbin/cbdaemon
  • /opt/carbonblack/response/*
  • /etc/sysconfig/modules/cbresponse.modules

Additional Notes

  • The EDR Sensor performs reads and writes to the sensor's installation root directories. With AV products continually scanning the directory contents, these exclusions help eliminate interoperability problems that can cause performance issues, and ensure proper coexistence.
  • Some vendors require a trailing asterisk (*) when entering exclusions. Sub-folders should be included in the exclusion. Please refer to the vendor's documentation.
  • Windows Defender is enabled by default on Windows machines and also requires these exclusions.
  • If you are utilizing a custom Sensor Process Name, add the customized process name to the AV application exclusions list.
  • Please review vendor documentation for exclusions implementation steps.
  • For McAfee EPO, you may also need to exclude c:\windows\carbonblack\cb.exe from its "Prevent creation of new executable files in the Windows folder" option.
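
Added example (not part of the original article and not vendor tooling): a PowerShell script that adds the Windows entries from the table above to Microsoft Defender's exclusion list, skipping any that are already present. The parameter names, the assumption that a custom-named sensor process lives in %WINDIR%\CarbonBlack, and dropping the trailing asterisk (Defender folder exclusions already cover sub-folders) are choices made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: sync Microsoft Defender exclusions with the Windows rows of the table.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Installed EDR sensor version, supplied by the operator (assumption: not auto-detected).
    [Parameter(Mandatory)][version]$SensorVersion,
    # Custom Sensor Process Name, if one is configured; cb.exe otherwise.
    [string]$SensorProcessName = 'cb.exe'
)

# %WINDIR% is expanded here so the stored exclusion is an absolute path.
$sensorDir = Join-Path $env:WINDIR 'CarbonBlack'

# A Defender folder exclusion covers the files and sub-folders beneath it.
$wantedPaths = @($sensorDir)
if ($SensorVersion -ge [version]'7.1.0') {
    # The AMSI DLLs are listed only for sensor 7.1.0 and higher.
    $wantedPaths += 'C:\Program Files\CarbonBlack\CbEDRAMSI.dll'
    $wantedPaths += 'C:\Program Files (x86)\CarbonBlack\CbEDRAMSI.dll'
}
# Assumption: a custom-named sensor binary sits in the same directory as cb.exe.
$wantedProcesses = @(Join-Path $sensorDir $SensorProcessName)

$current   = Get-MpPreference
$havePaths = @($current.ExclusionPath)      # may contain a single $null when empty
$haveProcs = @($current.ExclusionProcess)

foreach ($path in $wantedPaths) {
    # -notcontains compares case-insensitively, matching Windows path semantics.
    if ($havePaths -notcontains $path -and
        $PSCmdlet.ShouldProcess($path, 'Add Defender path exclusion')) {
        Add-MpPreference -ExclusionPath $path
    }
}
foreach ($proc in $wantedProcesses) {
    if ($haveProcs -notcontains $proc -and
        $PSCmdlet.ShouldProcess($proc, 'Add Defender process exclusion')) {
        Add-MpPreference -ExclusionProcess $proc
    }
}

# Report the resulting state for each entry so the change can be verified.
$after = Get-MpPreference
foreach ($entry in $wantedPaths + $wantedProcesses) {
    [pscustomobject]@{
        Entry    = $entry
        Excluded = (@($after.ExclusionPath) + @($after.ExclusionProcess)) -contains $entry
    }
}
```

Run it with -WhatIf first to list the exclusions that would be added without changing Defender's configuration.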

Article Information
Creation Date:
‎11-21-2018