EDR: Why are Events Appearing After Windows Exclusions Have Been Created?

Environment

  • EDR Server:  7.6.1 and higher
  • EDR Windows Sensor:  7.3.0 and higher

Question

Why are events continuing to appear after Windows exclusions have been added to the sensor group?

Answer

  • This is expected.  The Regmods, Filemods and Modloads totals should be blank for an excluded process, but each process's create, terminate and child-process messages are still sent to the server for data integrity and a complete process tree view.
  • If excluded events appear with Regmods, Filemods and/or Modloads totals, check the executable path entered in the exclusion for case sensitivity and spelling.

Additional Notes

  • A process exclusion can be configured so that the sensor does not report regmods, filemods and modloads for that process.
  • Network connections continue to be recorded for excluded processes; excluding them is on the roadmap for a future release.
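A small triage script, added here as an example and not taken from the article or the Carbon Black EDR product, that applies the answer above to a set of constructed process events: an excluded process with blank Regmods/Filemods/Modloads totals is expected, an event that matches an exclusion only when case is ignored is flagged for a case check, and an event whose path nearly matches an exclusion is flagged for a spelling check. The record layout, the `EVENTS`/`EXCLUSIONS` sample data and the exact-string comparison are assumptions made for illustration, not the product's matching rule.

```python
import difflib

# Constructed sample data (not real records): one sensor-group exclusion and four
# process events in a simplified layout, with the three totals the article names.
EXCLUSIONS = [r"C:\Program Files\Backup\agent.exe"]

EVENTS = [
    # exact exclusion hit, totals blank: the expected behaviour
    {"path": r"C:\Program Files\Backup\agent.exe", "regmods": 0, "filemods": 0, "modloads": 0},
    # same binary, different case, totals present: check case sensitivity
    {"path": r"c:\program files\backup\agent.exe", "regmods": 12, "filemods": 3, "modloads": 40},
    # transposed letters in the file name, totals present: check spelling
    {"path": r"C:\Program Files\Backup\agnet.exe", "regmods": 5, "filemods": 1, "modloads": 9},
    # unrelated process, totals present: no exclusion applies
    {"path": r"C:\Windows\System32\svchost.exe", "regmods": 7, "filemods": 2, "modloads": 15},
]


def classify(event, exclusions, similarity=0.9):
    """Return a triage verdict for one process event against the exclusion list.

    expected      - exact exclusion hit and no regmod/filemod/modload totals
    unexpected    - exact exclusion hit but totals are present
    check-case    - matches an exclusion only when case is ignored (assumed
                    heuristic; the article says to check case sensitivity)
    check-spelling- path is very close to an exclusion but not equal
    not-excluded  - no exclusion applies, totals are normal
    """
    totals = event["regmods"] + event["filemods"] + event["modloads"]
    path = event["path"]
    for excl in exclusions:
        if path == excl:
            return "expected" if totals == 0 else "unexpected"
    for excl in exclusions:
        if path.lower() == excl.lower():
            return "check-case"
    for excl in exclusions:
        ratio = difflib.SequenceMatcher(None, path.lower(), excl.lower()).ratio()
        if ratio >= similarity:
            return "check-spelling"
    return "not-excluded"


def triage(events, exclusions):
    """Classify every event; returns a list of (path, verdict) pairs."""
    return [(e["path"], classify(e, exclusions)) for e in events]


if __name__ == "__main__":
    for path, verdict in triage(EVENTS, EXCLUSIONS):
        print(f"{verdict:15} {path}")
```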

Article Information

Creation Date: 03-22-2022