Environment
- Endpoint Standard (was CB Defense): All Versions
Objective
How to disable Endpoint Standard with Policy Rules
Resolution
At this time, Endpoint Standard cannot be fully disabled using the default Policy settings available. However, as a workaround, Endpoint Standard Enforcement & Reporting can be partially disabled using Policy Rules, with a few exceptions and caveats. See Additional Notes for details.
- Log in to the Carbon Black Console
- Go to Enforce > Policies > Prevention Tab
- Select Add Application Path
- Enter Application(s) at path:
- Select OPERATION ATTEMPT "Performs any operation"
- Select ACTION "Bypass"
- Select the Confirm button
- Select Save (top or bottom of the page)
Additional Notes
- This KB will be updated when official support for disabling Endpoint Standard at the policy level is available.
- If a standalone double wildcard, **, is used, the sensor is still active, but (defense) Endpoint Standard policy enforcement is disabled and the sensor will not report events.
- Disabling Endpoint Standard using a standalone double wildcard can have some unintentional side effects, i.e. the Background Scan completes without scanning bypassed files and never runs again.
- The sensor will continue to perform signature pack updates, scan for malicious services, evaluate dynamic rules, and enforce tamper protection. Enterprise EDR dynamic rules will continue to report events, since those rules aren't enforced by Endpoint Standard policies.
- Some Core Prevention rules can only be disabled using API bypass, and other Core Prevention rules will continue to be evaluated and enforced regardless of bypass policy rules.