
Endpoint Standard: What is the Purpose of the Monitored Policy?

Environment

  • Carbon Black Cloud Console: July '17 Release (0.30.0) and Higher
    • Endpoint Standard

Question

What is the purpose of the Monitored policy?

Answer

As the name implies, the policy monitors all application activity on an endpoint and logs these events to the Dashboard, which allows administrators to evaluate all application activity before implementing any policy rules.

In terms of enforcement, the policy has very limited preventive capability: sensors assigned to this policy allow most activity, except for malware, Potentially Unwanted Programs (PUPs), and living-off-the-land software used by adversaries to disable the sensor, which is blocked as part of the sensor's tamper protection functionality.

Additional Notes

  • The Monitored policy is provided to customers whose Carbon Black Cloud was deployed after the July '17 backend update
  • The Monitored policy can have custom rules added to it in order to block applications, but it does not block anything by default
  • The Monitored policy may still encounter internal rule blocks for lsass.exe, similar to this
  • Local scan is disabled by default within the Monitored policy

Creation Date: 09-09-2020