Endpoint Standard: What is the Purpose of the Monitored Policy?
Carbon Black Cloud Console: July '17 Release (0.30.0) and Higher
What is the purpose of the Monitored policy?
As the name implies, the policy monitors all application activity on an endpoint and logs these events to the Dashboard, which allows administrators evaluate all application activity prior to any policy rule implementation.
In terms of enforcement, the policy has very limited preventive capability, sensors assigned to this policy will allow most activity, except for malware, Potentially Unwanted Programs (PUPs) and living-off-the-land software used by adversaries to disable the sensor, as part of its tamper protection functionality.
The Monitored policy is provided to customers that had Carbon Black Cloud deployed after the July '17 backend update
The Monitored policy can have custom rules added to it in order to block applications but doesn't by default
The Monitored policy may still encounter internal rules blocks for lsass.exe similar to this
Local scan is disabled by default within the Monitored policy