
Enterprise EDR: Sensor Does Not Honor Bypass Exclusions

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard (formerly CB Defense)
    • Enterprise EDR (formerly CB ThreatHunter)
  • PSC Sensor: 3.3.x.x and Higher
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions

Symptoms

In ThreatHunter orgs that have Endpoint Standard rules enabled, or that run both Endpoint Standard and Enterprise EDR, bypass rules do not appear to be honored: the console still shows Enterprise EDR data for the bypassed processes.

Cause

Bypass rules created under the standard Policy pages apply only to the Endpoint Standard portion of the sensor, not to the Enterprise EDR portion. The Enterprise EDR component therefore continues to record events locally and upload them to the console even though a bypass rule is in place.

Resolution


Additional Notes

To validate that the bypass rules are working on the Endpoint Standard side, review the following KB:
CB ThreatHunter: How to determine if an Event is from CB Defense data
Procmon captures should not show ctiuser.dll being loaded into bypassed processes: Endpoint Standard relies on that injection, while Enterprise EDR does not inject into processes at all.
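As an added illustration that is not part of this KB, the following PowerShell snippet performs the same check as the Procmon observation above on a live process: it enumerates the loaded modules of a process you expect a bypass rule to cover and reports whether ctiuser.dll (the Endpoint Standard user-mode module named above) is present. The process name is a placeholder you supply; the script assumes an elevated session of the same bitness as the target, since Get-Process can only enumerate modules under those conditions.

```powershell
# Added example (not from the KB): report whether ctiuser.dll is loaded into
# each instance of a given process. Presence of the module means the Endpoint
# Standard bypass is not in effect for that process; absence is consistent with
# the bypass being honored. This says nothing about Enterprise EDR, which
# records events without injecting into the process.
# Assumption: $ProcessName is a placeholder; run from an elevated PowerShell
# session whose bitness matches the target process.
param([string]$ProcessName = 'notepad')   # placeholder process name

$targets = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $targets) {
    Write-Warning "No running process named '$ProcessName'"
    return
}

foreach ($p in $targets) {
    try {
        # .Modules throws for processes this session cannot inspect
        $injected = $p.Modules | Where-Object { $_.ModuleName -ieq 'ctiuser.dll' }
    } catch {
        Write-Warning "Could not enumerate modules of PID $($p.Id): $_"
        continue
    }

    if ($injected) {
        Write-Output "PID $($p.Id): ctiuser.dll loaded -> Endpoint Standard bypass NOT in effect"
    } else {
        Write-Output "PID $($p.Id): ctiuser.dll not loaded -> consistent with an Endpoint Standard bypass"
    }
}
```

Because the Enterprise EDR portion of the sensor never injects a module, a clean result from this check only confirms the Endpoint Standard side; Enterprise EDR events for the process will still reach the console, as the Cause section describes.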

Related Content


Article Information
Creation Date: 09-09-2020