Enterprise EDR: Sensor Does Not Honor Bypass Exclusions
search cancel

Enterprise EDR: Sensor Does Not Honor Bypass Exclusions


Article ID: 285038


Updated On:


Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)


Within ThreatHunter orgs that have Endpoint Standard Rules enabled or have both Endpoint Standard and Enterprise EDR, bypass rules do not appear to be honored as the console still shows Enterprise EDR data.


  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard (formerly CB Defense)
    • Enterprise EDR (formerly CB ThreatHunter) 
  • PSC Sensor: 3.3.x.x and Higher
  • Microsoft Windows: All Supported Versions
  • Apple macOS:: All Supported Versions


Bypass rules created under the standard Policy pages do not apply to the Enterprise EDR portion of the sensor. This means that the sensor will still record events locally and upload these to the console despite a bypass rule in place.


Event Reporting and Sensor Operation Exclusions Announcement

Additional Information

To validate the bypass rules are working on the EndPoint Standard side please review the following KB:
Procmon captures should not show ctiuser.dll injections for bypassed processes as Enterpise EDR doesn't require injection but EndPoint Standard does