Enterprise EDR: Sensor Does Not Honor Bypass Exclusions
Article ID: 285038

Updated On:

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Within ThreatHunter orgs that have Endpoint Standard Rules enabled or have both Endpoint Standard and Enterprise EDR, bypass rules do not appear to be honored as the console still shows Enterprise EDR data.

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard (formerly CB Defense)
    • Enterprise EDR (formerly CB ThreatHunter)
  • PSC Sensor: 3.3.x.x and Higher
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions

Cause

Bypass rules created under the standard Policy pages do not apply to the Enterprise EDR portion of the sensor. This means that the sensor will still record events locally and upload these to the console despite a bypass rule in place.

Resolution

Event Reporting and Sensor Operation Exclusions Announcement

Additional Information

To validate that the bypass rules are working on the Endpoint Standard side, please review the following KB:
https://community.carbonblack.com/t5/Knowledge-Base/CB-ThreatHunter-How-to-determine-if-an-Event-is-from-CB-Defense/ta-p/78248
Procmon captures should not show ctiuser.dll injections for bypassed processes, because Enterprise EDR does not require injection but Endpoint Standard does.