Sensor does not apply policy "Bypass" action permission rules

Article ID: 285038

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

In Enterprise EDR (EEDR) orgs that have Endpoint Standard Rules enabled, or that have both Endpoint Standard and Enterprise EDR, bypass rules do not appear to be honored, as the console still shows Enterprise EDR data.

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard (formerly CB Defense)
    • Enterprise EDR (formerly CB ThreatHunter) 
  • PSC Sensor: 3.3.x.x and Higher
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions

Cause

Bypass rules created under the standard Policy pages do not apply to the Enterprise EDR portion of the sensor. This means that the sensor will still record events locally and upload them to the console even when a bypass rule is in place.

Resolution

Use the Event Reporting and Sensor Operation Exclusions from the User Guide to create the necessary exclusions for processes/paths.

Additional Information

  • Procmon captures should not show ctiuser.dll injections for bypassed processes, because Enterprise EDR doesn't require injection but Endpoint Standard does.