CB Defense: What Happens When an API Bypass Rule and Additional Operation Attempts Are Added for the Same Process?

Article ID: 285135

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

When an 'Allow', 'Allow & Log', or 'Performs any API operation' > Bypass rule is configured for a process, will logging for the remaining Operation Attempts resume if they are also selected?

Environment

  • CB Defense PSC Console: All Versions
  • CB Defense Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions

Resolution

When a 'Performs any API operation' bypass rule is added for a process and other rules are also configured for that process, the API bypass takes precedence.

Additional Information

'Performs ransomware-like behavior' is one exception, as that is handled by canary file detection.
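
The precedence described above can be checked during a policy review. The following is an added example, not Carbon Black code: it groups rules by process and reports which ones an API bypass overrides and which are still evaluated. The rule dictionary layout, the sample paths, and the case-insensitive exact path match are assumptions made for illustration; the operation names are the console labels.

```python
from collections import defaultdict

API_BYPASS_OP = "Performs any API operation"
RANSOMWARE_OP = "Performs ransomware-like behavior"

# Constructed sample rules. The dict layout is hypothetical, not an export format.
SAMPLE_RULES = [
    {"process": r"C:\Tools\backup.exe", "operation": API_BYPASS_OP,
     "action": "Bypass"},
    {"process": r"c:\tools\BACKUP.EXE", "operation": "Invokes a command interpreter",
     "action": "Allow & Log"},
    {"process": r"C:\Tools\backup.exe", "operation": RANSOMWARE_OP,
     "action": "Terminate process"},
    {"process": r"C:\Apps\report.exe", "operation": "Scrapes memory of another process",
     "action": "Deny operation"},
]


def normalize(path):
    """Assumption: rules target the same process when paths match ignoring case."""
    return path.strip().casefold()


def audit_api_bypass(rules):
    """Map each process with an API bypass to its overridden and surviving rules."""
    by_process = defaultdict(list)
    for rule in rules:
        by_process[normalize(rule["process"])].append(rule)

    findings = {}
    for process, group in by_process.items():
        bypassed = any(r["operation"] == API_BYPASS_OP and r["action"] == "Bypass"
                       for r in group)
        if not bypassed:
            continue  # no API bypass here, so the other rules apply as written
        others = [r["operation"] for r in group if r["operation"] != API_BYPASS_OP]
        findings[process] = {
            # The bypass takes precedence over these rules.
            "overridden": [op for op in others if op != RANSOMWARE_OP],
            # Ransomware-like behavior is handled by canary file detection.
            "still_evaluated": [op for op in others if op == RANSOMWARE_OP],
        }
    return findings


if __name__ == "__main__":
    for process, result in audit_api_bypass(SAMPLE_RULES).items():
        print(process, result)
```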