CB Defense: What Happens When an API Bypass Rule and Additional Operation Attempts Are Added for the Same Process?
Article ID: 285135
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
When an 'Allow', 'Allow & Log', or 'Performs any API operation' > Bypass rule is configured for a process, will logging for the remaining Operation Attempts resume if they are also selected?
Environment
CB Defense PSC Console: All Versions
CB Defense Sensor: All Versions
Microsoft Windows: All Supported Versions
Apple macOS: All Supported Versions
Resolution
When a 'Performs any API operation' bypass rule is added for a process and other rules are also desired for that process, the API bypass will take precedence.
Additional Information
'Performs ransomware-like behavior' is one exception, as that is handled by canary file detection.