EDR: Why are Events Appearing After Windows Exclusions Have Been Created?
Article ID: 285242
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Why are events continuing to appear after Windows exclusions have been added to the sensor group?
Environment
EDR Server: 7.6.1 and higher
EDR Windows Sensor: 7.3.0 and higher
Resolution
This is expected. The Regmods, Filemods and Modloads totals should be blank for the event, but each process's create, terminate and child messages are still sent to the server for data integrity and a comprehensive tree view.
If excluded events appear with Regmods, Filemods and/or Modloads, check the executable path provided for case sensitivity and spelling.
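The path check described above can be scripted when many events need review. The following is an added example, not Carbon Black code: it assumes the exclusion is compared to the process path as an exact, case-sensitive string, and the function name `diagnose` and all paths are constructed for illustration.

```python
# Added example: classify why an event's executable path did not match an exclusion.
# Assumption: exclusions are matched as exact, case-sensitive full paths.
from difflib import SequenceMatcher

def diagnose(observed, exclusions, near=0.9):
    """Return (verdict, closest_exclusion) for one observed executable path."""
    # 1. An exact match means the exclusion itself is correct.
    for exc in exclusions:
        if exc == observed:
            return ("exact", exc)
    # 2. Same characters, different case: the case-sensitivity problem.
    for exc in exclusions:
        if exc.lower() == observed.lower():
            return ("case_mismatch", exc)
    # 3. Nearly identical strings usually indicate a spelling error
    #    (missing letter, extra space, wrong separator).
    scored = [(SequenceMatcher(None, exc.lower(), observed.lower()).ratio(), exc)
              for exc in exclusions]
    ratio, exc = max(scored, default=(0.0, None))
    if ratio >= near:
        return ("possible_typo", exc)
    return ("no_exclusion", None)

# Constructed sample data: exclusion paths as typed into the sensor group,
# and process paths copied from events that still show regmods/filemods/modloads.
EXCLUSIONS = [
    r"C:\Program Files\Backup Agent\agent.exe",
    r"C:\Tools\scanner\scan.exe",
]
OBSERVED = [
    r"C:\Program Files\Backup Agent\agent.exe",
    r"c:\program files\backup agent\Agent.exe",
    r"C:\Tools\scaner\scan.exe",
    r"C:\Windows\System32\notepad.exe",
]

def report(observed=OBSERVED, exclusions=EXCLUSIONS):
    """Map each observed path to its verdict."""
    return {path: diagnose(path, exclusions) for path in observed}

if __name__ == "__main__":
    for path, (verdict, exc) in report().items():
        print(f"{verdict:14} {path}  (closest exclusion: {exc})")
```

A `case_mismatch` or `possible_typo` verdict points at the exclusion entry to correct; `exact` means the exclusion text is not the cause.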
Additional Information
The process exclusion can be configured to not report regmods, filemods and modloads.
Network connections also continue to be recorded and are on the roadmap for a future release.