EDR: Why are Events Appearing After Windows Exclusions Have Been Created?

Article ID: 285242

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Why are events continuing to appear after Windows exclusions have been added to the sensor group?

Environment

  • EDR Server:  7.6.1 and higher
  • EDR Windows Sensor:  7.3.0 and higher

Resolution

  • This is expected. The Regmods, Filemods and Modloads totals should be blank for the event, but each process's create, terminate and child messages are still sent to the server for data integrity and a comprehensive tree view.
  • If excluded events appear with Regmods, Filemods and/or Modloads, check the executable path provided for case sensitivity and spelling.
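
The path check from the second bullet can be scripted over an export of events, as an added example that is not Carbon Black code. The event field names (`path`, `regmods`, `filemods`, `modloads`) and all sample paths are constructed, and the literal, case-sensitive comparison is an assumption drawn from the advice above.

```python
from difflib import SequenceMatcher

RANK = ["exact", "case-mismatch", "possible-typo", "no-match"]

def classify_exclusion(exclusion_path, observed_path, typo_threshold=0.9):
    """Compare one configured exclusion path with one observed process path."""
    if exclusion_path == observed_path:
        return "exact"              # path is right; look elsewhere for the cause
    a, b = exclusion_path.lower(), observed_path.lower()
    if a == b:
        return "case-mismatch"      # differs only in letter case
    if SequenceMatcher(None, a, b).ratio() >= typo_threshold:
        return "possible-typo"      # near miss, likely a spelling error
    return "no-match"

def triage(exclusions, events):
    """Report the closest exclusion for each event that still carries
    regmod/filemod/modload counts. Events with blank totals are expected."""
    findings = []
    for ev in events:
        if not (ev["regmods"] or ev["filemods"] or ev["modloads"]):
            continue
        status, excl = min(
            ((classify_exclusion(x, ev["path"]), x) for x in exclusions),
            key=lambda r: RANK.index(r[0]),
            default=("no-match", None),
        )
        findings.append((ev["path"], status, excl if status != "no-match" else None))
    return findings

# Constructed sample data (assumed export format, not real EDR output).
EXCLUSIONS = [
    r"C:\Apps\Sync\sync.exe",
    r"c:\tools\scanner\scan.exe",            # wrong letter case
    r"C:\Program Files\Backp\agent.exe",     # misspelled directory
]
EVENTS = [
    {"path": r"C:\Apps\Sync\sync.exe", "regmods": 0, "filemods": 0, "modloads": 0},
    {"path": r"C:\Tools\Scanner\scan.exe", "regmods": 0, "filemods": 12, "modloads": 3},
    {"path": r"C:\Program Files\Backup\agent.exe", "regmods": 5, "filemods": 0, "modloads": 0},
    {"path": r"C:\Windows\System32\svchost.exe", "regmods": 0, "filemods": 0, "modloads": 40},
]

if __name__ == "__main__":
    for path, status, excl in triage(EXCLUSIONS, EVENTS):
        print(f"{status:14} {path}  <-  {excl}")
```

A `no-match` result means the process was never covered by an exclusion in the list, so its Regmods, Filemods and Modloads are reported as normal.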

Additional Information

  • The process exclusion can be configured to not report regmods, filemods and modloads.
  • Network connections also continue to be recorded; this is on the roadmap for a future release.