EDR: Why are NetConns Reporting After Windows Exclusions Have Been Applied?
Article ID: 285251
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Why are netconns reported after the Windows exclusions have been applied?
Environment
EDR Servers: 7.6.1 and higher
EDR Windows Sensors: 7.3.0 and higher
Resolution
This is expected for the initial Windows exclusion release. Excluding the network communications is on the roadmap for a future release.
Additional Information
The exclusion option 'Network connections' for Windows sensors is unused in the initial releases.
The exclusion option 'Process information' for Windows sensors is unused since the process create, terminate and child messages are needed for data integrity.
Tamper detection and protection take priority over Windows exclusions.