Carbon Black Cloud Enterprise EDR (formerly CB ThreatHunter)
Issue/Introduction
A frequent regmod to a specific registry location from a third-party security product will be excluded.
A frequent crossproc (opening handles to all processes repeatedly) by a third-party security product will be excluded.
Repeated netconns by any single process to any unique remote IP:port combination will be excluded.
Environment
CB ThreatHunter Web Console: All Versions
CB PSC Windows Sensor: 3.4.x.x and higher
Microsoft Windows: All Supported Versions
Cause
There is a cloud-driven change coming this week to ease network loads and minimize redundancy in VMware Carbon Black Cloud Enterprise EDR event data.
Resolution
VMware Carbon Black has performed a deep analysis of the most repetitive events aggregated across all customers, and has designed surgical rules to exclude these events from all Enterprise EDR customers' sensor traffic.
Additional Information
While every endpoint and workload is different, based on initial findings VMware Carbon Black expects that most customers could see, on average, a 20% reduction in the number of sent events, with most customers falling between 10% and 30%.