EDR: Can Already Running Processes be Ingress Filtered?

Article ID: 285691

Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

Can an already running process be filtered by an ingress filter? 

Environment

  • EDR Server: All Versions

Resolution

No. The GUID of an already running process has already been added to a cache as a "non-filter" entry to enhance performance, so the process will continue to be allowed.

Additional Information

  • For on-prem customers, a restart of the cb-datastore service will clear the cache, which can then be built up again.
  • When using descendant filtering, if a process is filtered and does not do anything new to be added to the cleared cache, its descendants will continue to not be filtered.
  • CB-37587 has been created to enhance the ingress filter by clearing the cache to reset any matches that were previously listed as 'non-filtered'.