Create Windows Exclusions
Article ID: 287616
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
How to create Windows Exclusions within a Sensor Group.
Environment
- EDR Server: 7.6.1 and higher
- EDR Windows Sensor: 7.3.0 and higher
Resolution
- Modify /etc/cb/cb.conf to include:
EventExclusionsEnabled=True
- Restart the EDR server or cluster.
- The value only has to be added to the Primary server but can also be added to the Secondary servers.
- In the EDR console, go to Sensors > Groups and click the gear icon next to the sensor group.
- Expand the Exclusions bar and click the Add Exclusion button.
- Add one or more paths, one path per line. See examples below.
- Select the options below to filter for that path. (The 'Process information' and 'Network connections' options are ignored.)
- Click the 'Ok' button.
- Click the 'Save Group' button.
Additional Information
- Paths are for process-backed binary executables (.exe).
- Paths are case sensitive.
- Paths must not contain forward slashes.
- Paths must contain a drive letter, a valid environment variable (which yields a drive letter) or a wildcard prior to the first backslash.
- Paths may contain multiple wildcard characters.
- Valid path exclusion examples:
C:\somefile.exe
C:\somedir\somefile.exe
C:\*\somefile.exe
*\somefile.exe
*somefile.exe
*\somedir\some*file.exe
%SystemRoot%\System32\cmd.exe
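
A pre-check for a list of exclusion paths against the rules above, as an added example that is not part of the original article and not Carbon Black code. The function names and the allow-list of environment variables are assumptions; the sensor's own matching logic is not shown on this page.

```python
import re

# Assumption: variables this check treats as expanding to a drive-rooted path.
# Adjust to what your endpoints define; the article does not list them.
DRIVE_ROOTED_VARS = {"SystemRoot", "SystemDrive", "windir", "ProgramFiles", "ProgramData"}

_DRIVE = re.compile(r"[A-Za-z]:")
_ENV_VAR = re.compile(r"%([^%]+)%")


def check_exclusion_path(path, known_vars=DRIVE_ROOTED_VARS):
    """Return the rule violations for one exclusion path (empty list = passes)."""
    problems = []
    if "/" in path:
        problems.append("contains a forward slash")
    # Everything before the first backslash; the whole string if there is none.
    prefix = path.split("\\", 1)[0]
    env = _ENV_VAR.fullmatch(prefix)
    if "*" in prefix or _DRIVE.fullmatch(prefix):
        pass
    elif env:
        if env.group(1).lower() not in {v.lower() for v in known_vars}:
            problems.append("environment variable not in the allow-list")
    else:
        problems.append("no drive letter, environment variable or wildcard "
                        "before the first backslash")
    if not path.lower().endswith(".exe"):
        problems.append("does not name an .exe binary")
    return problems


def check_exclusion_list(text, known_vars=DRIVE_ROOTED_VARS):
    """Check a one-path-per-line block as it would be pasted into the console."""
    return {line: check_exclusion_path(line, known_vars)
            for line in text.splitlines() if line.strip()}


# Constructed sample: two of the article's valid examples plus three bad entries.
SAMPLE = r"""C:\somedir\somefile.exe
%SystemRoot%\System32\cmd.exe
C:/somedir/somefile.exe
somedir\somefile.exe
C:\somedir\somefile.dll"""

if __name__ == "__main__":
    for path, problems in check_exclusion_list(SAMPLE).items():
        print(("OK   " if not problems else "FAIL ") + path, *problems, sep="\n       ")
```

Case sensitivity cannot be checked offline; compare each entry against the binary's path as it appears on the endpoint.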