EDR: Create Windows Exclusions

Article ID: 287616

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to create Windows Exclusions within a Sensor Group.

Environment

  • EDR Server: 7.6.1 and higher
  • EDR Windows Sensor: 7.3.0 and higher

Resolution

  1. Modify /etc/cb/cb.conf to include: 
    EventExclusionsEnabled=True
  2. Restart the EDR server or cluster.
  3. In the EDR console, Sensors > Groups, click the gear icon next to the sensor group.
  4. Expand Exclusions bar and click Add Exclusion button.
  5. Add one or more paths, one path per line. See the examples under Additional Information below.
  6. Select the options below to filter for that path. (The 'Process information' and 'Network connections' options are ignored.)
  7. Click the 'Ok' button.
  8. Click the 'Save Group' button.

Additional Information

  • Paths are for process-backed binary executables (.exe).
  • Paths are case sensitive.
  • Paths must not contain forward slashes.
  • Paths must contain a drive letter, a valid environment variable (which yields a drive letter) or a wildcard prior to the first backslash.
  • Paths may contain multiple wildcard characters.
  • Valid path exclusion examples:
      C:\somefile.exe
      C:\somedir\somefile.exe
      C:\*\somefile.exe
      *\somefile.exe
      *somefile.exe
      *\somedir\some*file.exe
      %SystemRoot%\System32\cmd.exe
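The following is an added example, not code from the article or from Carbon Black: a small Python checker that applies the path rules listed above to candidate exclusions and shows which process image paths a pattern would silence, so an over-broad exclusion (which removes events the EDR would otherwise record) can be caught before the group is saved. The environment-variable mapping, the helper names and the sample process paths are constructed for the example; how the sensor itself expands variables or matches wildcards is not specified on this page, and the matcher here simply treats '*' as "any run of characters" and compares case-sensitively, as the bullets state.

```python
import re

# Constructed for the example: on a real host these values come from the Windows
# environment of the machine running the sensor (assumption, not from the article).
SAMPLE_ENV = {"SystemRoot": r"C:\Windows", "ProgramFiles": r"C:\Program Files"}

_DRIVE = re.compile(r"^[A-Za-z]:$")        # e.g. "C:"
_ENVVAR = re.compile(r"^%[^%\\]+%$")       # e.g. "%SystemRoot%"


def validate_exclusion(path: str) -> list:
    """Return the rule violations for one exclusion path (empty list = valid).

    The rules checked are the ones stated under Additional Information:
    no forward slashes, .exe binaries only, and a drive letter, environment
    variable or wildcard before the first backslash.
    """
    problems = []
    if "/" in path:
        problems.append("contains a forward slash")
    if not path.endswith(".exe"):
        problems.append("does not name a .exe binary")
    # Text before the first backslash, or the whole string when there is none
    # (e.g. "*somefile.exe").
    head = path.split("\\", 1)[0]
    if not (_DRIVE.match(head) or _ENVVAR.match(head) or "*" in head):
        problems.append(
            "no drive letter, environment variable or wildcard before the first backslash"
        )
    return problems


def expand_env(path: str, env: dict) -> str:
    """Replace %NAME% tokens with values from env; unknown names are left untouched."""
    return re.sub(r"%([^%\\]+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def exclusion_matches(pattern: str, process_path: str, env: dict = SAMPLE_ENV) -> bool:
    """Case-sensitive match of a full process image path against one exclusion.

    '*' matches any run of characters, backslashes included, so "*\\somefile.exe"
    matches that file name at any depth on any drive.
    """
    expanded = expand_env(pattern, env)
    # re.escape turns '*' into '\*'; swap that back for a regex wildcard.
    regex = re.escape(expanded).replace(r"\*", ".*")
    return re.fullmatch(regex, process_path) is not None


def audit_exclusions(patterns, process_paths, env: dict = SAMPLE_ENV) -> dict:
    """Map each exclusion to the sample process paths it would exclude from
    event collection, so over-broad patterns stand out during review."""
    return {
        p: [proc for proc in process_paths if exclusion_matches(p, proc, env)]
        for p in patterns
    }


if __name__ == "__main__":
    # Constructed sample process paths, as a sensor might report them.
    sample_processes = [
        r"C:\somefile.exe",
        r"C:\Users\alice\Downloads\somefile.exe",
        r"D:\apps\somedir\somebigfile.exe",
        r"C:\Windows\System32\cmd.exe",
        r"c:\windows\system32\cmd.exe",
    ]
    candidates = [
        r"C:\*\somefile.exe",
        r"*\somedir\some*file.exe",
        r"%SystemRoot%\System32\cmd.exe",
        "C:/somefile.exe",          # invalid: forward slash
        r"somedir\somefile.exe",    # invalid: nothing usable before the first backslash
    ]
    for pattern in candidates:
        issues = validate_exclusion(pattern)
        if issues:
            print(f"REJECT {pattern}: {', '.join(issues)}")
    valid = [p for p in candidates if not validate_exclusion(p)]
    for pattern, hits in audit_exclusions(valid, sample_processes).items():
        print(f"{pattern} -> {hits}")
```

Run it as a script to see the rejected patterns and, for each valid one, the sample processes it would exclude; the lowercase cmd.exe path is deliberately left unmatched to show that matching is case sensitive.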