CB Response: Process Exclusions for OSX does not catch all instances
Article ID: 287916
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Process exclusion for OSX does not catch all instances
Environment
- Carbon Black Response Sensor: 5.x and above
- Apple MacOS: All Supported Versions
Cause
- Processes such as launchd that start as part of the boot sequence ahead of the sensor daemon and/or launches the sensor itself will not be excluded.
- If an already running system process loading a new image during the boot sequence it will also not be excluded.
Resolution
This is currently working as designed.
Additional Information
A feature request has been created to improve upon this feature. Response Process Exclusion: Cannot exclude processes launched at start (Mac Sensor)
Feedback
Yes
No
Powered by
