Verifing Bypass Mode from the Console
Article ID: 290182
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Carbon Black Cloud Audit and Remediation
Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)
Carbon Black Cloud Endpoint Standard
Carbon Black Cloud Enterprise EDR
Carbon Black Cloud Managed Detection (formerly Cb Threatsight)
Carbon Black Cloud Managed Detection and Response
Carbon Black Cloud Managed Threat Hunting
Issue/Introduction
How to verify Bypass Mode from the Carbon Black Cloud Console
Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: All Versions
- Microsoft Windows: All Versions
- Apple MacOS: All Versions
Resolution
Endpoints Page
In order for Sensor Bypass actions to take effect, the sensor must check-in to the Carbon Black Cloud backend. Typically this occurs every 5-10 minutes.- Search for the device where Bypass was Enabled. Status can be changed to "All" to widen the search scope or "Bypass" to narrows the search scope.
- Under Device Last Check-In there will be one of two bypass descriptions:
- Sensor Bypass (User Action) - An end user placed the sensor in bypass from the Sensor UI, if this is enabled. See How to Enable\Disable Bypass from the Sensor UI
Knowledge Base and - Sensor Bypass (Admin Action) - An administrator placed the sensor in bypass from the CB Defense PSC Web Console. See How to Enable\Disable Bypass from the Web Console?
Knowledge Base
- Sensor Bypass (User Action) - An end user placed the sensor in bypass from the Sensor UI, if this is enabled. See How to Enable\Disable Bypass from the Sensor UI
Inbox Page
Triggered: Admin requested Bypass via Console Sent to Sensor: Sensor checked into Console, received Bypass hint
- Bypass Enabled
REQUEST TIME
DEVICE SUBTYPE STATUS REQUESTED BY ACTION Date/Time {InstalledBy} / {DeviceName} Bypass Triggered {AdminEmail} On Date/Time {InstalledBy} / {DeviceName} Bypass Sent to Sensor {AdminEmail} On
- Bypass Disabled
REQUEST TIME
DEVICE SUBTYPE STATUS REQUESTED BY ACTION Date/Time {InstalledBy} / {DeviceName} Bypass Triggered {AdminEmail} Off Date/Time {InstalledBy} / {DeviceName} Bypass Sent to Sensor {AdminEmail} Off
Additional Information
Sensor UI Taskbar Icon Meanings
| Pre 3.5 | Post 3.5 | Sensor Mode |
| Active | ||
| Bypass | ||
| Quarantine |
The Sensor Bypass (Admin Action) status is currently used as the default reason if there is a driver failure as well. So this status does not always mean that an Admin initiated the bypass.
Feedback
Yes
No
Powered by
