EDR: How to exclude "c:\windows\carbonblack\upgrade\upgrade.exe" process from Tamper Detection alliance feed

Article ID: 291175

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Exclude the "c:\windows\carbonblack\upgrade\upgrade.exe" process from the Tamper Detection alliance feed
  • Suppress the corresponding alerts that the Tamper Detection alliance feed raises for the Carbon Black sensor upgrade.exe process

Environment

  • EDR Console: All Supported Versions
  • EDR Server: All Supported Versions

Resolution

  1. Ensure that the "Tamper Detection alliance feed" is enabled, with its alerts-on-trigger option disabled
  2. Create a new watchlist using the query:
    (alliance_score_cbtamper:*) AND -path:"c:\windows\carbonblack\upgrade\upgrade.exe"
  3. Enable alerts for this watchlist