Cb Defense: Why do Events in Console Include Bypassed Application Paths?
Article ID: 291237
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Why do bypassed applications and paths still show up in some Events in the Console?
Environment
- Cb Defense PSC Console: All Versions
- Cb Defense Sensor: All Versions
- Microsoft Windows: All Supported Versions
Resolution
Bypassed applications and paths are expected to still register in Events for the following reasons:
- Startup processes are logged by the Sensor regardless of Policy settings
- The application may be attempting to perform actions on protected processes (such as scraping lsass.exe memory)
- The application or path is being called from an application or path that is not bypassed