Carbon Black Cloud: How to Verify the Sensor is in Bypass mode locally (Windows)
search cancel

Carbon Black Cloud: How to Verify the Sensor is in Bypass mode locally (Windows)

book

Article ID: 292145

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Provide steps to verify the current bypass status of the Windows Defense Sensor locally.

Environment

  • Carbon Black Cloud Sensor: 3.4.x version and below
  • Microsoft Windows: All Supported Versions

Resolution

  1. Open an elevated command window on the endpoint to be checked.
  2. Issue the following command 
    reg query "HKLM\System\CurrentControlSet\Services\CbDefense"
  3. Examine the output for the subkey "Passthru",
    1. If the subkey exists and it's value is at 0x1, the sensor is in bypass mode

Additional Information

  • For version 3.5.x and above, use the Repcli method to verify the sensor bypass status by following Click Here
  • If the sensor is not in Bypass, then Passthru REG_DWORD will not be displayed.
  • For version 1 (1.0.6.196 and earlier), use the following command (Confer Sensor Service in place of CbDefense): reg query "HKLM\System\CurrentControlSet\Services\Confer Sensor Service"
Powered by Wolken Software