Configuring Exclusions for Core Prevention Rules
search cancel

Configuring Exclusions for Core Prevention Rules

book

Article ID: 292235

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Steps to identify and remediate Alerts due to Core Prevention rules.

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

  • Carbon Black Cloud allows for process-based exclusions in all six Core Prevention categories to allow for addressing false positives.
    • Advanced Scripting Prevention
    • Carbon Black Threat Intel
    • Credential Theft
    • Defense Evasion
    • Persistence
    • Privilege Escalation
  • As a general note, it is recommended to be as specific as possible when creating an exclusion and adding attributes, as broad exclusions can increase risk that undesired activity may not get blocked.

How to create an exclusion for Core Prevention rules:

  1. From the Console, navigate to Enforce > Policies > [Policy Name] > Prevention.
  2. Expand Core Prevention, then further expand the relevant Core Prevention category.
  3. Click the Add Exclusion button to add an exclusion.
  4. On the Add Exclusion page, choose a process type:
    • Parent process
    • Process
  5. Choose an attribute for the process type:
    • SHA-256: Allow a process with a specified hash to run. If the process hash changes, the exclusion must be updated accordingly.
    • Path: Allow an application to run from the specified path, regardless of the software version. Limit wildcards to keep the exclusion narrow.
    • CMD: Allow an application to run trusted commands or sets of commands (e.g. copying the process CMD value from the Alert).
    • Certificate: Allow a process signed by a specific certificate authority and publisher to run. If the certificate authority or publisher changes, the exclusion must be updated accordingly.
    Tip: Multiple values can be specified for a single attribute by clicking the Add (+) button, which will create a logical OR statement for that attribute (e.g. SHA-256 123 OR SHA-256 456).
  6. Specify additional attributes as needed by clicking Add another attribute and repeating steps 4-5.
    Tip: Adding multiple attributes creates a logical AND statement an execution must fit for the exclusion to apply (e.g. SHA-256 123 AND Path C:\ABC)
  7. Add a Note to the exclusion, if desired.
  8. Click Next, review summary, then click Save if summary is correct.
  9. Finally, click Save at the top of the Prevention page to finalize all pending changes. 

Additional Information

  • To identify Alerts caused by Core Prevention rules from the Alerts page, click the expand arrow under Actions to view Alert Details then, under "WHAT TRIGGERED THIS ALERT?", look for the Core Prevention category in the Rule field.
  • A short, three-minute demo of how to identify and remediate Core Prevention blocks can be found (Introducing Enhancements to our Core Prevention Exclusions) on Carbon Black Tech Zone.
  • Exclusions can be added for either the parent process or the primary process, which provides more options to exclude various use cases.
  • For either the parent or primary process, the process path, command line, hash, or certificate information can be specified.
  • Wildcards can be used to specify files or directories for the path, command line, and certificate fields.