Carbon Black Cloud: How to Disable Core Prevention Rules
Article ID: 292285
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Provide steps for disabling individual Core Prevention rule-sets
Environment
- Carbon Black Console: April 2022 Release (0.77.x) and Higher
- Carbon Black Cloud Windows Sensor: 3.6.x.x and Higher
- Microsoft Windows: All Supported Versions
Resolution
- Go to Enforce > Policies > Prevention Tab
- Expand Section “Core Prevention”
- Click desired Core Prevention name
  - Advanced Scripting Prevention (Windows AMSI)
  - Emerging Threats
  - Credential Theft
  - Privilege Escalation
  - Ransomware
- Toggle blocking as desired
  - "Alert only" OR "Block and Alert" Recommended
Additional Information
The primary recommendation when a Core Prevention rule is causing a block is to
create a Core Prevention exclusion, rather than disabling blocking.