Carbon Black Cloud: What does BYPASS_POLICY TTP mean?

Article ID: 292355


Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

What does BYPASS_POLICY TTP mean? The Carbon Black Cloud User Guide does not provide sufficient information on the BYPASS_POLICY TTP.

Environment

  • Carbon Black Cloud Console
  • Carbon Black Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

  • BYPASS_POLICY TTP is set when we identify a driver callback that includes specially crafted command line arguments and an application attempted to bypass the device’s default security policy. See the Cb Defense User Guide.
  • In practice, this means the BYPASS_POLICY TTP is added whenever the Sensor observes a process attempting to bypass the PowerShell execution policy.

Additional Information

  • There are several ways to bypass the PowerShell execution policy. Executing “powershell -ExecutionPolicy Bypass” starts a PowerShell session that allows scripts to run and keeps the lowered restriction isolated to the current process only. Nothing is blocked and there are no warnings or prompts.
  • Executing “powershell -ExecutionPolicy Unrestricted” starts a PowerShell session that loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.