Event Reporting & Sensor Operation Exclusions not working as expected on 3.6+ sensors

Article ID: 370291

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Event Reporting & Sensor Operation Exclusions were applied to a policy with 3.6+ Windows sensors; however, the exclusions are not working as designed.

Environment

  • Carbon Black Cloud Console: Current Version
  • Carbon Black Cloud Sensor: 3.6.x and higher
  • Microsoft Windows: All Supported Versions

Cause

The Event Reporting & Sensor Operation Exclusions Announcement suggests that the exclusions are supported on Windows sensors 3.6+, but are most effective on Windows sensors 4.0+.

Resolution

If the exclusions are not working as expected on sensor versions 3.6.x through 3.9.x, upgrade to sensor version 4.0.1 (MR1) or greater to take advantage of all the Event Reporting & Sensor Operation Exclusions functionality.

Additional Information

  • 'Event reporting and sensor operations' exclusions (ES-only or EEDR-only) and 'NGAV reporting and sensor operations' and 'All reporting and sensor operations' exclusions (ES+EEDR) are most effective on Windows sensors 4.0+
  • 'Event reporting' exclusions (EEDR-only or ES+EEDR) are equally effective on Windows sensors 3.6+