Endpoints can start to generate more Windows Event Viewer event codes 5152 and5157 which are related to WFP filter after being upgraded to the 4.0.2.1540 sensor version.

• Carbon Black Cloud Console: Current version
• Carbon Black Cloud Windows Sensor:4.0.2.1540 and higher
• Microsoft Windows OS: All Supported versions

The CB Cloud Windows sensor has used WFP for many versions and there are some new blocks/detections that are taking advantage of this feature in 4.0.2.1540.

This is normal and expected behavior for the CB Cloud Windows sensor 4.0.2.1540 version.

https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation