Core Prevention exclusions not working on target files

Article ID: 422371

Products

Carbon Black Cloud Endpoint Standard

Issue/Introduction

Core Prevention policy rules DENY or TERMINATE processes based on the reputation of their target file. Core Prevention exclusions, however, can only specify Parent Processes and Processes, so an exclusion does not prevent the rule from applying.

Environment

  • Carbon Black Cloud Console: Current Version
  • Carbon Black Cloud Windows Sensor: All Supported Versions
  • Microsoft Windows OS: All Supported Versions

Cause

Processes such as command interpreters can execute scripts and fileless actions that match Core Prevention rules, but the target of the block action is not the Process (the command interpreter) itself.

Resolution

In some situations, Core Prevention Exclusions cannot prevent the DENY or TERMINATE actions, because the CBC console only provides options to exclude the PARENT PROCESS or the PROCESS value and not the TARGET value.

WORKAROUND:

  • Use the Reputation function to apply an Allow Reputation to the target file (by path or SHA-256 hash) that is being blocked by the Core Prevention policy rule.

Additional Information

Improving Core Prevention Exclusions is a feature request that has been in the works for a while. With the next feature update for Core Preventions, we expect to add the ability to include target files in exclusions so that they do not trigger the Core Prevention policy.