What are the differences between API Bypass and Full Bypass
Article ID: 289877
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
What Policy Permissions rule Operations fall under Bypass and API Bypass?
Environment
Carbon Black Cloud Console: All Versions
Carbon Black Cloud Sensor: 1.0.7.x and higher
Microsoft Windows: All Supported Versions
Mac OS: All Supported Versions
Resolution
When adding a Permissions rule whose Action is Bypass for a given application, there are two choices for the Operation: “Performs any operation” or “Performs any API operation”.
Performs any operation - the Sensor bypasses policy enforcement for every operation listed in the table below. If interoperability issues persist with an API bypass, this option bypasses all network, file, and API operations for the specified application without placing the Sensor itself in full bypass. A rule of this type is inherited by the child processes of the specified application and should be used sparingly.
Performs any API operation - the Sensor bypasses policy enforcement only for the operations in the API category. Use this option first, before resorting to “Performs any operation”: it bypasses only the API operations of the specified application, so the Sensor retains visibility into that application's network and file operations.
Policy Operations                                      Network   File   API
Communicates over the network                             X
Runs or is running                                                 X
Invokes a command interpreter                                            X
Executes a fileless script                                               X
Scrapes memory of another process                                        X
Executes code from memory                                                X
Injects code or modifies memory of another process                       X
Performs ransomware-like behavior:
    modification of hidden files                                   X
    manipulate shadow copies                                                 X
    write to MBR                                                   X
Additional Information
Permissions rules where the Action is Bypass are effectively security holes: the Sensor has no visibility into what the specified application does in the specified path.
Best practice is to keep these paths as specific as possible, so the hole stays small and the overall security posture of the selected Policy, and of every endpoint assigned to it, is not reduced more than necessary.
Because 'Performs any operation' rules are inherited by the entire process tree of the listed process, it is critical not to list system processes or files that launch many other programs (winlogon.exe, svchost.exe, etc.).
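The three cautions above lend themselves to an automated review of a policy's Bypass rules before they are applied. The following is an added example written for this article, not Carbon Black code or a supported tool. It assumes a rule export shaped like the constructed sample below (keys application.type, application.value, operation, action, and the operation identifiers BYPASS_ALL for “Performs any operation” and BYPASS_API for “Performs any API operation” are assumptions; map them to whatever your own export uses). It flags a full bypass on a high-fan-out system process, a path that is too broad, and reminds the reviewer that an API-only bypass should have been tried first.

```python
"""Lint Carbon Black Cloud Permissions rules for overly broad Bypass actions.

Added example, not Carbon Black code. The rule shape and operation names
below are assumptions made for this illustration.
"""
import json
from dataclasses import dataclass

# Assumed identifiers for the two Bypass operation choices in the article.
BYPASS_ALL = "BYPASS_ALL"   # "Performs any operation" (inherited by child processes)
BYPASS_API = "BYPASS_API"   # "Performs any API operation" (file/network still visible)

# Processes that spawn much of the system. The article names these two;
# extend the set with whatever is appropriate for your estate.
HIGH_FANOUT = {"winlogon.exe", "svchost.exe"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical", "high" or "info"
    path: str
    message: str


def _segments(path):
    """Split a Windows or macOS path into lower-cased components."""
    norm = path.replace("/", "\\").lower()
    return [s for s in norm.split("\\") if s]


def _basename(path):
    segs = _segments(path)
    return segs[-1] if segs else ""


def is_broad_path(path):
    """True when the application path would match far more than one binary."""
    segs = _segments(path)
    # A wildcard-only file name matches every executable in that location.
    if _basename(path) in {"*", "*.exe", "**"}:
        return True
    # A recursive wildcard at the root, or right after the drive letter,
    # covers the whole volume (e.g. "**\\tool.exe", "C:\\**\\tool.exe").
    return (len(segs) >= 1 and segs[0] == "**") or (len(segs) >= 2 and segs[1] == "**")


def lint_rules(rules):
    """Return Findings for every NAME_PATH rule whose Action is BYPASS."""
    findings = []
    for rule in rules:
        if rule.get("action") != "BYPASS":
            continue
        app = rule.get("application", {})
        if app.get("type") != "NAME_PATH":
            continue
        path = app["value"]
        op = rule.get("operation")
        if op == BYPASS_ALL:
            if _basename(path) in HIGH_FANOUT:
                findings.append(Finding(
                    "critical", path,
                    "Performs any operation bypass on a high-fan-out system "
                    "process; the whole process tree inherits the bypass"))
            findings.append(Finding(
                "info", path,
                "full bypass removes file and network visibility for this path "
                "and its children; confirm an API-only bypass was tried first"))
        if is_broad_path(path):
            findings.append(Finding(
                "high", path,
                "path is not specific enough; narrow the location and file name"))
    return findings


# Constructed sample rules (not a real export) exercising each check.
SAMPLE_RULES = json.loads(r'''[
  {"application": {"type": "NAME_PATH", "value": "C:\\Windows\\System32\\svchost.exe"},
   "operation": "BYPASS_ALL", "action": "BYPASS"},
  {"application": {"type": "NAME_PATH", "value": "**\\backup.exe"},
   "operation": "BYPASS_API", "action": "BYPASS"},
  {"application": {"type": "NAME_PATH", "value": "C:\\Program Files\\Vendor\\Agent\\agent.exe"},
   "operation": "BYPASS_API", "action": "BYPASS"},
  {"application": {"type": "NAME_PATH", "value": "C:\\Program Files\\Vendor\\Agent\\agent.exe"},
   "operation": "NETWORK", "action": "TERMINATE"}
]''')


if __name__ == "__main__":
    for f in lint_rules(SAMPLE_RULES):
        print(f"[{f.severity.upper():8}] {f.path}: {f.message}")
```

The agent.exe rules produce no findings: the API-only bypass is scoped to a single binary in a specific directory, which is the shape these rules should take. Run the script against your own exported rules by replacing SAMPLE_RULES with the parsed export.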