Carbon Black Cloud: What Happens When Bypass has been Enabled on the device?

Article ID: 291964

Updated On:

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

What effect does enabling Sensor Bypass (Endpoints > Select Sensor > Take Action > Enable Bypass) have on Sensor activity?

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: All Versions
  • Microsoft Windows: All Versions
  • Apple macOS: All Versions

Resolution

Protection and Monitor Status

  • Policy Rules are not enforced so the Sensor is not actively protecting the device.
  • The Sensor will not send any new data to the Carbon Black Cloud console while it is in Bypass.

Remote Investigation

  • All device activity prior to Bypass being enabled will still be available on the Investigate Page in the Console.
  • Administrators can continue investigating a device from the PSC Console (Investigate Page, Live Response, Live Query, etc.).
  • VMware Carbon Black Support will still be able to pull sensor logs from the device while in quarantined mode.

Local Sensor Activity

  • All Sensor services (cbdefense and cbdefenseWSC) will continue to run.
  • The Sensor still locally logs system information, such as CPU and memory use.
  • The Sensor maintains the local databases by removing stale records and removing files that have been deleted. 
  • The Sensor still checks in to confirm configuration, policy rules, and requested sensor actions.
  • Signature updates for the local scanner still occur.
  • Repmgr is still running; it checks the reputations of any interesting files accessed.
  • This activity is recorded and stored locally, though not uploaded to the Console.