Carbon Black Cloud: What Happens When Bypass has been Enabled on the device?
Article ID: 291964
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
What effect does enabling Sensor Bypass (Endpoints > Select Sensor > Take Action > Enable Bypass) have on Sensor activity?
Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: All Versions
- Microsoft Windows: All Versions
- Apple macOS: All Versions
Resolution
Protection and Monitor Status
- Policy Rules are not enforced so the Sensor is not actively protecting the device.
- The Sensor will not send any new data to the Carbon Black Cloud console while it is in Bypass.
Remote Investigation
- All device activity prior to Bypass being enabled will still be available on the Investigate Page in the Console.
- Administrators can continue investigating a device from the PSC Console (Investigate Page, Live Response, Live Query, etc.).
- VMware Carbon Black Support will still be able to pull sensor logs from the device while in quarantined mode.
Local Sensor Activity
- All Sensor services (cbdefense and cbdefenseWSC) will continue to run.
- The Sensor still locally logs system information, such as CPU and memory use.
- The Sensor maintains the local databases by removing stale records and removing files that have been deleted.
- The Sensor still checks in to confirm configuration, policy rules, and requested sensor actions.
- Signature updates for the local scanner still occur.
- Repmgr is still running and checks the reputations of any interesting files accessed.
- This activity is recorded and stored locally, though not uploaded to the Console.