Endpoint Standard: How to disable Endpoint Standard Reporting & Enforcement with Policy Rules
Article ID: 292184
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
How to disable Endpoint Standard with Policy Rules
Environment
Endpoint Standard (was CB Defense): All Versions
Resolution
At this time, Endpoint Standard cannot be fully disabled using the default Policy settings available. As a workaround, Endpoint Standard Enforcement & Reporting can be partially disabled using Policy Rules, with a few exceptions and caveats. See Additional Information for details.
1. Log into the Carbon Black Console
2. Go to Enforce > Policies > Prevention Tab
3. Select Add Application Path
4. Enter Application(s) at path: **
5. Select OPERATION ATTEMPT "Performs any operation"
6. Select ACTION "Bypass"
7. Select the Confirm button
8. Select Save (top or bottom of the page)
Additional Information
This KB will be updated when official support for disabling Endpoint Standard at the policy level is available.
If a standalone double wildcard, **, is used, the sensor is still active, but (defense) Endpoint Standard policy enforcement is disabled and the sensor will not report events.
Disabling Endpoint Standard using a standalone double wildcard can have some unintended side effects, e.g. the Background Scan completes without scanning bypassed files and never runs again.
The sensor will continue to perform signature pack updates, scan for malicious services, evaluate dynamic rules, and enforce tamper protection. Enterprise EDR dynamic rules will continue to report events, since those rules aren't enforced by Endpoint Standard policies.
Some Core Prevention rules can only be disabled using API bypass, and other Core Prevention rules will continue to be evaluated and enforced regardless of bypass policy rules.
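Because this rule silences both enforcement and event reporting for a policy, it is worth auditing for. The following is an added example, not part of the original article or Carbon Black's own tooling: it flags every policy in exported policy data that contains a standalone ** path rule set to bypass all operations. The field names, the BYPASS_ALL / IGNORE values and the comma-separated path list are assumptions about the export format.

```python
# Constructed sample of exported policies. Field names and the values
# BYPASS_ALL / IGNORE are assumptions about the export format, not taken
# from the article.
SAMPLE_POLICIES = [
    {"name": "Standard", "rules": [
        {"application": {"type": "REPUTATION", "value": "KNOWN_MALWARE"},
         "operation": "RUN", "action": "DENY"},
        # Scoped bypass: limited to one directory tree, not flagged.
        {"application": {"type": "NAME_PATH", "value": r"C:\Tools\backup\**"},
         "operation": "BYPASS_ALL", "action": "IGNORE"},
        # Standalone ** but a deny rule, not a bypass: not flagged.
        {"application": {"type": "NAME_PATH", "value": "**"},
         "operation": "NETWORK", "action": "DENY"}]},
    {"name": "Lab - sensor quiet", "rules": [
        # Standalone ** with stray whitespace around it.
        {"application": {"type": "NAME_PATH", "value": " ** "},
         "operation": "BYPASS_ALL", "action": "IGNORE"}]},
    {"name": "Build servers", "rules": [
        # Standalone ** hidden at the end of a multi-path entry.
        {"application": {"type": "NAME_PATH", "value": r"D:\build\**, **"},
         "operation": "BYPASS_ALL", "action": "IGNORE"}]},
]


def is_global_bypass(rule):
    """True if the rule bypasses all operations for a standalone ** path."""
    app = rule.get("application", {})
    if app.get("type") != "NAME_PATH":
        return False
    if rule.get("operation") != "BYPASS_ALL" or rule.get("action") != "IGNORE":
        return False
    # Assumption: several paths may be entered as one comma-separated value.
    paths = [p.strip() for p in app.get("value", "").split(",")]
    return "**" in paths


def policies_with_global_bypass(policies):
    """Names of policies whose enforcement and reporting are effectively off."""
    return [p["name"] for p in policies
            if any(is_global_bypass(r) for r in p.get("rules", []))]


if __name__ == "__main__":
    for name in policies_with_global_bypass(SAMPLE_POLICIES):
        print("standalone ** bypass rule in policy:", name)
```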