Setting up Exclusions in the Carbon Black Cloud Console for AV Products
search cancel

Setting up Exclusions in the Carbon Black Cloud Console for AV Products

book

Article ID: 292337

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Set up exclusions for an AV product in the Carbon Black Cloud Console

Environment

  • Carbon Black Cloud Console: All Versions
  • Endpoint Standard (Formerly CB Defense)

Resolution

  1. Log in to the Carbon Black Cloud Console
  2. Go to Enforce > Policies
  3. Select the desired Policy and click on the Prevention tab (See NOTE, in additional Notes Section)
  4. Click plus sign (+) next to "Permissions" section (If this section has already been expanded you will not see the + sign, until the - sign has been clicked and the section collapses)
  5. Click "Add application path" in "Permissions" section
  6. Enter the recommended file/folder exclusions from the appropriate security vendor
    Example Exclusion:
    *:\Program Files\McAfee\**
  7. Check "Bypass" option box for "Performs Any Operation"
  8. Click "Confirm"

Additional Information

  • Always carefully consider risks and benefits of setting up a permission rule for any application.
  • Search online for the recommendations from the vendor of the 3rd party software in relation to scanning AV (the closest thing to NGAV currently being called out)
  • Endpoint Standard sensor may interfere with an AV product installed on the same system. According to different policy rules, the Endpoint Standard sensor may prevent AV from taking actions to files or system.
    • For example, if a "known malware" blocking policy rule exists in device group, the Endpoint Standard sensor may block an AV product from accessing malicious files per that policy rule. This may prevent AV from being able to scan or quarantine malicious files.
    • This kind of interference is not an interoperability issue with an AV product, but a normal policy action with Endpoint Standard working as designed. In order to prevent this kind of interference, permissions need to be set up for respective AV folders/executables following the steps above
  • Refer to https://community.carbonblack.com/t5/Knowledge-Base/Endpoint-Standard-How-to-Create-Policy-Blocking-Isolation-and/ta-p/65941 for more information on permissions settings, correct syntax, etc.
  • NOTE: If no permissions or other Settings are visible, you have an EEDR Only Org and this article does not apply, as no exclusions can be created