NGAV Reporting and Sensor Operations Exclusions only apply to Carbon Black Cloud Endpoint Standard because Carbon Black Cloud Endpoint Standard is a next-generation antivirus (NGAV) solution. Accordingly, NGAV Reporting and Sensor Operations Exclusions impact Carbon Black Cloud Endpoint Standard reporting, which is in the form of Observations and Alerts, and sensor operations.
NGAV Reporting and Sensor Operations Exclusions are similar in concept to the Permissions feature that is available to Carbon Black Cloud Endpoint Standard customers; however, because they are more customizable, they enable the creation of narrower, more precise exclusions.
NGAV Reporting and Sensor Operations Exclusions address a few shortcomings of Permission rules:
- When specifying the process criteria to which a Permissions rule applies, you can only specify the file path of the process.
- Inheritance is non-configurable; Permissions apply to descendant processes by default.
- Permissions rules apply to the specified process in the context of it being the initiator of process activity (the source file path of the actor process) and in the context of it being the target of activity (the target file path of the target process).
NGAV Reporting and Sensor Operations Exclusions:
- Support specification of one or more Process and/or Parent Process attributes:
- Certificate
- CMD
- Path
- SHA256
- Support configurable inheritance by descendant processes.
- Apply to the specified process and/or parent process criteria only in the context of that criteria defining the actor process, not the target process.
Impacted:
- Reporting of the following Observation types for the excluded process criteria:
- Blocked hash
- CB Analytics
- Contextual activity
- Host-based Firewall (if applicable)
- Intrusion Detection System (if applicable)
- Network Traffic Analysis (if applicable)
- TAU intelligence
- Relevant blocks and preventions, including hash bans and Core Preventions
Not Impacted:
- Reporting of the Indicator of Attack Observation type for the excluded process criteria
- Reporting of process events, including process creations and terminations
- Relevant Watchlist detections and the reporting of hits and alerts associated with those detections
- Sensor tamper detection and protection. Tamper Observations that pertain to the excluded process criteria persist.