There are two primary types of exclusions: Event Reporting Exclusions, and Event Reporting and Sensor Operations Exclusions.
Event Reporting Exclusions
Event Reporting Exclusions are used to reduce network bandwidth consumption or to eliminate noise caused by the reporting of high-volume, routine process events. These exclusions are appropriate for resolving network performance issues.
Because these exclusions are enforced by the sensor, excluded process events are not sent from the sensor to Carbon Black Cloud. This reduces the amount of data that is sent over the network and made consumable through the API and Carbon Black Cloud console.
Event Reporting and Sensor Operations Exclusions
Event Reporting and Sensor Operations Exclusions are used to reduce the sensor’s endpoint resource consumption, such as CPU or memory consumption. These exclusions are appropriate for resolving endpoint performance issues or interoperability issues with third-party software.
Event Reporting and Sensor Operations Exclusions are a more severe form of exclusion relative to Event Reporting Exclusions. They are additive because they exclude event reporting and sensor operations that would otherwise be performed by the Carbon Black Cloud sensor, such as hash reporting and banning, reputation and signature determinations, and detections.
Customers who have Carbon Black Cloud Endpoint Standard and Carbon Black Cloud Enterprise EDR have access to three exclusion types because the Event Reporting and Sensor Operations Exclusion consists of two subtypes that have different product scopes:
- NGAV Reporting and Sensor Operations Exclusions
- All Reporting and Sensor Operations Exclusions
NGAV Reporting and Sensor Operations Exclusions
An NGAV Reporting and Sensor Operations Exclusion only applies to Carbon Black Cloud Endpoint Standard. It does not impact event reporting or sensor operations associated with Carbon Black Cloud Enterprise EDR. By limiting the scope of this exclusion type to Carbon Black Cloud Endpoint Standard, there is potential to resolve an endpoint performance or interoperability issue without impacting Carbon Black Cloud Enterprise EDR. Therefore, you can maintain full visibility into process event activity and the efficacy of relevant Watchlist detections.
All Reporting and Sensor Operations Exclusions
An All Reporting and Sensor Operations Exclusion applies to Carbon Black Cloud Endpoint Standard and Carbon Black Cloud Enterprise EDR. Unlike an NGAV Reporting and Sensor Operations Exclusion, this type of exclusion impacts Carbon Black Cloud Enterprise EDR. For customers who have both Carbon Black Cloud Endpoint Standard and Carbon Black Cloud Enterprise EDR, this is the most severe and comprehensive exclusion type, which suppresses the greatest degree of event reporting and sensor operations.
If you encounter an endpoint performance or interoperability issue that requires an Event Reporting and Sensor Operations Exclusion, Carbon Black recommends that you try to resolve the issue by using an NGAV Reporting and Sensor Operations Exclusion first before implementing the more comprehensive and more severe All Reporting and Sensor Operations Exclusion. An All Reporting and Sensor Operations Exclusion reduces visibility and detections to a greater degree than an NGAV Reporting and Sensor Operations Exclusion.
