Adding a setting to the cb.conf file exposes an Exclusions section in the Create Group or Edit Group panel on the Sensors page. In this section, you define paths to executables and customize which events are collected from those executables, to improve performance or eliminate unnecessary data.

For example, you can specify that network connections and non-binary file writes are not collected for one set of applications. You can create another exclusion for a different set of applications that collects everything except cross-process events.

For Windows, be careful when adding multiple paths per exclusion. A syntax error in one path can cause the paths that follow it to not be recognized.

macOS Example:

The Xcode application (which is known to generate a lot of events) can be excluded by adding the path /Applications/Xcode.app/Contents/MacOS/Xcode.

Note: For more information about cb.conf, see the Carbon Black EDR Server Configuration Guide.

Add Exclusion Settings to the Sensor Group Panel

Follow this procedure to add Exclusion settings to the Sensor Group panel.

Procedure

  1. On the Carbon Black EDR server, open /etc/cb/cb.conf for editing.
  2. Add the following setting and value to the cb.conf file; consider including a comment to remind you of the purpose of the setting:
    EventExclusionsEnabled=True
  3. Save the cb.conf file.
  4. You must stop and restart the server or cluster to make the new setting effective:
    • For a standalone server:
      sudo service cb-enterprise restart
    • For clusters:
      sudo cbcluster stop

      (...wait for all the nodes to shut down, and then...)

      sudo cbcluster start
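
Steps 1 through 3 as a repeatable script. This is an added example, not Carbon Black tooling: the function names and the .bak backup suffix are hypothetical, and it assumes cb.conf is a plain key=value file with # comments.

```shell
#!/bin/sh
# Added example: idempotently set EventExclusionsEnabled=True in a cb.conf-style file.
# Function names and the .bak suffix are hypothetical, not part of the product.

KEY="EventExclusionsEnabled"

# Succeeds only when exactly one active (uncommented) KEY line exists and it is True.
exclusions_enabled() {
    conf="$1"
    active=$(grep -E "^[[:space:]]*${KEY}[[:space:]]*=" "$conf" || true)
    [ "$(printf '%s\n' "$active" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$active" | grep -Eq "=[[:space:]]*True[[:space:]]*$"
}

enable_event_exclusions() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    exclusions_enabled "$conf" && return 0      # already correct: change nothing
    cp -p "$conf" "$conf.bak" || return 1       # keep a rollback copy
    tmp=$(mktemp) || return 1
    # Drop every active KEY line (False values, duplicates); keep everything else,
    # including commented-out copies of the setting.
    grep -Ev "^[[:space:]]*${KEY}[[:space:]]*=" "$conf" > "$tmp" || true
    {
        echo "# Expose the Exclusions section in the sensor group panel"
        echo "${KEY}=True"
    } >> "$tmp"
    # cat into the existing file so its owner and mode are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp"
    exclusions_enabled "$conf"
}
```

Call enable_event_exclusions /etc/cb/cb.conf with sufficient privileges, then restart the server or cluster as described in step 4.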

Create Exclusions

You can specify exclusions when you create a sensor group, or add them to an existing sensor group. The following procedure assumes that the sensor group already exists.

Prerequisites

Before you can perform this procedure, you must add Exclusion Settings to the Sensor Group panel. See Add Exclusion Settings to the Sensor Group Panel.

Procedure

  1. On the left navigation bar, click Sensors.
  2. In the Groups panel of the Sensors page, click the gear icon next to the sensor group for which to create exclusions.
  3. Click the Exclusions bar and click the Add Exclusion button.
    The Exclusion configuration fields are exposed.
  4. Enter the path(s) to affect with this exclusion in the textbox in the upper right corner of the panel. Put each path on a new line.
  5. Check the box next to each type of information to not collect for the specified paths. Click Ok.
    The exclusions are saved and displayed in the panel. You can edit or delete any exclusion.
  6. When you have finished creating exclusions, click the Save Group button.
    Note:
    • You can use the wildcard * in exclusion paths. The exclusions will apply to all executables under the wildcard path. Be careful when using wildcards: having too many wildcards can affect performance.
    • Child processes inherit the event exclusion settings of the parent process.