Issue
How to set up Exclusions when using VMware Carbon Black EDR for macOS endpoints?
Environment
VMware Carbon Black EDR (Response)
macOS
Resolution
Submit a request for Red Canary support to have the cb.conf file of the hosted EDR server updated to allow Exclusions. From there, a user with appropriate access can set up the exclusion via the Sensor Group from within the console.
NOTE:
- There is currently no way to create exclusions for the files of other security products in Cb Response for the Windows sensor.
- Process exclusions are only possible on macOS sensors 6.1.1 and higher.
See https://docs.vmware.com/en/VMware-Carbon-Black-EDR/7.8.0/vmw-cb-edr-ug/GUID-3B294CB3-085E-430F-B3F3-DF1F08D11209.html
From the User Guide for 7.3:
Through an addition to the cb.conf file, an Exclusions section can be added to the Create Group or Edit Group panel on the Sensors page. This Exclusions section lets you define paths on OS X/macOS systems and customize event collection at those paths to improve performance or eliminate unnecessary data. For example, you can specify that actions coming from one group of paths do not collect network connections or non-binary file writes. You can create another exclusion for a different set of paths that collects everything except cross-process events.
Find instructions on how to do this in the EDR 7.3 User Guide at https://community.carbonblack.com/t5/Documentation-Downloads/VMware-Carbon-Black-EDR-7-3-User-Guide/ta-p/95210
Creating Exclusions
You can specify exclusions when you create a sensor group, or add them to an existing sensor group. The following procedure assumes that the group already exists.
To create an OS X/macOS event collection exclusion for a sensor group:
1. On the navigation bar, click Sensors.
2. In the Groups panel of the Sensors page, click the gear icon next to the sensor group for which to create exclusions.
3. Click the Exclusions bar and click the Add Exclusion button. The Exclusion configuration fields are exposed.
4. Enter the path(s) to affect with this exclusion in the textbox in the upper right corner of the panel. Put each path on a new line. You must use complete paths without wildcards.
5. Check the box next to each type of information to not collect for the specified paths. Click Ok.
The exclusions are saved and displayed in the panel. You can edit or delete any exclusion.
6. When you have finished creating exclusions, click the Save Group button.
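Step 4 requires complete paths, one per line, with no wildcards. The following pre-check for a proposed path list is an added example, not part of the Carbon Black User Guide or the product. The function name, the set of characters treated as wildcards, and the list of paths considered too broad are assumptions, and the sample paths are constructed.

```python
# Added example: pre-check a proposed exclusion path list before pasting it
# into the sensor group's Exclusions panel.

WILDCARDS = set("*?[]")  # assumption: characters treated as wildcards

# Assumption (not from the User Guide): exclusions this broad would stop
# collection for most activity on the host, so they are held for review.
TOO_BROAD = {"/", "/Users", "/Applications", "/Library", "/System",
             "/usr", "/tmp", "/private/tmp", "/private/var"}


def check_exclusion_paths(text):
    """Return (accepted, problems) for a newline-separated list of paths."""
    accepted, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        path = raw.strip()
        if not path:
            continue
        normalized = path.rstrip("/") or "/"
        if not path.startswith("/"):
            reason = "not a complete path"
        elif WILDCARDS & set(path):
            reason = "contains a wildcard"
        elif any(part in (".", "..") for part in path.split("/")):
            reason = "contains a relative component"
        elif normalized in TOO_BROAD:
            reason = "too broad"
        elif normalized in accepted:
            reason = "duplicate"
        else:
            accepted.append(normalized)
            continue
        problems.append((lineno, path, reason))
    return accepted, problems


# Constructed sample input; the product names and paths are made up.
SAMPLE = """\
/Applications/ExampleBackup.app/Contents/MacOS/backupd
/Library/Application Support/ExampleAV/*
Library/Caches/example
/Users
/opt/example/bin/../bin/agent
/Applications/ExampleBackup.app/Contents/MacOS/backupd/
"""

if __name__ == "__main__":
    ok, bad = check_exclusion_paths(SAMPLE)
    print("\n".join(ok))
    for lineno, path, reason in bad:
        print(f"line {lineno}: {path!r}: {reason}")
```

Only the accepted paths should go into the Exclusions textbox; each rejected line is reported with its line number and reason so it can be corrected or narrowed first.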