Issue
VMware Carbon Black EDR (Response) service stopping.
Environment
VMware Carbon Black EDR (Response)
third party antivirus
Resolution
Recommended folders and processes to exclude from third party antivirus scans:
| Operating System |
Sensor Version |
Path and Process |
| Windows |
7.1.0 and Higher |
- %WINDIR%\CarbonBlack\*
- %WINDIR%\CarbonBlack\cb.exe
- C:\Program Files\CarbonBlack\CbEDRAMSI.dll
- C:\Program Files (x86)\CarbonBlack\CbEDRAMSI.dll
|
| Windows |
7.0.1 and Lower |
- %WINDIR%\CarbonBlack\*
- %WINDIR%\CarbonBlack\cb.exe
|
| macOS/OS X |
6.2.7 and Lower |
- /var/lib/cb/*
- /Applications/CarbonBlack/CbOsxSensorService
- /Applications/CarbonBlack/CbDigitalSignatureHelper
- /System/Library/Extensions/CbOsxSensorNetmon.kext
- /System/Library/Extensions/CbOsxSensorProcmon.kext
|
macOS/OS X
|
6.3.0 and Higher |
- /var/lib/cb/*
- /Applications/VMware Carbon Black EDR.app/Contents/MacOS/CbOsxSensorService
- /Applications/VMware Carbon Black EDR.app/Contents/XPCServices/CbDigitalSignatureHelper.xpc
- /System/Library/Extensions/CbOsxSensorNetmon.kext
- /System/Library/Extensions/CbOsxSensorProcmon.kext
|
| Linux |
6.2.0 and Lower |
- /var/lib/cb/*
- /etc/init.d/cbdaemon
- /etc/rc*/*cbdaemon
- /usr/sbin/cbdaemon
- /etc/sysconfig/modules/cbresponse.modules
|
| Linux |
6.2.1 and Higher |
- /var/opt/carbonblack/response/*
- /etc/init.d/cbdaemon
- /usr/sbin/cbdaemon
- /opt/carbonblack/response/*
- /etc/sysconfig/modules/cbresponse.modules
|
See EDR: Which Sensor directories need exclusion from third party antivirus scans? for additional information.
