diff --git a/chart/templates/gatekeeper/values.yaml b/chart/templates/gatekeeper/values.yaml
index 2ef0bf224ec6f0dd01189279614c6e9a38782c3a..2c00f27118e5719a084944be503fc4243df8dcbb 100644
--- a/chart/templates/gatekeeper/values.yaml
+++ b/chart/templates/gatekeeper/values.yaml
@@ -56,6 +56,7 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
       - logging/logging-fluent-bit-.*
       {{- end }}
       {{- if .Values.neuvector.enabled }}
+      # Neuvector needs access to host to inspect network traffic
       - neuvector/neuvector-enforcer-pod.*
       - neuvector/neuvector-controller-pod.*
       {{- end }}
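Review bot: The added comment sits above two exclusions, `neuvector-enforcer-pod.*` and `neuvector-controller-pod.*`, but does not say which of them needs host access to inspect network traffic. The later hunk `@@ -99,6 +93,7 @@` (apparently under hostNetworking) carries the same sentence and excludes only the enforcer, so the controller entry here has no stated justification. I would comment each entry separately, e.g. `# enforcer: host access to inspect node network traffic` plus a line stating why the controller is exempt, or drop the controller if it does not need it. The privileged hunk `@@ -116,6 +111,7 @@` and the Kyverno hunks `@@ -30,6 +30,7 @@` and `@@ -112,6 +104,7 @@` use the same single comment for the whole exclusion. The constraint key this list belongs to is above the hunk, so which control is being relaxed cannot be confirmed from here.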
@@ -73,13 +74,6 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
       {{- end }}
   {{- end }}
 
-  {{- if .Values.neuvector.enabled }}
-  bannedImageTags:
-    parameters:
-      excludedResources:
-        - neuvector/neuvector-scanner-pod.*
-  {{- end }}
-
   {{- if .Values.twistlock.enabled }}
   hostNetworking:
     parameters:
@@ -99,6 +93,7 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
         - twistlock/twistlock-defender-ds-.*
         {{- end }}
         {{- if .Values.neuvector.enabled }}
+        # Neuvector needs access to host to inspect network traffic
         - neuvector/neuvector-enforcer-pod.*
         {{- end }}
   {{- end }}
@@ -116,6 +111,7 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
         # Fluentbit needs privileged to read and store the buffer for tailing logs from the nodes
         - logging/fluent-bit
         {{- if .Values.neuvector.enabled }}
+        # Neuvector needs privileged access for realtime scanning of files from the node / access to the container runtime
         - neuvector/neuvector-enforcer-pod.*
         - neuvector/neuvector-controller-pod.*
         {{- end }}
@@ -185,7 +181,12 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
         - logging/logging-promtail-.*
        {{- end }}
        {{- if .Values.neuvector.enabled }}
-        # Neuvecotr requires hostpath volume types
+        # Neuvector requires hostpath volume types
+          # Neuvector mounts the following hostPaths:
+          # `/var/neuvector`: (as writable) for Neuvector's buffering and persistent state
+          # `/var/run`: communication to docker daemon
+          # `/proc`: monitoring of proccesses for malicious activity
+          # `/sys/fs/cgroup`: important files the controller wants to monitor for malicious content
         # https://github.com/neuvector/neuvector-helm/blob/master/charts/core/templates/enforcer-daemonset.yaml#L108
         - neuvector/neuvector-enforcer-pod.*
         - neuvector/neuvector-controller-pod.*
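Review bot: The `/var/run` line describes the mount as "communication to docker daemon", which understates what this exemption allows: a hostPath on `/var/run` exposes the container runtime socket, and a pod holding it can control the other containers on the node. I would say so in the comment, e.g. `# /var/run: container runtime socket (node-level control if the pod is compromised)`, so the next reviewer of this exclusion sees the cost. The list also covers `neuvector-controller-pod.*` while the linked template is the enforcer daemonset, so it is worth confirming that the controller mounts these paths too. The added lines are indented two spaces deeper than the comments around them and spell "proccesses"; the typo recurs in the Kyverno hunks `@@ -493,6 +486,11 @@` and `@@ -657,6 +657,11 @@`, and the extra indent recurs in the latter.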
diff --git a/chart/templates/kyverno/policies/values.yaml b/chart/templates/kyverno/policies/values.yaml
index a3c1c75dd1026373c08e2b3ceb0630859a46fa6a..aef3824b4578fd93aa1caba81a61063ce9f54b73 100644
--- a/chart/templates/kyverno/policies/values.yaml
+++ b/chart/templates/kyverno/policies/values.yaml
@@ -30,6 +30,7 @@ policies:
           - twistlock-defender-ds*
       {{- end }}
       {{- if .Values.neuvector.enabled }}
+      # Neuvector needs access to host to inspect network traffic
       - resources:
           namespaces:
           - neuvector
@@ -71,15 +72,6 @@ policies:
   disallow-image-tags:
     enabled: true
     validationFailureAction: enforce
-    {{- if .Values.neuvector.enabled }}
-    exclude:
-      any:
-      - resources:
-          namespaces:
-          - neuvector
-          names:
-          - neuvector-scanner-pod*
-    {{- end }}
 
   disallow-istio-injection-bypass:
     enabled: {{ .Values.istio.enabled }}
@@ -112,6 +104,7 @@ policies:
           - logging-fluent-bit*
       {{- end }}
       {{- if .Values.neuvector.enabled }}
+      # Neuvector needs privileged access for realtime scanning of files from the node / access to the container runtime
       - resources:
           namespaces:
           - neuvector
@@ -493,6 +486,11 @@ policies:
           - twistlock-defender-ds*
       {{- end }}
       {{- if .Values.neuvector.enabled }}
+      # Neuvector mounts the following hostPaths:
+      # `/var/neuvector`: for Neuvector's buffering and persistent state
+      # `/var/run`: communication to docker daemon
+      # `/proc`: monitoring of proccesses for malicious activity
+      # `/sys/fs/cgroup`: important files the controller wants to monitor for malicious content
       - resources:
           namespaces:
           - neuvector
@@ -540,6 +538,8 @@ policies:
           - twistlock-defender-ds*
       {{- end }}
       {{- if .Values.neuvector.enabled }}
+      # Neuvector mounts the following hostPaths as writeable: 
+      # `/var/neuvector`: for Neuvector's buffering and persistent state
       - resources:
           namespaces:
           - neuvector
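Review bot: The first added comment line ends in a trailing space after the colon and spells "writeable" where the other hunks in this commit use "writable"; `# Neuvector mounts the following hostPaths as writable:` fixes both. The comment also reads as if `/var/neuvector` were the only host path the pods can affect, but the other hunks list `/var/run` for the docker daemon, and a Unix socket remains usable through a read-only mount. If this exclusion belongs to a host-path write restriction (the policy key is above the hunk), a second line such as `# /var/run is mounted too; its runtime socket is usable even when read-only` would keep the comment from overstating the containment.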
@@ -657,6 +657,11 @@ policies:
       {{- end }}
       {{- if .Values.neuvector.enabled }}
       # Neuvector requires HostPath volume types
+        # Neuvector mounts the following hostPaths:
+        # `/var/neuvector`: (as writable) for Neuvector's buffering and persistent state
+        # `/var/run`: communication to docker daemon
+        # `/proc`: monitoring of proccesses for malicious activity
+        # `/sys/fs/cgroup`: important files the controller wants to monitor for malicious content
       # https://github.com/neuvector/neuvector-helm/blob/master/charts/core/templates/enforcer-daemonset.yaml#L108
       - resources:
           namespaces:
diff --git a/chart/values.yaml b/chart/values.yaml
index 77dfb10e2a532c7666a4009eaeec154a29259dd1..446fd55ab43f1dca6738f37032676b6f72698b91 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -574,7 +574,7 @@ neuvector:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/neuvector.git
     path: "./chart"
-    tag: "2.4.0-bb.0"
+    tag: "2.4.0-bb.1"
 
   # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
   ingress: