A key feature of the Carbon Black App Control Connector is the correlation of security notifications received from external sources with the real-time file data available for agent-managed computers.

In addition to the normal filtering and table column choices available for all Carbon Black App Control Console tables, the External Notifications page includes a menu that allows you to choose which files you would like correlated with notification data.

The Correlate with Carbon Black App Control panel includes the following choices:

  • New and Modified Files – This choice correlates Carbon Black App Control information with all files reported in the notification, including the top-level malware and any files it writes or modifies.
  • Only Untrusted Files – This choice correlates Carbon Black App Control information only for files in the notification for which the trust level reported by Carbon Black File Reputation is 5 or less.
  • Only Top Level Files – This choice correlates Carbon Black App Control information only for top-level files reported in the notification, not files written or modified by these files.
  • Include Deleted Files – This is a checkbox that is applied to any of the menu choices. If checked, files deleted from endpoints are included in those correlated with notification data. This can be a good choice when you want to be sure to track malware that deletes itself after execution, which is very often the case.
Note: You can also change the Correlate with Carbon Black App Control choice on the Known Files and Files on Computer tab in an External Notification Details page. A change in any of these locations affects all notification tables.

MD5 hashes included in external notifications are used to correlate with files in the Carbon Black App Control Server inventory. If a notification does not include an MD5 hash but does provide a SHA-256 hash, the SHA-256 hash is used for correlation.

In a small number of cases, Carbon Black App Control creates a "fuzzy" hash in its file inventory for files that change their hash every time they are installed because they include date, location, or other context-specific information. These hashes are identified as "SHA-256 (Normalized)", and they may not be able to correlate with SHA-256 hashes reported in external notifications. This is relevant only if there is no MD5 hash in the notification and the file identified in the notification required a fuzzy SHA-256 hash in the Carbon Black App Control Server’s file inventory.
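
The menu choices and the hash rules above can be modeled in a few lines. This is an added illustration, not Carbon Black code: the class names, field names, choice strings, and hash values are all constructed, and the server's actual matching logic is not shown on this page.

```python
# Simplified model of the correlation rules described on this page.
# Not Carbon Black code: every name and sample value below is constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class NotifFile:                  # file reported in an external notification
    name: str
    md5: Optional[str]
    sha256: Optional[str]
    top_level: bool
    trust: int                    # File Reputation trust level (assumed field)

@dataclass
class InventoryFile:              # file known to the server inventory
    md5: str
    sha256: str                   # may be a "SHA-256 (Normalized)" value
    deleted: bool = False

def select(files, choice):
    """Apply the 'Correlate with' menu choice to the notification's files."""
    if choice == "untrusted":
        return [f for f in files if f.trust <= 5]
    if choice == "top_level":
        return [f for f in files if f.top_level]
    return list(files)            # "new_and_modified": every reported file

def correlate(f, inventory, include_deleted=False):
    """Return (matching inventory entry or None, hash type used)."""
    pool = [i for i in inventory if include_deleted or not i.deleted]
    if f.md5:                     # MD5 is used whenever the notification has one
        return next((i for i in pool if i.md5 == f.md5), None), "md5"
    if f.sha256:                  # SHA-256 is only the fallback
        return next((i for i in pool if i.sha256 == f.sha256), None), "sha256"
    return None, "no-hash"

INVENTORY = [
    InventoryFile("md5-dropper", "sha-dropper", deleted=True),  # self-deleted
    InventoryFile("md5-setup", "sha-setup-NORMALIZED"),         # fuzzy hash
]
NOTIFICATION = [
    NotifFile("dropper.exe", "md5-dropper", "sha-dropper", True, 1),
    NotifFile("setup.exe", None, "sha-setup-raw", False, 3),    # no MD5 sent
    NotifFile("helper.dll", None, None, False, 8),
]

if __name__ == "__main__":
    for f in select(NOTIFICATION, "new_and_modified"):
        print(f.name, correlate(f, INVENTORY, include_deleted=True))
```

In this model, dropper.exe correlates only when deleted files are included, and setup.exe never correlates because the notification carries no MD5 and its raw SHA-256 differs from the normalized value in the inventory.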

For both the malware file and its parent process, file correlation begins immediately upon receipt of the notification by the Carbon Black App Control Server and continues as a background task for as long as is necessary to process the notification and synchronize with Carbon Black App Control file inventory processing. This is repeated for all unknown files until they are successfully correlated or until the notification is considered obsolete, normally 24 hours. This time period allows for correlation of a large number of new files whose notifications may arrive at the Carbon Black App Control Server before the server has processed the file into the Files on Computers inventory.

When files are successfully correlated, a Malicious file detected or Potential risk file detected event is generated containing the hashes of both the malware file and its parent process. If there are multiple files in the notification, the event is generated only for the top-level file. In the notification table and details, these hashes are links to the File Details pages for the respective files.

Note: When a file keeps the same name but is modified, its hash changes. Correlation can be attempted with the new hash, but if the new hash does not appear in a notification, the correlation will fail.