Carbon Black Cloud assigns reputations to pre-existing files depending on the Background Scan and the On-Access File Scan Mode policy settings of the device.
LOCAL_WHITE
reputation to files that exist on the device prior to sensor installation. When the
Run background scan option is enabled or the
On-Access File Scan Mode is set to
Normal, or
Aggressive on the device, the sensor assigns a definite reputation.
Following are key considerations when the Carbon Black Cloud sensor assigns reputations to pre-existing files.
- Unknown (
RESOLVING
) reputation means the sensor has not yet reached the Carbon Black Cloud backend. - Definite reputation refers to any Carbon Black Cloud reputation except the
NOT_LISTED
andRESOLVING
reputations. - Linux is not supported.
- Local Scanner settings are only supported by Windows sensor versions 2.0.1 and later.
Reputation Assignment when Run background scan and On-Access File Scan Mode are Enabled
Carbon Black Cloud assigns reputations to pre-existing files when Run background scan option is enabled and On-Access File Scan Mode option is set to Aggressive.
When the Background Scan is enabled on the device, the existing file is assigned a reputation during the Background Scan.
When the On-Access File Scan Mode option is set to Aggressive, on file execute the Local Scanner scans the pre-existing file.
- If the Carbon Black Cloud returns a definite reputation with higher priority than the existing one, the sensor upgrades the reputation.
- If the Local Scanner returns a definite reputation with a higher priority than the reputation returned by the Cloud, the sensor assigns the reputation.
Reputation Assignment when Run background scan is Disabled and On-Access File Scan Mode - Enabled
Carbon Black Cloud assigns reputations to pre-existing files when Run background scan option is disabled and On-Access File Scan Mode option is set to Aggressive.
Since the Background Scan is disabled, the existing file does not have an assigned reputation. Therefore, by default, the Carbon Black Cloud sensor assigns the LOCAL_WHITE
reputation with an initial trust so that the existing file is allowed to run upon execute.
On file execute, the Local Scanner scans the pre-existing file. The sensor upgrades the default reputation by applying the definite reputation with the highest priority returned by the Local Scanner. A definite reputation refers to any other reputation except for the NOT_LISTED
and RESOLVING
ones.
Reputation Assignment when Run background scan and On-Access File Scan Mode are Disabled
Carbon Black Cloud assigns reputations to pre-existing files when Run background scan option is disabled and On-Access File Scan Mode option is set to Disabled or Normal.
Since the Background Scan is disabled, the existing file does not have an assigned reputation. Therefore, by default, the Carbon Black Cloud sensor assigns the LOCAL_WHITE
reputation with an initial trust so that the existing file is allowed to run upon execute. Post-execution, the sensor queues a Cloud reputation lookup for the next check-in window (every sixty seconds).
Reputation Assignment when Run background scan is Enabled and On-Access File Scan Mode - Disabled
Carbon Black Cloud assigns reputations to pre-existing files when Run background scan option is enabled and On-Access File Scan Mode option is set to Disabled or Normal.
The existing file is assigned a reputation during the Background Scan. The Carbon Black Cloud sensor uses that existing reputation and queues a Cloud reputation lookup for the next check-in window (every sixty seconds).