Carbon Black Cloud allows the initial copying or creation of new files to a device. The sensor assigns reputations to the newly created files in an expedited synchronous manner based on their execution state and the settings configured in the current policy of the device.
- Background Scan check does not apply to new files.
- Local Scanner check applies to new files only when the new files are opened with Execute.
- Unknown (
RESOLVING
) reputation means the sensor has not yet reached the Carbon Black Cloud backend. - When the Delay Execute for Cloud Scan option is enabled for an endpoint, the Cloud weighs in on a reputation for execuitng files regardless of the reputation returned by the the Local Scanner.
- The Delay Execute for Cloud Scan option only applies to new files. It does not apply to pre-existing files. If a malware existed on the machine before sensor installation, the Delay Execute for Cloud Scan feature does not prevent the malware from running. This is addressed by the Background Scan.
New file in No Execute state
Immediately after a file creation, the Carbon Black Cloud sensor queues a reputation look up for the next check-in window. This occur every sixty seconds. If the new file does not attempt to execute, the Carbon Black Cloud returns the reputation during the next window and the sensor applies it to the file.
New file in Pre-Execute state
If the new file attempts to execute before the next check-in (occurs every sixty seconds), the Delay execute for cloud scan, the On-Access File Scan Mode, and the Submit unknown binaries for analysis policy settings determine the sensor action.
For details on enabling analysis of unknown binaries, see Cloud Analysis.
Reputation Assignment when Delay Execute for Cloud Scan is Enabled and On-Access File Scan Mode - Disabled
Carbon Black Cloud sensor assigns reputations to new files when the Delay Execute for Cloud Scan option is enabled, and the On-Access File Scan Mode is disabled on the device.
- If Carbon Black Cloud does not match a reputation, the sensor applies the
NOT_LISTED
reputation. - If Carbon Black Cloud does not return a reputation within fifteen seconds, the sensor applies the
RESOLVING
reputation to the new file until Carbon Black Cloud returns a reputation.
Reputation Assignment when Delay Execute for Cloud Scan is Disabled and On-Access File Scan Mode - Enabled
Carbon Black Cloud sensor assigns reputations to new files when the Delay Execute for Cloud Scan option is disabled, and the On-Access File Scan Mode is set to Normal or Aggressive on the device.
The sensor requests a Cloud reputation for the new file hash during the next send window. When the new file attempts to execute, Carbon Black delays the file execution for up to five seconds and performs the local scan. The fifteen seconds execute delay for Cloud scan does not occur due to Delay Execute for Cloud Scan being disabled.
If Carbon Black Cloud returns the NOT_LISTED
reputation, the sensor waits for up to five seconds for the Local Scanner. If the Local Scanner does not return a reputation in five seconds, the sensor assigns the NOT_LISTED
reputation.
Reputation Assignment when Delay Execute for Cloud Scan and On-Access File Scan Mode are Enabled
Carbon Black Cloud sensor assigns reputations to new files when the Delay Execute for Cloud Scan option is enabled, and the On-Access File Scan Mode is set to Normal or Aggressive on the device.
The sensor concurrently requests a reputation from Carbon Black Cloud and the Local Scanner.
- The sensor waits for the reputation returned by the Carbon Black Cloud regradless of the reputation returned by the Local Scanner. Then, the Cloud weighs in on reputations to assign in a hierarchical order. For information on reputation priority, see Reputation Assignment.
- If both requests time out, the sensor applies the
RESOLVING
reputation. - If Carbon Black Cloud returns the
NOT_LISTED
reputation and the Submit Unknown Binaries for Analysis option is enabled, the sensor first checks if the Cloud wants the file uploaded. If yes, the sensor delays the execution of file upload and analysis for up to forty-five seconds total.
Reputation Assignment when Delay Execute for Cloud Scan and On-Access File Scan Mode are Disabled
Carbon Black Cloud sensor assigns reputations to new files when the Delay Execute for Cloud Scan option is disabled and the On-Access File Scan Mode is disabled on the device.
The file is assigned RESOLVING
reputation and queues a Cloud reputation lookup for the next window (every sixty seconds).