Carbon Black Cloud assigns reputations for files to identify their level of trust or distrust.
Type of files | Endpoint Standard configuration | Files execution state |
---|---|---|
|
|
Reputation Types
Reputation | Description |
---|---|
Effective Reputation | Applied by the sensor based on Carbon Black Analytics, cloud intel, and any other data, at the time that the event occurred. |
Cloud Reputation (Initial) | Hash reputation reported by Carbon Black Cloud intel sources at the time that the backend processed the event. |
Cloud Reputation (Current) | Real-time check of the hash reputation that is reported by Carbon Black Cloud intel sources. |
Reputation Priority
An application can have more than one reputation. The number of reputations depends on the number of different sources the sensor uses to cache reputations for the same SHA256 file. For example, you can have one reputation from the Cloud, one from the Local Scanner, and one due to pre-existence.
Priority | Reputation | Reputation search value | Reputation sources | Description |
---|---|---|---|---|
1 | Ignore | IGNORE | IGNORE | It is a self-check reputation that Carbon Black Cloud assigns to product files and grants them with full permissions to run.
Important: Only files signed by Carbon Black are assigned the status of
Ignore. You should direct additional interest to any ignored file that is not signed by Carbon Black.
|
2 | Company Approved List | COMPANY_WHITE_LIST | HASH_REP | Includes specific hashes that override lower-priority reputations. As a console admin, you manually add an application to the Company Approved List reputation by assigning the application through the SHA-256 hash. For details, see Adding to the Approved List. |
3 | Company Banned List | COMPANY_BLACK_LIST | HASH_REP | Specific to a selected organization. The Company Banned List reputation indicates a malicious or unwarranted behavior and includes specific hashes that override lower-priority reputations. The SHA-256 hashes that you add manually to the Company Banned List assign the application to that reputation. For details, see Adding to the Banned List. |
4 | Trusted Approved List | TRUSTED_WHITE_LIST | CLOUD, APPROVED_DATABASE | Carbon Black Analytics and threat intelligence feeds determine the Trusted Approved List reputation. This reputation indicates the hash as a known good file, and it is assigned by either Carbon Black Cloud or the Local Scanner. It is where a file is signed with a Publisher and CA on a list managed by Carbon Black. |
5 | Known Malware | KNOWN_MALWARE | CLOUD, AV | Carbon Black Analytics and threat intelligence feeds determine the Known Malware reputation. This reputation indicates the application as a known malware and it is assigned by either Carbon Black Cloud or the Local Scanner. |
6 | Suspect Malware Heuristic |
SUSPECT_MALWARE HEURISTIC |
CLOUD, AV | Carbon Black Analytics and threat intelligence feeds determine the Suspect Malware reputation. This reputation indicates the application as a suspected malware and it is assigned by either Carbon Black Cloud or the Local Scanner. The analysis cannot determine if the file is good or malware. The reputation can be updated with further analysis or reputation sources. |
7 | Adware/PUP Malware | ADWARE PUP |
CLOUD, AV | Carbon Black Analytics and threat intelligence feeds determine the Adware/PUP Malware reputation. This reputation indicates that the hash/application is set to a PUP (Potential Unwanted Programs status of adware or popups). |
8 | Local White | LOCAL_WHITE | CERT PRE_EXISTING IT_TOOLS |
The Local White reputation is assigned to the following types of files:
The Local White reputation is company-specific and you can assign it in either way:
|
9 | Common Approved List | COMMON_WHITE_LIST | CLOUD, AV | Carbon Black Cloud and Local Scanner assign this reputation in either way:
After analysis, the hash reputation is deemed trusted across all organizations. |
10 | Not Listed/Adaptive Approved List | NOT_LISTED ADAPTIVE_WHITE_LIST |
CLOUD, AV | The Not Listed reputation indicates that after the sensor checks the application hash with Local Scanner or Cloud, no record can be found about it - it is not listed in the reputation database. Carbon Black Cloud assigns the Not Listed reputation to a file when the hash is not previously identified and by the Local Scanner when the file is not a known bad file. This reputation helps protect against zero-day malware and is assigned to new hashes/updated applications. The Adaptive Approved List indicates that after analysis, the hash reputation is deemed inconclusively trustworthy. It is not fully vetted and needs additional information to be fully trusted across all organizations. |
11 | Unknown | RESOLVING | CLOUD, AV | The Unknown reputation indicates that there is no response from any of the reputation sources the sensor uses. Unknown reputation is assigned to all new files, to an application dropped on the device when sensor does not have local scanner feature enabled, and no network connection to the Cloud. The reputation cannot be established from either source. |