Carbon Black Cloud assigns reputations for files to identify their level of trust or distrust.

The reputation assigned to a file depends on the reputation priority, the type of file, the Endpoint Standard configuration, and the execution state of the file.
| Type of files | Endpoint Standard configuration | Files execution state |
| --- | --- | --- |
| • Pre-Existing Files - Files that exist on the device prior to sensor installation.<br>• New Files - Files that are created or downloaded on the device after sensor installation.<br>• Network Files - Files that exist on network drives. | | • Not Executed: pre-existing files that were never executed, and new files that are dropped or created on the hard disk but never executed.<br>• Pre-Executed - Files that attempt to execute for the first time.<br>• Post-Executed - Files that are already running or have run before. |

Reputation Types

Table 1.

| Reputation | Description |
| --- | --- |
| Effective Reputation | Applied by the sensor based on Carbon Black Analytics, cloud intel, and any other data, at the time that the event occurred. |
| Cloud Reputation (Initial) | Hash reputation reported by Carbon Black Cloud intel sources at the time that the backend processed the event. |
| Cloud Reputation (Current) | Real-time check of the hash reputation that is reported by Carbon Black Cloud intel sources. |

Reputation Priority

An application can have more than one reputation. The number of reputations depends on the number of different sources the sensor uses to cache reputations for the same SHA256 file. For example, you can have one reputation from the Cloud, one from the Local Scanner, and one due to pre-existence.

The table lists the order in which Carbon Black Cloud uses reputations when an application has more than one. The reputation priority is in descending order, with 1 being the highest priority and 11 the lowest.
Important: Carbon Black Cloud is replacing the terms blacklist and whitelist with banned list and approved list. Notice will be provided in advance of terminology updates to APIs, TTPs, and Reputations.

| Priority | Reputation | Reputation search value | Reputation sources | Description |
| --- | --- | --- | --- | --- |
| 1 | Ignore | IGNORE | IGNORE | A self-check reputation that Carbon Black Cloud assigns to product files, granting them full permissions to run.<br>Important: Only files signed by Carbon Black are assigned the status of Ignore. You should direct additional interest to any ignored file that is not signed by Carbon Black. |
| 2 | Company Approved List | COMPANY_WHITE_LIST | HASH_REP | Includes specific hashes that override lower-priority reputations. As a console admin, you manually add an application to the Company Approved List reputation by assigning the application through the SHA-256 hash. For details, see Adding to the Approved List. |
| 3 | Company Banned List | COMPANY_BLACK_LIST | HASH_REP | Specific to a selected organization. The Company Banned List reputation indicates malicious or unwarranted behavior and includes specific hashes that override lower-priority reputations. The SHA-256 hashes that you add manually to the Company Banned List assign the application to that reputation. For details, see Adding to the Banned List. |
| 4 | Trusted Approved List | TRUSTED_WHITE_LIST | CLOUD, APPROVED_DATABASE | Carbon Black Analytics and threat intelligence feeds determine the Trusted Approved List reputation. This reputation identifies the hash as a known good file, and it is assigned by either Carbon Black Cloud or the Local Scanner. It applies where a file is signed with a Publisher and CA on a list managed by Carbon Black. |
| 5 | Known Malware | KNOWN_MALWARE | CLOUD, AV | Carbon Black Analytics and threat intelligence feeds determine the Known Malware reputation. This reputation identifies the application as known malware, and it is assigned by either Carbon Black Cloud or the Local Scanner. |
| 6 | Suspect Malware<br>Heuristic | SUSPECT_MALWARE<br>HEURISTIC | CLOUD, AV | Carbon Black Analytics and threat intelligence feeds determine the Suspect Malware reputation. This reputation identifies the application as suspected malware, and it is assigned by either Carbon Black Cloud or the Local Scanner. The analysis cannot determine if the file is good or malware. The reputation can be updated with further analysis or reputation sources. |
| 7 | Adware/PUP Malware | ADWARE<br>PUP | CLOUD, AV | Carbon Black Analytics and threat intelligence feeds determine the Adware/PUP Malware reputation. This reputation indicates that the hash/application is set to a PUP (Potential Unwanted Programs status of adware or popups). |
| 8 | Local White | LOCAL_WHITE | CERT<br>PRE_EXISTING<br>IT_TOOLS | The Local White reputation is assigned to the following types of files:<br>• CERT - Applications signed through certificates defined in the Certs capability. For more information, see Add Certs to Approved List.<br>• PRE-EXISTING - All files (existing prior to sensor installation) at install until the Carbon Black Cloud scan returns a definite reputation, or Background scan is enabled and the local database has a known reputation for it.<br>• IT TOOLS - Files written by applications defined in the IT Tools capability. For more information, see Add Trusted IT Tools to Approved List.<br>The Local White reputation is company-specific and you can assign it in either way:<br>• By adding the file path of an application.<br>• By adding the certificate signature information of an application. |
| 9 | Common Approved List | COMMON_WHITE_LIST | CLOUD, AV | Carbon Black Cloud and Local Scanner assign this reputation in either way:<br>• The file is signed and does not appear on any known good or known bad lists.<br>• The hash is previously analyzed, but it is not on any known good or known bad lists.<br>After analysis, the hash reputation is deemed trusted across all organizations. |
| 10 | Not Listed/Adaptive Approved List | NOT_LISTED<br>ADAPTIVE_WHITE_LIST | CLOUD, AV | The Not Listed reputation indicates that after the sensor checks the application hash with Local Scanner or Cloud, no record can be found about it - it is not listed in the reputation database. Carbon Black Cloud assigns the Not Listed reputation to a file when the hash is not previously identified, and the Local Scanner assigns it when the file is not a known bad file. This reputation helps protect against zero-day malware and is assigned to new hashes/updated applications.<br>The Adaptive Approved List indicates that after analysis, the hash reputation is deemed inconclusively trustworthy. It is not fully vetted and needs additional information to be fully trusted across all organizations. |
| 11 | Unknown | RESOLVING | CLOUD, AV | The Unknown reputation indicates that there is no response from any of the reputation sources the sensor uses. The Unknown reputation is assigned to all new files and to an application dropped on the device when the sensor does not have the local scanner feature enabled and has no network connection to the Cloud. The reputation cannot be established from either source. |

The reputation source CLOUD stands for Cloud Database, and AV stands for Local Scanner.
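
The priority order above means that a trusting reputation at priority 1, 2 or 4 hides any malware verdict cached for the same hash. The following added example (not Carbon Black code; the record fields, the signer string and the sample data are assumptions constructed for illustration) picks the winning reputation from several cached values and flags such overrides, along with ignored files that are not signed by Carbon Black.

```python
# Priority per reputation search value, from the table above (1 = highest).
PRIORITY = {
    "IGNORE": 1, "COMPANY_WHITE_LIST": 2, "COMPANY_BLACK_LIST": 3,
    "TRUSTED_WHITE_LIST": 4, "KNOWN_MALWARE": 5, "SUSPECT_MALWARE": 6,
    "HEURISTIC": 6, "ADWARE": 7, "PUP": 7, "LOCAL_WHITE": 8,
    "COMMON_WHITE_LIST": 9, "NOT_LISTED": 10, "ADAPTIVE_WHITE_LIST": 10,
    "RESOLVING": 11,
}
MALICIOUS = {"KNOWN_MALWARE", "SUSPECT_MALWARE", "HEURISTIC", "ADWARE", "PUP"}
# Trusting reputations that outrank every malicious one.
TRUSTING = {"IGNORE", "COMPANY_WHITE_LIST", "TRUSTED_WHITE_LIST"}
VENDOR_SIGNER = "Carbon Black"  # assumed publisher string, adjust as needed


def rank(value):
    return (PRIORITY[value], value)  # name breaks ties deterministically


def winning_reputation(cached):
    """Return the cached value with the highest priority (lowest number)."""
    known = [r for r in cached if r in PRIORITY]
    # Assumption: nothing cached is treated as Unknown (RESOLVING).
    return min(known, key=rank) if known else "RESOLVING"


def audit(records):
    """Flag hashes whose winning reputation hides a malicious verdict or is
    IGNORE without the vendor signature."""
    findings = []
    for rec in records:
        winner = winning_reputation(rec["reputations"])
        masked = sorted(MALICIOUS.intersection(rec["reputations"]), key=rank)
        if winner in TRUSTING and masked:
            findings.append((rec["sha256"], f"{winner} overrides {masked[0]}"))
        if winner == "IGNORE" and rec.get("signer") != VENDOR_SIGNER:
            findings.append((rec["sha256"], "IGNORE without vendor signature"))
    return findings


# Constructed records: hash labels and signer names are placeholders.
SAMPLE = [
    {"sha256": "HASH_A", "signer": "Example Corp",
     "reputations": ["LOCAL_WHITE", "KNOWN_MALWARE", "COMPANY_WHITE_LIST"]},
    {"sha256": "HASH_B", "signer": "Example Corp", "reputations": ["IGNORE"]},
    {"sha256": "HASH_C", "signer": "Carbon Black", "reputations": ["IGNORE"]},
    {"sha256": "HASH_D", "signer": None,
     "reputations": ["LOCAL_WHITE", "SUSPECT_MALWARE"]},
]

if __name__ == "__main__":
    for sha256, reason in audit(SAMPLE):
        print(sha256, reason)
```

HASH_D produces no finding because Local White (priority 8) ranks below Suspect Malware (priority 6), so the malware verdict remains the winning reputation.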