You can use the reputation of an application to identify malware.
Look for applications with the KNOWN_MALWARE, SUSPECT_MALWARE, or PUP reputations.
All historical malware data from the past six months displays on the Malware Removal page under the Detected or Deleted tabs. When an item is added to the company approved list, company banned list, or its reputation is overridden, the item will be removed from the Malware Removal page.
Detected malware
Malware can exist on an endpoint even if the malware is prevented from running. This tab displays all files scanned and classified as KNOWN_MALWARE. Search for specific malware by hash or filename using the Search box.
If you are unable to find the hash on this page, you can delete the file by searching for the hash on the Investigate page and clicking the Take Action button on the appropriate event.
Auto-delete known malware
Enable a policy to automatically delete known malware within a specified time frame.
To auto-delete known malware:
- On the left navigation pane, click Enforce > Policies.
- Select a policy. On the Sensor tab, click the box for Auto-delete known malware hashes after.
- Select a time frame, then click Save.
After the policy setting is enabled, all new, executable malware is deleted at the end of the selected time frame. Auto-delete does not delete files that are signed by Microsoft, Carbon Black files, or files that have had their hashes changed.
Deleted malware
After malware is deleted, it is removed from the Detected tab and moved to the Deleted tab. If you attempt to delete a file that has any reputation other than KNOWN_MALWARE, you must confirm the deletion twice. All deleted malware files are permanent and cannot be restored.
Use the audit log to see deleted malware, malware scheduled for deletion, and admin actions. Search the Audit Log for the hash you requested deletion of to see other events associated with the hash.
