If there are suspicious or critical (malicious) files running in your container images, you can override their Cloud reputation by adding them either to the company approved list or to the company banned list of reputations.

Note: The malware badge displays only when the Carbon Black Cloud considers the image file to be partially or fully malicious.

You can also use the Enforce > Reputation page to remove or add a suspicious file's hash to the list of company approved or company banned reputations.

MD5 is not supported. The hash must be in SHA-256 format.
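The SHA-256 requirement matters when hashes arrive from mixed sources. The following Python is an added example, not Carbon Black code: it computes the SHA-256 of a file and sorts a list of candidate hashes so that MD5 and SHA-1 values are rejected before you enter them. The function names and the lowercase normalization are assumptions of this example, and the sample values are constructed.

```python
import hashlib
import re
from pathlib import Path

# Hex digest lengths used to recognise which algorithm produced a pasted hash.
_DIGEST_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"[0-9a-fA-F]+")


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read whole."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_hash(value):
    """Return 'sha256', 'sha1', 'md5' or 'invalid' for one candidate string."""
    value = value.strip()
    if not _HEX.fullmatch(value):
        return "invalid"
    return _DIGEST_KINDS.get(len(value), "invalid")


def triage_hashes(candidates):
    """Split candidates into SHA-256 values ready for entry and rejects."""
    accepted, rejected = [], []
    for raw in candidates:
        cleaned = raw.strip()
        kind = classify_hash(cleaned)
        if kind != "sha256":
            rejected.append((cleaned, kind))  # keep the reason for the analyst
        elif cleaned.lower() not in accepted:
            accepted.append(cleaned.lower())  # lowercase is this example's choice
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: digests of the empty byte string, plus junk text.
    empty = hashlib.sha256(b"").hexdigest()
    sample = [empty.upper(), empty, "d41d8cd98f00b204e9800998ecf8427e", "not-a-hash"]
    ok, bad = triage_hashes(sample)
    print("ready for entry:", ok)
    print("rejected:", bad)
```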

Procedure

  1. On the left navigation pane, do one of the following depending on your system configuration and role:
    • If you have the Kubernetes Security DevOps or SecOps role and your system has only the Container security feature, click Inventory > Container Images.
    • If you have any other role and your system has Container security and other Carbon Black Cloud features, click Inventory > Kubernetes > Container Images.
  2. Click the Deployed Images tab.
  3. Locate a container image and click its link under the Image Tag column.
  4. On the Container Image page, click the Suspicious files tab.
    Only the suspicious or malicious files within the deployed container image display.
  5. Double-click a file of interest.
    If the file has a suspicious or critical reputation, you can add it to the list of company approved or banned hashes.
    Note: If the file runs both within a container image and on an endpoint, overriding the file reputation applies to the endpoint as well.
    1. From the Action drop-down menu, select either Add Hash to approved list or Add Hash to banned list.
    2. Optional: Enter a comment.
    3. Click Add.
      It takes up to ten minutes for the feed to update.
    If the file is already assigned the Company Approved or the Company Banned reputation, you have the option to remove it from that list.
    1. From the Action drop-down menu, select Remove hash from list.
    2. Optional: Enter a comment.
    3. Click Remove.
    To look up more information about the suspicious file by its hash, use the VirusTotal service.
    1. In the File Details panel, select Find in VirusTotal from the Action drop-down menu.
      You are redirected to the web site of the service.
    2. Observe the basic results and use them to improve your system.