Reputation Assignment

Carbon Black Cloud assigns reputations for files to identify their level of trust or distrust.

Assigning reputations for files depends on the reputation priority, the type of the files, the Endpoint Standard configuration, and how far the files are in their execution.

Type of files	Endpoint Standard configuration	Files execution state
Pre-Existing Files - Files that exist on the device prior sensor installation. New Files - Files that are created or downloaded on the device after sensor installation. Network Files - Files that exist on network drives.	Background Scans Local Scanner Configuration Delay Execute for Cloud Scan Scan Files on Network Drives Scan Execute on Network Drives	Not Executed: Pre-existing files that were never executed. New files that are dropped or created on the hard disk but never executed. Pre-Executed - Files that attempt to execute for the first time. Post-Executed - Files that are already running or have run before.

Reputation Types

Table 1.
Reputation	Description
Effective Reputation	Applied by the sensor based on Carbon Black Analytics, cloud intel, and any other data, at the time that the event occurred.
Cloud Reputation (Initial)	Hash reputation reported by Carbon Black Cloud intel sources at the time that the backend processed the event.
Cloud Reputation (Current)	Real-time check of the hash reputation that is reported by Carbon Black Cloud intel sources.

Reputation Priority

An application can have more than one reputation. The number of reputations depends on the number of different sources the sensor uses to cache reputations for the same SHA256 file. For example, you can have one reputation from the Cloud, one from the Local Scanner, and one due to pre-existence.

The table lists the order in which the Carbon Black Cloud uses reputations if there are more than one reputation per application. The reputation priority is in a descending order with 1 being the highest priority and 11 the lowest priority.

Important: Carbon Black Cloud is replacing the terms blacklist and whitelist with banned list and approved list. Notice will be provided in advance of terminology updates to APIs, TTPs, and Reputations.

Priority	Reputation	Reputation search value	Reputation sources	Description
1	Ignore	IGNORE	IGNORE	It is a self-check reputation that Carbon Black Cloud assigns to product files and grants them with full permissions to run. Important: Only files signed by Carbon Black are assigned the status of Ignore. You should direct additional interest to any ignored file that is not signed by Carbon Black.
2	Company Approved List	COMPANY_WHITE_LIST	HASH_REP	Includes specific hashes that override lower-priority reputations. As a console admin, you manually add an application to the Company Approved List reputation by assigning the application through the SHA-256 hash. For details, see Adding to the Approved List.
3	Company Banned List	COMPANY_BLACK_LIST	HASH_REP	Specific to a selected organization. The Company Banned List reputation indicates a malicious or unwarranted behavior and includes specific hashes that override lower-priority reputations. The SHA-256 hashes that you add manually to the Company Banned List assign the application to that reputation. For details, see Adding to the Banned List.
4	Trusted Approved List	TRUSTED_WHITE_LIST	CLOUD, APPROVED_DATABASE	Carbon Black Analytics and threat intelligence feeds determine the Trusted Approved List reputation. This reputation indicates the hash as a known good file, and it is assigned by either Carbon Black Cloud or the Local Scanner. It is where a file is signed with a Publisher and CA on a list managed by Carbon Black.
5	Known Malware	KNOWN_MALWARE	CLOUD, AV	Carbon Black Analytics and threat intelligence feeds determine the Known Malware reputation. This reputation indicates the application as a known malware and it is assigned by either Carbon Black Cloud or the Local Scanner.
6	Suspect Malware Heuristic	SUSPECT_MALWARE HEURISTIC	CLOUD, AV	Carbon Black Analytics and threat intelligence feeds determine the Suspect Malware reputation. This reputation indicates the application as a suspected malware and it is assigned by either Carbon Black Cloud or the Local Scanner. The analysis cannot determine if the file is good or malware. The reputation can be updated with further analysis or reputation sources.
7	Adware/PUP Malware	ADWARE PUP	CLOUD, AV	Carbon Black Analytics and threat intelligence feeds determine the Adware/PUP Malware reputation. This reputation indicates that the hash/application is set to a PUP (Potential Unwanted Programs status of adware or popups).
8	Local White	LOCAL_WHITE	CERT PRE_EXISTING IT_TOOLS	The Local White reputation is assigned to the following types of files: CERT - Applications signed through certificates defined in the Certs capability. For more information, see Add Certs to Approved List. PRE-EXISTING - All files (existing prior sensor installation) at install until the Carbon Black Cloud scan returns a definite reputation, or Background scan is enabled and the local database has a known reputation for it. IT TOOLS - Files written by applications defined in the IT Tools capability. For more information, see Add Trusted IT Tools to Approved List. The Local White reputation is company-specific and you can assign it in either way: By adding the file path of an application. By adding the certificate signature information of an application.
9	Common Approved List	COMMON_WHITE_LIST	CLOUD, AV	Carbon Black Cloud and Local Scanner assign this reputation in either way: The file is signed and does not appear on any known good or known bad lists. The hash is previously analyzed, but it is not on any known good or known bad lists. After analysis, the hash reputation is deemed trusted across all organizations.
10	Not Listed/Adaptive Approved List	NOT_LISTED ADAPTIVE_WHITE_LIST	CLOUD, AV	The Not Listed reputation indicates that after the sensor checks the application hash with Local Scanner or Cloud, no record can be found about it - it is not listed in the reputation database. Carbon Black Cloud assigns the Not Listed reputation to a file when the hash is not previously identified and by the Local Scanner when the file is not a known bad file. This reputation helps protect against zero-day malware and is assigned to new hashes/updated applications. The Adaptive Approved List indicates that after analysis, the hash reputation is deemed inconclusively trustworthy. It is not fully vetted and needs additional information to be fully trusted across all organizations.
11	Unknown	RESOLVING	CLOUD, AV	The Unknown reputation indicates that there is no response from any of the reputation sources the sensor uses. Unknown reputation is assigned to all new files, to an application dropped on the device when sensor does not have local scanner feature enabled, and no network connection to the Cloud. The reputation cannot be established from either source.

The reputation source CLOUD stands for Cloud Database and AV- for Local Scanner.