Carbon Black Cloud allows the initial copying or creation of new files to a device. The sensor assigns reputations to the newly created files in an expedited synchronous manner based on their execution state and the settings configured in the current policy of the device.

The following are key considerations when the Carbon Black Cloud sensor assigns reputations to new files:
  • Background Scan check does not apply to new files.
  • Local Scanner check applies to new files only when the new files are opened with Execute.
  • Unknown (RESOLVING) reputation means the sensor has not yet reached the Carbon Black Cloud backend.
  • When the Delay Execute for Cloud Scan option is enabled for an endpoint, the Cloud weighs in on a reputation for executing files regardless of the reputation returned by the Local Scanner.
  • The Delay Execute for Cloud Scan option only applies to new files. It does not apply to pre-existing files. If malware existed on the machine before sensor installation, the Delay Execute for Cloud Scan feature does not prevent the malware from running. This is addressed by the Background Scan.

Reputation assignment for new files diagram

New file in No Execute state

Immediately after a file is created, the Carbon Black Cloud sensor queues a reputation lookup for the next check-in window. A check-in occurs every sixty seconds. If the new file does not attempt to execute, Carbon Black Cloud returns the reputation during the next window and the sensor applies it to the file.

New file in Pre-Execute state

If the new file attempts to execute before the next check-in (which occurs every sixty seconds), the Delay Execute for Cloud Scan, On-Access File Scan Mode, and Submit Unknown Binaries for Analysis policy settings determine the sensor action.

For details on enabling analysis of unknown binaries, see Cloud Analysis.

Note: The above settings are specific to Carbon Black Cloud Endpoint Standard.

Reputation Assignment when Delay Execute for Cloud Scan is Enabled and On-Access File Scan Mode - Disabled

The Carbon Black Cloud sensor assigns reputations to new files as follows when the Delay Execute for Cloud Scan option is enabled and the On-Access File Scan Mode is disabled on the device.

  • If Carbon Black Cloud does not match a reputation, the sensor applies the NOT_LISTED reputation.
  • If Carbon Black Cloud does not return a reputation within fifteen seconds, the sensor applies the RESOLVING reputation to the new file until Carbon Black Cloud returns a reputation.

Reputation Assignment when Delay Execute for Cloud Scan is Disabled and On-Access File Scan Mode - Enabled

The Carbon Black Cloud sensor assigns reputations to new files as follows when the Delay Execute for Cloud Scan option is disabled and the On-Access File Scan Mode is set to Normal or Aggressive on the device.

The sensor requests a Cloud reputation for the new file hash during the next send window. When the new file attempts to execute, Carbon Black delays the file execution for up to five seconds and performs the local scan. The fifteen-second execute delay for Cloud scan does not occur because Delay Execute for Cloud Scan is disabled.

If Carbon Black Cloud returns the NOT_LISTED reputation, the sensor waits for up to five seconds for the Local Scanner. If the Local Scanner does not return a reputation in five seconds, the sensor assigns the NOT_LISTED reputation.

Reputation Assignment when Delay Execute for Cloud Scan and On-Access File Scan Mode are Enabled

The Carbon Black Cloud sensor assigns reputations to new files as follows when the Delay Execute for Cloud Scan option is enabled and the On-Access File Scan Mode is set to either Normal or Aggressive on the device.

The sensor concurrently requests a reputation from Carbon Black Cloud and the Local Scanner.

  • The sensor waits for the reputation returned by Carbon Black Cloud regardless of the reputation returned by the Local Scanner. The Cloud weighs in on reputations to assign in a hierarchical order. For information on reputation priority, see Reputation Assignment.
  • If both requests time out, the sensor applies the RESOLVING reputation.
  • If Carbon Black Cloud returns the NOT_LISTED reputation and the Submit Unknown Binaries for Analysis option is enabled, the sensor first checks whether to upload the file. If yes, the sensor delays the execution of file upload and analysis for up to forty-five seconds.

Reputation Assignment when Delay Execute for Cloud Scan and On-Access File Scan Mode are Disabled

The Carbon Black Cloud sensor assigns reputations to new files as follows when the Delay Execute for Cloud Scan option is disabled and the On-Access File Scan Mode is disabled on the device.

The sensor assigns the RESOLVING reputation to the file and queues a Cloud reputation lookup for the next window (every sixty seconds).
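
The four Pre-Execute combinations above can be compared side by side with a small model. This is an added example, not Carbon Black code: the function `pre_execute`, its parameters, and the sample responses (including the `KNOWN_MALWARE` value) are constructed for illustration. It assumes that a Local Scanner verdict arriving in time is applied when no Cloud verdict is available, and that the forty-five second upload delay adds to the time execution is held.

```python
# Added illustration; timeouts (seconds) are the ones stated on this page.
CLOUD_WAIT, LOCAL_WAIT, UPLOAD_WAIT = 15, 5, 45

def pre_execute(delay_execute, on_access, cloud=None, local=None, upload=False):
    """Reputation applied when a new file runs before the next 60 s check-in.

    cloud / local: (reputation, seconds_to_answer), or None for no answer.
    upload: Submit Unknown Binaries is enabled and the sensor chose to upload.
    Returns (reputation, worst-case seconds execution is held).
    """
    # An answer only counts if it arrives inside that source's wait limit.
    cloud_hit = cloud if cloud and cloud[1] <= CLOUD_WAIT else None
    local_hit = local if local and local[1] <= LOCAL_WAIT else None

    if not delay_execute and not on_access:
        return ("RESOLVING", 0)            # lookup only queued for next window
    if delay_execute and not on_access:
        # The Cloud answers NOT_LISTED itself when it has no match.
        return cloud_hit or ("RESOLVING", CLOUD_WAIT)
    if not delay_execute:
        # On-access scan only: no cloud hold, the local scan holds up to 5 s.
        # Assumption: a local verdict that arrives in time is applied.
        # NOT_LISTED is the page's outcome when the Cloud returned NOT_LISTED.
        return local_hit or ("NOT_LISTED", LOCAL_WAIT)
    # Both enabled: requests run concurrently and the Cloud answer is awaited
    # regardless of what the Local Scanner says.
    if cloud_hit:
        rep, held = cloud_hit
        if rep == "NOT_LISTED" and upload:
            held += UPLOAD_WAIT            # assumption: a further hold, worst case
        return (rep, held)
    # Assumption: with no Cloud answer, an in-time local verdict is used.
    if local_hit:
        return (local_hit[0], CLOUD_WAIT)
    return ("RESOLVING", CLOUD_WAIT)       # both requests timed out

if __name__ == "__main__":
    # Constructed sample responses, not captured from a real sensor.
    cases = [
        ("both off", (False, False), {}),
        ("delay only, cloud slow", (True, False), {"cloud": ("KNOWN_MALWARE", 20)}),
        ("scan only, local slow", (False, True), {"local": ("NOT_LISTED", 9)}),
        ("both on, cloud overrides", (True, True),
         {"cloud": ("KNOWN_MALWARE", 12), "local": ("NOT_LISTED", 2)}),
        ("both on, upload", (True, True), {"cloud": ("NOT_LISTED", 4), "upload": True}),
    ]
    for name, args, kw in cases:
        print(f"{name:26} -> {pre_execute(*args, **kw)}")
```

The first case is the one to look for when reviewing policies: with both options disabled, a new file runs immediately with RESOLVING and no verdict from either source.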