Use this procedure to upload a CSV file with a list of hashes, certificates, or IT tools following the instructions in File Format. Carbon Black Cloud Enterprise EDR-only organizations only support the BANNED_LIST and SHA256 values.

Prerequisites

Important: Carbon Black Cloud Enterprise EDR-only organizations only support hash banning. You cannot upload IT tools, Certs, items to the approval list.

Before uploading, ensure your upload file is in the correct file format:

Tip: Precise formatting instructions are provided on the Upload user interface.
  • The file must be saved as a plain ASCII text file in MS-DOS CSV format (not UTF-8 comma separated format).
  • Values (such as the description field) that contain commas might be quoted using the double-quote character.
  • Each line in the file describes a single indicator - the format for each row is described below.

    The required fields must be in the following order: list type, indicator type, indicator value, description, application name:

    • list type: BLACK_LIST or WHITE_LIST
    • indicator type: SHA256
    • indicator value: actual file hash (SHA256 format), 64 characters. Exclude hexadecimal notation (0x prefix).
    • description: text to describe this entry
    • application name: optional
Note:
  • MD5 is not supported. The hash must be in SHA256 format and requires six or more fields. If a field is empty, use the following format where empty fields are denoted by commas: Field1, Field2, Field4, Field6.
  • Adding the hash value more than one time causes the upload to fail.

Procedure

  1. On the left navigation pane, click Enforce > Reputation.
  2. Click Upload.
  3. Navigate to and select the file to upload, and then click Open.
  4. Verify the correct file is listed and then click Upload.

Results

Example: Upload file

/*** SHA256 Hash ***/
WHITE_LIST,SHA256,154899999adfa4f56ade1c04840a517e86dc5c938fac1ba6906c38339a281f82,This hash is known to be harmless,Safari
BLACK_LIST,SHA256,dcab890006eccd887c26a1bd2bcb344e2ce1a80c2e6fc8621ed04489dc1631c8,Unknown untrusted app
BLACK_LIST,SHA256,5348cfde0024b9557e57f099e1f3c3e20f389e7822dda376ad06009e43dd700a,Fake malware for testing,fake

/*** IT Tool ***/
WHITE_LIST,IT_TOOL,/user1/somefolder/sometool,The IT tool is known to be harmless,true
WHITE_LIST,IT_TOOL,/user1/somefolder/sometool,The IT tool is known to be harmless,false

/*** Certificate ***/
WHITE_LIST,CERT,Global,The certificate is known to be harmless,Root certificate authority
WHITE_LIST,CERT,Global,The certificate is known to be harmless,InCommon RSA Server CA