App Control: Malicious File Detected for a File that Does Not Exist Anymore
App Control Console: All Supported Versions
Why do I still see "Malicious file detected" events for files that no longer exist in the environment?
The File Catalog maintains a historical inventory of all files, from all Agents, regardless of whether they have already been deleted from the endpoint(s). The "Malicious file detected" Events are generated by the Carbon Black Reputation Service when a file in the inventory is matched against the Reputation Service.
This is the red "flag" that appears in the top right-hand corner of the console.
Alerts are generated when an Event matching the criteria outlined occurs.
The Reputation Service is constantly updated with new malware feed information, threat research results, and more. It is possible that the reputation of an existing file in the Reputation Service could change over time from Trusted to Malicious.