Environment
- App Control Console: All Supported Versions
Question
Why do I still see "Malicious file detected" events for files that no longer exist in the environment?
Answer
The File Catalog maintains a historical inventory of all files reported by all Agents, regardless of whether those files have already been deleted from the endpoint(s). "Malicious file detected" Events are generated by the Carbon Black Reputation Service when a file in that inventory is matched against the Reputation Service and returns a Malicious verdict.
There are two different aspects to these notices:
- Events (Reports > Events > Malicious File Detected)
  - Located in Reports > Events with subtype: "Malicious File Detected"
  - Events occur regardless of the file's current prevalence in the environment. This makes it known that a file which is now considered Malicious has been in the environment historically, even if no instance of it remains.
- Alerts (Tools > Alerts > Malicious File Detected)
  - This is the red "flag" that appears in the top right-hand corner of the console.
  - Alerts are generated when an Event matching the criteria configured on the Alert occurs.
Additional Notes
- The Reputation Service is constantly updated with new malware feed information, threat research results, and more. The verdict for a file that already exists in the Reputation Service can therefore change over time, for example from Trusted to Malicious.
- If desired, Zero Prevalence Pruning can be enabled to prevent future occurrences of this Event for files that no longer exist on any endpoint.
- Additionally, a Prevalence filter can be added to the Alert (Tools > Alerts > Malicious File Detected) so that the Alert is not generated when the file's Prevalence is below a desired threshold. The Event is still recorded; only the Alert is suppressed.
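The following is a constructed model, added to this article and not Carbon Black's own code or API, of the behaviour described in the Answer and Additional Notes: the catalog keeps an entry after the file is deleted everywhere, a later reputation change to Malicious raises an Event regardless of prevalence, a prevalence filter suppresses only the Alert, and Zero Prevalence Pruning removes the catalog entry so no Event is raised at all. The `Console` class, its method names and the all-zero hash are invented for the example.

```python
"""Constructed model of the App Control Event/Alert behaviour described above.

Illustrative code written for this article, not Carbon Black's implementation
or API; class names, method names and the hash value are invented.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CatalogEntry:
    sha256: str      # file identity (constructed placeholder values in this example)
    prevalence: int  # number of endpoints the file is currently present on


@dataclass
class Console:
    # The File Catalog keeps an entry for every file ever reported by an Agent.
    catalog: Dict[str, CatalogEntry] = field(default_factory=dict)
    # Most recent verdict returned by the Reputation Service for each hash.
    reputation: Dict[str, str] = field(default_factory=dict)
    events: List[dict] = field(default_factory=list)   # Reports > Events
    alerts: List[dict] = field(default_factory=list)   # Tools > Alerts (red flag)
    # Optional Prevalence filter on the Alert; 0 means the Alert fires on every Event.
    alert_min_prevalence: int = 0

    def observe_file(self, sha256: str, endpoint_count: int) -> None:
        """An Agent reports a file; it enters the catalog with its prevalence."""
        self.catalog[sha256] = CatalogEntry(sha256, endpoint_count)

    def delete_from_endpoints(self, sha256: str) -> None:
        """The file is removed from every endpoint: prevalence drops to zero,
        but the catalog entry remains as historical inventory."""
        self.catalog[sha256].prevalence = 0

    def prune_zero_prevalence(self) -> int:
        """Zero Prevalence Pruning: drop catalog entries with no remaining instances.
        Returns the number of entries removed."""
        gone = [h for h, entry in self.catalog.items() if entry.prevalence == 0]
        for h in gone:
            del self.catalog[h]
        return len(gone)

    def reputation_update(self, sha256: str, verdict: str) -> None:
        """The Reputation Service re-evaluates a hash. A change to Malicious for a
        catalogued file produces an Event regardless of prevalence; the Alert is
        generated only when the Event passes the Alert's prevalence filter."""
        previous = self.reputation.get(sha256)
        self.reputation[sha256] = verdict
        entry = self.catalog.get(sha256)
        if entry is None or verdict != "Malicious" or previous == "Malicious":
            return
        event = {"subtype": "Malicious File Detected", "sha256": sha256,
                 "prevalence": entry.prevalence}
        self.events.append(event)
        if entry.prevalence >= self.alert_min_prevalence:
            self.alerts.append({"flag": "Malicious File Detected", "event": event})


def scenario(alert_min_prevalence: int = 0, prune: bool = False) -> dict:
    """Replay the situation from the question: a file is seen on several endpoints,
    deleted everywhere, and later reclassified as Malicious by the Reputation Service."""
    console = Console(alert_min_prevalence=alert_min_prevalence)
    h = "0" * 64  # constructed placeholder hash, not a real sample
    console.observe_file(h, endpoint_count=3)
    console.reputation_update(h, "Trusted")   # verdict at the time it was seen
    console.delete_from_endpoints(h)
    if prune:
        console.prune_zero_prevalence()
    console.reputation_update(h, "Malicious")  # feed later flips the verdict
    return {"events": len(console.events), "alerts": len(console.alerts),
            "catalog_size": len(console.catalog)}


if __name__ == "__main__":
    print("no filter, no pruning:  ", scenario())
    print("alert filter >= 1:      ", scenario(alert_min_prevalence=1))
    print("pruned before reverdict:", scenario(prune=True))
```

Running the three scenarios shows the distinction the article draws: with defaults the deleted file still produces both an Event and an Alert; with a prevalence filter of 1 on the Alert the Event is recorded but the flag is not raised; with pruning applied first the catalog entry is gone and nothing is generated.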
Related Content