CB Defense: How Are Reputations Assigned for Network Files?

Environment

  • CB Defense PSC Console: All Versions
  • CB Defense Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Apple MacOS: All Supported Versions

Question

How are reputations assigned for Network Files?

Answer

No Execute

Scan files on network drives | Reputation Assignment Process
Disabled
  • The sensor doesn't assign a reputation at all until the network file attempts to EXECUTE
Enabled
  1. CB Defense Sensor will scan files residing on network drives upon READ
  2. It queues a reputation request on file READ, but it will not send the request until the next send window (every five minutes)
  3. If another file attempts to access the file, the sensor does not generate another reputation request
  4. The sensor will apply an UNKNOWN reputation until it receives a reputation from the Predictive Security Cloud (PSC)
Unknown reputation typically means the sensor cannot reach the CB Defense Backend
 

Pre-Execute

Scan execute on network drives | Reputation Assignment Process
Disabled
  1. The sensor will calculate the SHA256 hash for all files on network drives upon EXECUTE so that the file can be tracked and recorded
  2. The sensor queues a reputation request, but the request will not be sent until the next send window (every five minutes)
  3. The sensor will not stall file execution while waiting for the PSC to return a reputation. This means that the sensor will allow the file to EXECUTE based on the reputation obtained by the Local Scanner if enabled.
    - Background Scan checks only apply to pre-existing files, so it would not apply in this case
    - LOCAL_WHITE reputation is not assigned to network files by default. This behavior only applies to pre-existing files.
    - Local Scanner is not Supported on MacOS
  4. If another file attempts to access the file, the sensor does not generate another reputation request
  5. The sensor will apply an UNKNOWN reputation until it receives a reputation from the PSC
  6. Once a reputation is returned, policy rules can apply to the network file
Enabled

Additional Notes

  • Pre-Existing Files: Files that existed on the device prior to the sensor being installed
  • New Files: Files that are created or downloaded on the device after the sensor is installed
  • Network Files: Files that exist on network drives
  • No Execute: Pre-existing files which never executed or new files that were dropped or created on the hard disk but never executed
  • Pre-Execute: Pre-execute refers to the first time that a file is attempting to execute
  • Post-Execute: Post-execute refers to files which are already running or which have run before
  • Definite Reputation: Anything other than NOT_LISTED or UNKNOWN

Article Information
Creation Date: 07-31-2018