Environment
- CB Defense PSC Console: All Versions
- CB Defense Sensor: All Versions
- Microsoft Windows: All Supported Versions
- Apple MacOS: All Supported Versions
Question
How are reputations assigned for Network Files?
Answer
No Execute
| Scan files on network drives | Reputation Assignment Process |
|---|---|
| Disabled | The sensor doesn't assign a reputation at all until the network file attempts to EXECUTE |
| Enabled | - CB Defense Sensor will scan files residing on network drives upon READ<br>- It queues a reputation request on file READ, but it will not send the request until the next send window (every five minutes)<br>- If another file attempts to access the file, the sensor does not generate another reputation request<br>- The sensor will apply an UNKNOWN reputation until it receives a reputation from the Predictive Security Cloud (PSC) |

Unknown reputation typically means the sensor cannot reach the CB Defense Backend
Pre-Execute
| Scan execute on network drives | Reputation Assignment Process |
|---|---|
| Disabled | - The sensor will calculate the SHA256 hash for all files on network drives upon EXECUTE so that the file can be tracked and recorded<br>- The sensor queues a reputation request, but the request will not be sent until the next send window (every five minutes)<br>- The sensor will not stall file execution while waiting for the PSC to return a reputation. This means that the sensor will allow the file to EXECUTE based on the reputation obtained by the Local Scanner if enabled.<br>- Background Scan checks only apply to pre-existing files, so it would not apply in this case<br>- LOCAL_WHITE reputation is not assigned to network files by default. This behavior only applies to pre-existing files.<br>- Local Scanner is not Supported on MacOS<br>- If another file attempts to access the file, the sensor does not generate another reputation request<br>- The sensor will apply an UNKNOWN reputation until it receives a reputation from the PSC<br>- Once a reputation is returned, policy rules can apply to the network file |
| Enabled | |

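The queue, de-duplication and five-minute send window described in the tables above, as a simplified timeline model. This is an added example, not Carbon Black code; the window alignment, the cloud reply latency, the class and function names, the placeholder hash and the `EXAMPLE_DEFINITE` verdict are assumptions made for illustration.

```python
import math

SEND_WINDOW_S = 300  # from the page: queued requests are sent every five minutes


class NetworkFileReputationModel:
    """Simplified model of the queue / dedup / send-window behaviour (not sensor code)."""
    def __init__(self, cloud_latency_s=2.0):
        # Assumptions: send windows fall on multiples of SEND_WINDOW_S counted from
        # sensor start, and the cloud replies cloud_latency_s after the request is sent.
        self.cloud_latency_s = cloud_latency_s
        self.queued_at = {}  # file hash -> time the single request was queued
        self.verdict = {}    # file hash -> reputation the cloud will return

    def access(self, t, file_hash, cloud_verdict):
        """Record a READ or EXECUTE at time t; True if a new request was queued."""
        if file_hash in self.queued_at:
            return False  # later accesses do not generate another request
        self.queued_at[file_hash] = t
        self.verdict[file_hash] = cloud_verdict
        return True

    def sent_at(self, file_hash):
        """First send window strictly after the time the request was queued."""
        return (math.floor(self.queued_at[file_hash] / SEND_WINDOW_S) + 1) * SEND_WINDOW_S

    def reputation(self, t, file_hash):
        """Reputation the sensor holds for the file at time t (None if never seen)."""
        if file_hash not in self.queued_at or t < self.queued_at[file_hash]:
            return None
        if t >= self.sent_at(file_hash) + self.cloud_latency_s:
            return self.verdict[file_hash]
        return "UNKNOWN"  # applied until the cloud returns a reputation


def demo():
    # Constructed timeline: seconds since sensor start, placeholder hash and verdict.
    m = NetworkFileReputationModel()
    h = "<sha256-placeholder>"
    events = [(10, "READ"), (100, "READ"), (200, "EXECUTE"), (310, "EXECUTE")]
    rows = []
    for t, op in events:
        queued = m.access(t, h, "EXAMPLE_DEFINITE")
        rows.append((t, op, queued, m.reputation(t, h)))
    return rows, m.sent_at(h)


if __name__ == "__main__":
    print(*demo()[0], sep="\n")
```

In this timeline the EXECUTE at 200 seconds happens while the reputation is still UNKNOWN, before the request has left the sensor; only the EXECUTE at 310 seconds sees a returned reputation that policy rules can act on.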
Additional Notes
- Pre-Existing Files: Files that existed on the device prior to the sensor being installed
- New Files: Files that are created or downloaded on the device after the sensor is installed
- Network Files: Files that exist on network drives
- No Execute: Pre-existing files which never executed or new files that were dropped or created on the hard disk but never executed
- Pre-Execute: Pre-execute refers to the first time that a file is attempting to execute
- Post-Execute: Post-execute refers to files which are already running or which have run before
- Definite Reputation: Anything other than NOT_LISTED or UNKNOWN