Environment
- Carbon Black Cloud Console: All supported versions
Objective
How to Troubleshoot Threat Research and Analytics Issues
Resolution
If you believe the reputation returned within the PSC and the CB Defense Web Console is incorrect (false positive), please Open a Support Case
The case will start by requesting:
- Event or Alert ID
- Device ID
- Was a Deny or Terminate Action applied?
- Is this a threat or monitored event?
- Is a malicious behavior being performed?
- Is the hash signed?
- Customer expected reputation
- Screenshot of Carbon Black Cloud Console reputation applied
- Sensor logs for the impacted device
- Collecting Sensor Logs Windows
- Collecting Sensor Logs Mac
If this issue cannot be solved with CB Support troubleshooting steps, it may need escalation to the CB Engineering team. Escalation will require information collected in the steps above:
- Screenshot of Carbon Black Cloud Console reputation applied
- Additional reputation information/screenshots (will be collected from Support Engineer)
- Logs collected from an impacted endpoint
Additional Notes
Carbon Black has multiple methods for ingesting files, and leverages a number of internal and external data sources to generate reputation. While a single source of information may be valuable, it does not always mean all sources will see the same file as malicious.
Related Content
