Carbon Black Cloud: Application Reputation Not Updated For Local Scanner False Positives

Environment

  • Carbon Black Cloud Console: All Versions
  • Endpoint Standard Sensor: 3.2.x - 3.5.x
  • Microsoft Windows: All Supported Versions
  • Local Scanner Enabled in Policy

Symptoms

  • Known-good application receives malware reputation via Local Scanner
    Reputation (applied, AV scan)
  • Application submitted to Carbon Black as a potential false positive 
  • Reputation corrected in Predictive Security Cloud (PSC)
  • Known-good application continues to receive malware reputation via Local Scanner as noted above

Cause

  • Initial reputation from Local/AV Scan added to reputation database (local to machine)
  • Reputation downgraded in PSC to Adaptive White, Common White, Not Listed, or Unknown
  • Initial reputation Known Malware, Suspect Malware, PUP/PUA remains in effect due to higher priority

Resolution

Upgrade the affected sensor to 3.6.0.1719 or later

Additional Notes

Although upgrading to 3.6.0 is strongly suggested, the following are workarounds for versions prior to 3.6.0.

For 3.5.x and higher sensors:
  • Using an authenticated RepCli user, run the following to force the scanner to rescan the file:
    repcli localScanner scan "Path\filename.exe"
  • Or use the delay command to force a recheck at the next execution time:
    repcli hash %sha256% delay av
    repcli hash %sha256% delay cloud
    Where %sha256% is the actual SHA256 hash value of the file
  • To validate the file's reputation locally, run:
    repcli find -rep %sha256%
    repcli find -rep binaryname.exe
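The workaround above is usually typed by hand, and the most common mistake is pasting the wrong value for %sha256%. The PowerShell script below is an added example, not part of this article or of the Carbon Black sensor tooling: it computes the SHA256 of the file itself, records the cached reputation before and after, and then runs the rescan and both delay commands that the article lists. It assumes repcli.exe is in the default sensor install folder (override with -RepCli if yours differs), that the RepCli session is already authenticated as the article requires, and that repcli signals failure with a non-zero exit code.

```powershell
# Added example (not from the Carbon Black article): wraps the article's repcli
# workaround for 3.5.x sensors so the SHA256 is derived from the file rather
# than pasted by hand.
# Assumptions (not stated in the article): repcli.exe lives in the default
# sensor install folder below, the RepCli session is already authenticated,
# and repcli returns a non-zero exit code on failure.
param(
    [Parameter(Mandatory = $true)]
    [string]$FilePath,
    [string]$RepCli = 'C:\Program Files\Confer\repcli.exe'
)

function Invoke-RepCli {
    param([string[]]$Arguments)
    # Run repcli with the given arguments and stop on a non-zero exit code
    # (assumed failure convention; adjust if your sensor build differs).
    & $RepCli @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "repcli $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

if (-not (Test-Path -Path $FilePath -PathType Leaf)) {
    throw "File not found: $FilePath"
}
if (-not (Test-Path -Path $RepCli -PathType Leaf)) {
    throw "repcli not found at $RepCli (pass -RepCli with the correct path)"
}

# Step 1: compute the SHA256 that the 'delay' commands expect in place of %sha256%.
$sha256 = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash
Write-Host "SHA256 for $FilePath is $sha256"

# Step 2: record the reputation currently cached on this endpoint (before).
Write-Host '--- reputation before ---'
Invoke-RepCli -Arguments @('find', '-rep', $sha256)

# Step 3: force the local scanner to rescan, then mark the cached AV and
# cloud verdicts for recheck at the next execution (the article offers these
# as alternatives; running both is the conservative choice).
Invoke-RepCli -Arguments @('localScanner', 'scan', $FilePath)
Invoke-RepCli -Arguments @('hash', $sha256, 'delay', 'av')
Invoke-RepCli -Arguments @('hash', $sha256, 'delay', 'cloud')

# Step 4: re-query so the operator can confirm whether the stale malware
# verdict still takes priority over the corrected PSC reputation.
Write-Host '--- reputation after ---'
Invoke-RepCli -Arguments @('find', '-rep', $sha256)
```

Run it from an elevated, already-authenticated RepCli session, for example `.\Recheck-Reputation.ps1 -FilePath 'C:\Path\filename.exe'`. Because the script prints the before and after output of `repcli find -rep`, the two blocks can be pasted into the false-positive ticket as evidence of whether the local verdict actually cleared or the sensor still needs the 3.6.0.1719 upgrade.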

Article Information
Creation Date: 03-06-2019