Environment
- Carbon Black Cloud Console: All Versions
- Endpoint Standard Sensor: 3.2.x - 3.5.x
- Microsoft Windows: All Supported Versions
- Local Scanner Enabled in Policy
Symptoms
Cause
- Initial reputation from Local/AV Scan added to reputation database (local to machine)
- Reputation downgraded in PSC to Adaptive White, Common White, Not Listed, or Unknown
- Initial reputation Known Malware, Suspect Malware, PUP/PUA remains in effect due to higher priority
Resolution
Upgrade the affected sensor to 3.6.0.1719 or later
Additional Notes
Although upgrading to 3.6.0 is strongly suggested, following are workarounds for versions prior to 3.6.0:
For 3.5.x and higher sensors:
- Use an authenticated RepCli user, try the following force the scanner to rescan the file:
repcli localScanner scan "Path\filename.exe"
- To validate the file's reputation locally, run:
repcli find -rep %sha256%
repcli find -rep binaryname.exe
Related Content