Carbon Black Cloud: How Are Reputations Assigned for New Files?

Environment

  • Carbon Black Cloud (Formerly PSC) Console: All Versions
  • Carbon Black Cloud (Formerly PSC) Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • Apple MacOS: All Supported Versions

Question

How are reputations assigned for New Files?

Answer

  1. Carbon Black Cloud allows the initial copying or creation of all files to a device
  2. A reputation request is queued upon file creation
  3. This request is sent in the next send window (every five minutes)
  4. If another file attempts to access the file, the sensor does not generate another reputation request
  5. The sensor will apply an UNKNOWN reputation until it receives a reputation from the Carbon Black Cloud
- Background Scan checks apply only to pre-existing files, so they are not applicable here
- Local Scanner checks apply only when the file is executed, so they also do not apply
- An UNKNOWN reputation typically means the sensor cannot reach the Carbon Black Cloud backend
 
Reputation Assignment Process, by On-Access File Scan Mode and Delay Execute for Cloud Scan setting:

On-Access File Scan Mode: Disabled; Delay Execute for Cloud Scan: N/A
  1. The sensor sends an expedited reputation request upon execute to the Carbon Black Cloud
  2. If the Carbon Black Cloud does not return a reputation within 15 seconds, then the sensor will use an UNKNOWN reputation until the reputation is refreshed by the Carbon Black Cloud post-execute
  3. The reputation will be applied to the file as soon as the Carbon Black Cloud returns a reputation

On-Access File Scan Mode: Aggressive or Normal; Delay Execute for Cloud Scan: Disabled
  1. The sensor concurrently requests a reputation from the Carbon Black Cloud and local scanner
  2. If the local scanner returns a reputation first then apply the reputation
  3. If the Carbon Black Cloud returns a reputation first then apply reputation unless:
    • The PSC reputation is NOT_LISTED. If so, then wait up to 5 seconds for local scanner
    • If local scanner doesn't return in 5 seconds then assign NOT_LISTED reputation
  4. NO REPUTATION: Use Unknown if both requests time out

On-Access File Scan Mode: Aggressive or Normal; Delay Execute for Cloud Scan: Enabled
  1. The sensor concurrently requests a reputation from the Carbon Black Cloud and local scanner
  2. If the local scanner returns a reputation first then apply the reputation unless:
    • The local scanner reputation is NOT_LISTED. If so, then wait up to 15 seconds for the PSC
    • If the Carbon Black Cloud doesn't return in 15 seconds then assign NOT_LISTED reputation
  3. If the Carbon Black Cloud returns first then apply reputation unless:
    • The Carbon Black Cloud reputation is NOT_LISTED. If so, then wait up to 5 seconds for local scanner
    • If local scanner doesn't return in 5 seconds then assign NOT_LISTED reputation
  4. NO REPUTATION: Use Unknown if both requests time out

- The Delay Execute for Cloud Scan option only applies if the Local Scanner is active on the device and the local scanner returns a NOT_LISTED reputation
- The Delay Execute for Cloud Scan option only applies to new files, not to pre-existing files. If malware already existed on the machine before the sensor was installed, the delay execute feature will NOT prevent the malware from running. This can be addressed using Background Scan.
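
The decision rules above, written out as a small model so that policy reviewers can see which reputation a new file gets at execute for a given pair of response times. This is an added example, not Carbon Black code: the function name, the `DEFINITE` placeholder label, the tie-break, and measuring each wait from the first response are assumptions.

```python
from typing import Optional, Tuple

# (reputation, seconds after the execute attempt); None = that request timed out
Response = Optional[Tuple[str, float]]

CLOUD_WAIT_S = 15  # article: wait for the Carbon Black Cloud
LOCAL_WAIT_S = 5   # article: wait for the local scanner

def reputation_at_execute(scan_on: bool, delay_execute: bool,
                          cloud: Response, local: Response) -> str:
    """Reputation the sensor applies to a new file, per the rules above."""
    if not scan_on:
        # On-Access File Scan Mode Disabled: expedited cloud request only.
        if cloud is not None and cloud[1] <= CLOUD_WAIT_S:
            return cloud[0]
        return "UNKNOWN"  # refreshed later, post-execute
    if cloud is None and local is None:
        return "UNKNOWN"  # both requests timed out
    # Assumption: on an exact tie the local scanner counts as first.
    local_first = local is not None and (cloud is None or local[1] <= cloud[1])
    first, second = (local, cloud) if local_first else (cloud, local)
    if first[0] != "NOT_LISTED":
        return first[0]
    if local_first and not delay_execute:
        return "NOT_LISTED"  # delay disabled: local answer applied as-is
    # Assumption: the wait is measured from the first response.
    wait = CLOUD_WAIT_S if local_first else LOCAL_WAIT_S
    if second is not None and second[1] - first[1] <= wait:
        return second[0]
    return "NOT_LISTED"

if __name__ == "__main__":
    # Constructed timings; "DEFINITE" stands for any definite reputation.
    cloud, local = ("DEFINITE", 9.0), ("NOT_LISTED", 1.0)
    for delay in (False, True):
        result = reputation_at_execute(True, delay, cloud, local)
        print(f"delay_execute={delay}: {result}")
```

With the same constructed timings, the file runs as NOT_LISTED when Delay Execute for Cloud Scan is disabled and receives the cloud's definite reputation when it is enabled.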

Additional Notes

  • Pre-Existing Files: Files that existed on the device prior to the sensor being installed
  • New Files: Files that are created or downloaded on the device after the sensor is installed
  • Network Files: Files that exist on network drives
  • No Execute: Pre-existing files which never executed or new files that were dropped or created on the hard disk but never executed
  • Pre-Execute: Pre-execute refers to the first time that a file is attempting to execute
  • Post-Execute: Post-execute refers to files which are already running or which have run before
  • Definite Reputation: Anything other than NOT_LISTED or UNKNOWN

Article Information

Creation Date: 07-31-2018