Carbon Black Cloud: Why Are Reputations Different Between VirusTotal and the Web Console?

Environment

  • Carbon Black Cloud Web Console: All Versions
  • Carbon Black Cloud Sensor: All Versions

Question

Why does the reputation of a hash in Carbon Black Cloud differ from the reputation of the same hash in VirusTotal?

Answer

  • Carbon Black Cloud uses the CB Collective Defense Cloud as its main source of reputation information.
  • The Collective Defense Cloud does not ingest malware (or reputations in general) from VirusTotal.
  • The presence or detection of a file in VirusTotal does not indicate that the Carbon Black Cloud will have a reputation on that file, or that the reputations will match.

Additional Notes

  • Carbon Black has multiple methods for ingesting files and leverages a number of internal and external data sources to generate reputation. While a single source of information may be valuable, a detection in that source does not always mean we will see the same file as malicious.
  • From the Alerts and Investigate Page, there is an option to Take Action > "Find in VirusTotal" for a process. This option has led some to believe the reputations should match, but this is not the case. The option lets CBC Administrators check the reputation of a given hash against another, publicly available source.
  • If there are other reasons (e.g., known good software, or seemingly malicious behavior that is actually legitimate) to believe that a process is legitimate and the CBC reputation is incorrect (false positive), please collect the information requested in "All Products: How to report Malware False Positives to VMware Carbon Black?" and open a Support Case.

Article Information

Creation Date: 06-12-2018