Carbon Black Cloud: Why Are Reputations Different Between VirusTotal and the Web Console?

Environment

  • Carbon Black Cloud Web Console: All Versions
  • Carbon Black Cloud Sensor: All Versions

Question

Why does the reputation of a hash in Carbon Black Cloud differ from the reputation of the same hash in VirusTotal?

Answer

  • Carbon Black Cloud uses the CB Collective Defense Cloud as its main source of reputation information.
  • The Collective Defense Cloud does not ingest malware (or reputations in general) from VirusTotal.
  • The presence or detection of a file in VirusTotal does not indicate that the Carbon Black Cloud will have a reputation on that file, or that the reputations will match.

Additional Notes

  • Carbon Black has multiple methods for ingesting files and leverages a number of internal and external data sources to generate reputation. While a single source of information may be valuable, its verdict does not always mean we will see the same file as malicious.
  • From the Alerts and Investigate pages, there is an option to Take Action > "Find in VirusTotal" for a process. This option has led some to believe the reputations should match, but this is not the case. The option allows CBC Administrators to check the reputation of a given hash via another, publicly available source.
  • If there are other reasons (e.g. known good software, seemingly malicious behavior that is actually legitimate, etc.) to believe that a process is legitimate and the CBC reputation is incorrect (false positive), please collect the information requested in All Products: How to report Malware False Positives to VMware Carbon Black? and open a Support Case.

Article Information
Creation Date: 06-12-2018