Carbon Black Cloud: Why Are Reputations Different Between VirusTotal and the Web Console?
Carbon Black Cloud Web Console: All Versions
Carbon Black Cloud Sensor: All Versions
Why does the reputation of a hash in Carbon Black Cloud differ from the reputation of the same hash in VirusTotal?
Carbon Black Cloud uses the CB Collective Defense Cloud as its main source of reputation information.
The Collective Defense Cloud does not ingest malware (or reputations in general) from VirusTotal.
The presence or detection of a file in VirusTotal does not indicate that the Carbon Black Cloud will have a reputation on that file, or that the reputations will match.
Carbon Black has multiple methods for ingesting files and leverages a number of internal and external data sources to generate reputation. While a single source of information may be valuable, it does not always mean we will see the same file as malicious.
From the Alerts and Investigate pages, there is an option to Take Action > "Find in VirusTotal" for a process. This option has led some to believe the reputations should match, but this is not the case. The option allows CBC Administrators to check the reputation of a given hash via another, publicly available source.