
Cb Defense: How to Confirm the Applied Hash Reputation in Events

Environment

  • Cb Defense All Backends
  • Cb Defense Sensor: Windows 2.0+, Mac 2.0+

Objective

This article explains how to confirm, from the Cb Defense Console, which hash reputation the sensor applied to an event.

Resolution

Steps:

  1. Log into Cb Defense Console.
  2. Locate the event you want to check on the Investigate page.
  3. Expand the event details by clicking the arrow ">" on the left side of the event entry.
  4. Look for the sensor applied reputation by finding "(applied, xxx)" information in event details:
    • "(applied, cloud)": Sensor applied the hash reputation from CDC cloud.
    • "(applied, AV scan)": Sensor applied the hash reputation from local AV scanner.
    • "(applied, pre-existing)": Sensor treated the hash as a "Pre-existing" file, and gave it a "Local_white" reputation.
    • "(applied, cert whitelisting)": Sensor applied the Cert Whitelist to give this hash a "Local_white" reputation.
    • "(applied, IT tools)": Sensor applied the IT Tools Whitelist to give this hash a "Local_white" reputation.
    • "(applied, hash reputation list)": Sensor applied the Company Whitelist/Blacklist database reputation.
    • "(applied, white database)": Sensor applied the Predictive Security Cloud (PSC) Whitelist Database.

Additional Notes

  • Reputation information in the event details that has no "(applied, xxx)" marker only indicates the Cloud reputation of the hash at the time of the event, which is not necessarily the reputation the sensor applied.
    • For example, "Target Reputation: TRUSTED_WHITE_LIST", "App reputation: TRUSTED_WHITE_LIST", etc.
  • Reputation information in the "Selected App", "Parent App" or "Target App" tabs always shows the current Cloud reputation of the hash.
    • For example, "Reputation: TRUSTED_WHITE_LIST", "Reputation: KNOWN_MALWARE", etc.
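
The following Python example is added here and is not VMware/Carbon Black code. It applies the distinction above to event-detail text copied out of the console: it extracts the "(applied, xxx)" marker, keeps it separate from the Cloud reputation shown at event time, and flags events where a local allow source was applied while the Cloud reputation read KNOWN_MALWARE. The triage() function, the REVIEW_IF_CLOUD set and the layout of the sample strings are assumptions made for illustration.

```python
import re

# "(applied, xxx)" markers and the local reputation each one implies,
# as listed in this article (None = the article names no fixed value).
APPLIED_SOURCES = {
    "cloud": None,
    "AV scan": None,
    "pre-existing": "Local_white",
    "cert whitelisting": "Local_white",
    "IT tools": "Local_white",
    "hash reputation list": None,
    "white database": None,
}
# Assumption: cloud values that deserve review when a local allow was applied.
# Only KNOWN_MALWARE appears in the article; extend for your environment.
REVIEW_IF_CLOUD = {"KNOWN_MALWARE"}

APPLIED_RE = re.compile(r"\(applied,\s*([^)]+?)\s*\)")
CLOUD_RE = re.compile(r"(?:Target|App) [Rr]eputation:\s*([A-Z_]+)")


def triage(event_text):
    """Split the sensor-applied source from the cloud reputation at event
    time and flag local allows applied despite a bad cloud verdict."""
    applied = APPLIED_RE.search(event_text)
    source = applied.group(1) if applied else None
    cloud = set(CLOUD_RE.findall(event_text))
    local = APPLIED_SOURCES.get(source)
    if source is None:
        status = "no applied marker: cloud reputation only"
    elif source not in APPLIED_SOURCES:
        status = "unknown applied source"
    elif local == "Local_white" and cloud & REVIEW_IF_CLOUD:
        status = "review: local allow applied despite cloud verdict"
    else:
        status = "ok"
    return {"source": source, "local": local, "cloud": cloud, "status": status}


# Constructed event-detail text; real console wording will differ.
SAMPLES = [
    "App reputation: KNOWN_MALWARE (applied, IT tools)",
    "Target Reputation: TRUSTED_WHITE_LIST (applied, cloud)",
    "App reputation: TRUSTED_WHITE_LIST",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(triage(text)["status"], "<-", text)
```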

Related Content

Cb Defense: How to Confirm Reputation of a Hash at the Time of Policy Action

Cb Defense: Reputation Priority

Cb Defense: Methods to Whitelist Applications

Creation Date: 06-25-2018