Knowledge Base

Yes

Environment

This article provides the introduction to confirm the effective or applied reputation in events from VMware Carbon Black Cloud Console

Log into Console
Go to Alerts page and locate desired Alert (alert_id)
Go to Alert Triage page for alert_id
Expand Event details below process tree
Review details of desired process for event_id of interest (Parent, Process, or Target)
Effective reputation is what reputation was applied at time of event on endpoint

Reputation Field	Description
Parent reputation Process reputation Target reputation	Reputation in Carbon Black Cloud as of the time of the Event; differences between this and effective reputation indicate the Sensor did not have this reputation at the time of the Event
Parent effective reputation Process effective reputation Target effective reputation	Reputation the Sensor had in memory at the time of the Event, and which was used in making Policy Action decisions
Parent effective reputation source Process effective reputation source Target effective reputation source	Approved Database (was white database): Sensor applied the Predictive Security Cloud (PSC) Whitelist Database AV (was AV scan): Reputation came from Local Scanner (Windows only) Cloud: Reputation came from Carbon Black Cloud Cert (was cert whitelisting/approval): Reputation came from Cert Approval, resulting in LOCAL_APPROVED_LIST reputation Hash Rep (was hash reputation list): Reputation came from Company Approval/Banning (was Whitelist/Blacklist) Ignore: Reputation assigned to VMware Carbon Black files IT tools: Reputation came from IT Tools Approval, resulting in LOCAL_APPROVED_LIST reputation Pre-existing: Reputation came from being identified as a "Pre-existing" file (typically via Background Scan), resulting in LOCAL_APPROVED_LIST reputation