Environment
- Cb Defense Web Console: All Versions
- Cb Defense Sensor: All Versions
- Microsoft Windows: All Supported Versions
- Apple Mac OS: All Supported Versions
Question
What does HEURISTIC mean as an application reputation on the Cb Defense Investigate page?
Answer
- HEURISTIC reputation is applied when a file is suspected to be malicious based on a set of attributes
- It generally indicates a level of confidence above SUSPECT_MALWARE, but still below KNOWN_MALWARE reputation
- When it comes to enforcing policy rules, HEURISTIC is treated the same as SUSPECT_MALWARE
Additional Notes
- Because Cb Defense employs a variety of analysis techniques, the reputation of a file can change over time as different techniques take effect (e.g. it can be upgraded to KNOWN_MALWARE)
- Other values that can be returned for suspicious files are PUA (Potentially Unwanted Application, also known as PUP) and ADWARE. PUA/PUP indicates the lowest level of confidence; ADWARE is a step above that, followed by SUSPECT_MALWARE and then HEURISTIC
- In policy rules, PUP and ADWARE are separate from SUSPECT_MALWARE (which includes HEURISTIC, per this article) and KNOWN_MALWARE (full confidence)
Related Content
- Cb Defense: Reputation Priority
- Cb Defense: How are Reputations Assigned?
- Cb Defense: How Are Reputations Assigned for Pre-Existing Files?
- Cb Defense: How Are Reputations Assigned for New Files?
- Cb Defense: How Are Reputations Assigned for Network Files?
- Cb Defense: How to Confirm the Applied Hash Reputation in Events
- Cb Defense: Difference Between "Not_listed" and "Unknown" Reputation
- Cb Defense: Difference in whitelisting by hash versus Certs or IT Tools