Environment
- Cb Defense - All Versions.
- Sensor version 3.0 and above.
Question
Why isn't the reputation updated from NOT_LISTED to LOCAL_WHITE when the Certificate or IT Tools whitelisting methods are used?
Answer
- The hash reputation will always be displayed in the Investigate > Application tabs: Selected App, Target App, Parent App.
- The LOCAL_WHITE reputation is not hash-based. It applies to pre-existing files (files which existed prior to the sensor installation), as well as files signed by a whitelisted certificate, or files that are created by a whitelisted IT Tool.
- This behavior is by design, for increased visibility, especially if the application was updated to a Malware reputation.
Additional Notes
To see if the Certificate or IT Tools reputation was applied to the application when it executed, you can check the event details. In the event details, the "App Reputation (applied, [source])" field will display the reputation applied at the time of the event.
The [source] field will display the source of the file's reputation when it was applied, for example: pre-existing, cert, etc.
For instance, in the example below, the reputation of NOT_LISTED is the hash-based reputation, but the LOCAL_WHITE reputation was applied because the certificate of the file was whitelisted.
App Reputation: NOT_LISTED
App Reputation (applied, cert whitelisting): LOCAL_WHITE
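The following Python script is an added example, not part of the original article and not Cb Defense code. It reads event-detail text using the two field labels shown above and marks events where a whitelist-applied reputation was used although the hash reputation is a malware one. The blank-line-separated input layout, the sample records and the names in MALWARE_REPUTATIONS are assumptions.

```python
import re

# Field labels exactly as shown in this article's event-details example.
HASH_RE = re.compile(r"App Reputation:\s*(\w+)")
APPLIED_RE = re.compile(r"App Reputation \(applied,\s*([^)]+)\):\s*(\w+)")

# Assumption: reputation names to treat as malware; adjust to your console.
MALWARE_REPUTATIONS = {"KNOWN_MALWARE", "SUSPECT_MALWARE"}

def parse_events(text):
    """Parse blank-line-separated event blocks (assumed layout) into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        h = HASH_RE.search(block)
        a = APPLIED_RE.search(block)
        if not (h or a):
            continue  # block carries neither reputation field
        events.append({
            "hash_rep": h.group(1) if h else None,
            "applied_rep": a.group(2) if a else None,
            "source": a.group(1).strip() if a else None,
        })
    return events

def classify(event):
    """Relate the reputation applied at execution to the hash reputation."""
    if event["hash_rep"] is None or event["applied_rep"] is None:
        return "incomplete"   # one of the two fields is missing
    if event["applied_rep"] == event["hash_rep"]:
        return "same"         # hash reputation was the one applied
    if event["hash_rep"] in MALWARE_REPUTATIONS:
        return "review"       # whitelisting applied over a malware hash
    return "override"         # e.g. NOT_LISTED hash, LOCAL_WHITE applied

# Constructed sample records, modelled on the example in this article.
SAMPLE = """\
App Reputation: NOT_LISTED
App Reputation (applied, cert whitelisting): LOCAL_WHITE

App Reputation: KNOWN_MALWARE
App Reputation (applied, pre-existing): LOCAL_WHITE

App Reputation: NOT_LISTED
"""

if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(classify(ev), ev)
```

Events classified as "review" are the case the Answer section calls out: the hash reputation shows malware while the file ran under a LOCAL_WHITE reputation from a certificate, IT Tool or pre-existing source.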
Related Content
https://community.carbonblack.com/docs/DOC-7247
Cb Defense: How to Utilize Certs Whitelist Feature
Cb Defense: How to Utilize IT Tools Whitelist Feature
Cb Defense: Difference in whitelisting by hash versus Certs or IT Tools