
Cb Defense: Why isn't the reputation updated to LOCAL WHITE?

Environment

  • Cb Defense - All Versions.
  • Sensor version 3.0 and above.

Question

Why isn't the reputation updated from NOT_LISTED to LOCAL_WHITE when the Certificate or IT Tools whitelisting methods are used?

Answer

  • The Investigate > Application tabs (Selected App, Target App, Parent App) always display the hash-based reputation of the file.
  • LOCAL_WHITE is not a hash-based reputation. It is applied to pre-existing files (files that were already on the endpoint before the sensor was installed), to files signed by a whitelisted certificate, and to files created by a whitelisted IT Tool. Because it is not tied to the hash, it does not replace the hash reputation shown in the console.
  • This is by design, for increased visibility: because the hash reputation stays visible, you can still see when the application's hash reputation changes, for example to a Malware reputation, even though the file continues to run as LOCAL_WHITE through certificate or IT Tool whitelisting.

Additional Notes

To confirm that the Certificate or IT Tools whitelisting was applied to an application when it executed, check the event details. The "App Reputation (applied, [source])" field shows the reputation the sensor actually applied at the time of the event, alongside the hash-based "App Reputation" field.

The [source] placeholder shows where the applied reputation came from, for example pre-existing or cert.

For instance, in the example below, the reputation of NOT_LISTED is the hash based reputation, but the LOCAL_WHITE reputation was applied because the certificate of the file was whitelisted.

App Reputation: NOT_LISTED
App Reputation (applied, cert whitelisting): LOCAL_WHITE
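When reviewing many events it helps to separate the two fields mechanically rather than by eye. The following is an added example, not code from the article or from Carbon Black: it parses event-detail text in the shape shown above, reports which whitelisting source produced LOCAL_WHITE, and flags the case the article calls out, where the hash reputation has moved to a malware reputation while the file still ran as LOCAL_WHITE. The sample event lines are constructed for this example; the malware reputation names (KNOWN_MALWARE, SUSPECT_MALWARE) and the "hash" source label are assumptions, not values the article documents.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Hash-based reputation, as displayed under Investigate > Application.
HASH_REP = re.compile(r"\bApp Reputation:\s*([A-Z_]+)")
# Reputation the sensor actually applied, with its source in brackets.
APPLIED_REP = re.compile(r"\bApp Reputation \(applied,\s*([^)]+)\):\s*([A-Z_]+)")

# Assumption: reputation names treated as malware for the review check.
MALWARE_REPS = {"KNOWN_MALWARE", "SUSPECT_MALWARE"}

# Constructed sample event details (not real Cb Defense output).
SAMPLE_EVENTS = [
    # The article's own example: hash unknown, certificate whitelisted.
    "App Reputation: NOT_LISTED App Reputation (applied, cert whitelisting): LOCAL_WHITE",
    # File already present before the sensor was installed.
    "App Reputation: NOT_LISTED App Reputation (applied, pre-existing): LOCAL_WHITE",
    # Hash later classified as malware while the cert whitelist still applies.
    "App Reputation: KNOWN_MALWARE App Reputation (applied, cert whitelisting): LOCAL_WHITE",
    # No whitelisting involved; "hash" as a source label is an assumption.
    "App Reputation: NOT_LISTED App Reputation (applied, hash): NOT_LISTED",
]


@dataclass
class EventReputation:
    hash_reputation: str
    applied_reputation: Optional[str]
    applied_source: Optional[str]

    @property
    def whitelisting_applied(self) -> bool:
        """True when a non-hash method (cert, IT Tool, pre-existing) produced LOCAL_WHITE."""
        return (self.applied_reputation == "LOCAL_WHITE"
                and self.applied_reputation != self.hash_reputation)

    @property
    def needs_review(self) -> bool:
        """The visibility case: hash reputation is malware, yet the file ran as LOCAL_WHITE."""
        return (self.hash_reputation in MALWARE_REPS
                and self.applied_reputation == "LOCAL_WHITE")


def parse_event(details: str) -> EventReputation:
    """Extract the hash-based and applied reputations from one event-detail string."""
    hash_match = HASH_REP.search(details)
    if not hash_match:
        raise ValueError("no 'App Reputation' field in event details")
    applied_match = APPLIED_REP.search(details)
    if not applied_match:
        return EventReputation(hash_match.group(1), None, None)
    return EventReputation(hash_match.group(1),
                           applied_match.group(2),
                           applied_match.group(1).strip())


def by_source(events: List[str]) -> Counter:
    """Count events by the source of the applied reputation."""
    return Counter(parse_event(e).applied_source for e in events)


def review_queue(events: List[str]) -> List[int]:
    """Indices of events where a malware hash reputation was overridden by LOCAL_WHITE."""
    return [i for i, e in enumerate(events) if parse_event(e).needs_review]


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_EVENTS):
        ev = parse_event(line)
        print(i, ev.hash_reputation, "->", ev.applied_reputation,
              f"via {ev.applied_source}", "(REVIEW)" if ev.needs_review else "")
    print("by source:", dict(by_source(SAMPLE_EVENTS)))
```

The review check is the practical consequence of the article's point: because the console keeps showing the hash reputation, a certificate-whitelisted file whose hash later turns up as malware is visible, but only if someone compares the two fields. Running this over exported event details makes that comparison routine.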

Related Content

https://community.carbonblack.com/docs/DOC-7247

Cb Defense: How to Utilize Certs Whitelist Feature

Cb Defense: How to Utilize IT Tools Whitelist Feature

Cb Defense: Difference in whitelisting by hash versus Certs or IT Tools

Article Information
Creation Date: 12-17-2017