Cb Defense: Why isn't the reputation updated to LOCAL_WHITE?
Cb Defense - All Versions.
Sensor version 3.0 and above.
Why isn't the reputation updated from NOT_LISTED to LOCAL_WHITE when the Certificate or IT Tools whitelisting methods are used?
The hash reputation will always be displayed in the Investigate > Application tabs: Selected App, Target App, Parent App.
The LOCAL_WHITE reputation is not hash-based. It applies to pre-existing files (files which existed prior to the sensor installation), as well as files signed by a whitelisted certificate, or files that are created by a whitelisted IT Tool.
This behavior is by design: it provides increased visibility, especially if the application was updated to a Malware reputation.
To see if the Certificate or IT Tools reputation was applied to the application when it executed, you can check the event details. In the event details, the "App Reputation (applied, [source])" field will display the reputation applied at the time of the event.
The [source] field will display the source of the file's reputation when it was applied, for example: pre-existing, cert, etc.
For instance, in the example below, the reputation of NOT_LISTED is the hash-based reputation, but the LOCAL_WHITE reputation was applied because the certificate of the file was whitelisted.