Environment
- Carbon Black Cloud Console: All Versions
- Endpoint Standard Sensor: All Versions
- Microsoft Windows: All Supported Versions
- Apple macOS: All Supported Versions
Question
How do reputations work in Carbon Black Cloud (CBC)? Is there a set order for which reputation gets used if there is more than one?
Answer
The following reputations can be found in CBC. Different reputations have different priorities, which affects the triggering of Alerts, relative Priority Scores, Policy Actions (deny, terminate, allow), etc.
| Priority (descending order) | Reputation | Description |
|---|---|---|
| 1 | Ignore | Highest Priority. Files that Carbon Black gives full permission to run, typically Carbon Black products |
| 2 | Company Allowed | Hashes manually added to the Company Allowed List (Endpoint Standard: How to add a SHA256 hash to Approved/Banned List) |
| 3 | Company Banned | Hashes manually added to the Company Banned List (Endpoint Standard: How to add a SHA256 hash to Approved/Banned List) |
| 4 | Trusted White | Known good by Carbon Black from the cloud and/or local scanner |
| 5 | Known Malware | Known bad by Carbon Black from the cloud and/or local scanner |
| 6 | Suspect/Heuristic Malware | Suspect malware detected by Carbon Black, but not necessarily malicious |
| 7 | Adware/PUP Malware | Adware and Potentially Unwanted Programs detected by Carbon Black |
| 8 | Local White | Any of the following conditions: |
| 9 | Common White | Any of the following conditions: hash not on any known good or known bad lists AND file is signed; hash previously analyzed AND not on any known good or known bad lists |
| 10 | Not Listed/Adaptive White | |
| 11 | Unknown | Lowest Priority. Sensor observes file drop, but does not yet have reputation from the cloud or local scanner (Cb Defense: Difference Between "Not_listed" and "Unknown" Reputation) |
Additional Notes
- The Reputation displayed under the App tabs (Parent, Selected, Target) on the Investigate page is the current reputation in the Predictive Security Cloud (PSC)
- Within the details of an Event (expanded Event information), there can be two reputations per hash/application:
  - (Parent, App, Target) reputation: the cloud reputation available at the time of the Event, primarily for informational purposes
  - (Parent, App, Target) reputation (applied, <source>): the reputation available to the CBC Sensor on the endpoint at the time of the Event; this is the reputation that influences Policy Actions
- Each time a given hash tries to run, a new request for Reputation occurs
- If a file receives a higher-priority reputation on a new execution, the new reputation will override the older, lower-priority reputation.
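
The priority order and the cloud-versus-applied distinction described above, as an added example (not Carbon Black code): it picks the winning reputation for a hash, replays the override rule across executions, and flags events where the sensor applied a lower-priority reputation than the cloud held at that time. The record fields `hash`, `cloud` and `applied`, the sample events, and the rule that a lower-priority result leaves the held reputation unchanged are assumptions made for illustration.

```python
# Added illustration, not Carbon Black code. Priorities follow the table above
# (1 = highest, 11 = lowest), using the reputation names as the article gives them.
PRIORITY = {
    "Ignore": 1, "Company Allowed": 2, "Company Banned": 3,
    "Trusted White": 4, "Known Malware": 5, "Suspect/Heuristic Malware": 6,
    "Adware/PUP Malware": 7, "Local White": 8, "Common White": 9,
    "Not Listed/Adaptive White": 10, "Unknown": 11,
}

def resolve(candidates):
    """Return the reputation that wins when several apply to one hash."""
    return min(candidates, key=lambda rep: PRIORITY[rep])

def applied_history(lookups):
    """Replay one hash's per-execution lookups; return the reputation in force after each."""
    held, history = None, []
    for rep in lookups:
        # A higher-priority result overrides the held one. Assumption: a
        # lower-priority result leaves the held reputation unchanged.
        if held is None or PRIORITY[rep] < PRIORITY[held]:
            held = rep
        history.append(held)
    return history

def stale_applied(events):
    """List hashes whose applied (sensor) reputation ranked below the cloud one at event time."""
    return [e["hash"] for e in events
            if PRIORITY[e["applied"]] > PRIORITY[e["cloud"]]]

# Constructed sample events; field names are hypothetical, not a CBC export schema.
EVENTS = [
    {"hash": "hash-A", "cloud": "Trusted White", "applied": "Trusted White"},
    {"hash": "hash-B", "cloud": "Known Malware", "applied": "Unknown"},
    {"hash": "hash-C", "cloud": "Not Listed/Adaptive White", "applied": "Company Banned"},
]

if __name__ == "__main__":
    # An allow-list entry outranks both a ban and a Known Malware verdict.
    print(resolve(["Known Malware", "Company Banned", "Company Allowed"]))
    print(applied_history(["Unknown", "Not Listed/Adaptive White", "Known Malware"]))
    # Policy Actions for these hashes were decided on a weaker reputation
    # than the cloud already held.
    print(stale_applied(EVENTS))
```

In the sample data only `hash-B` is flagged: the sensor acted on Unknown while the cloud reputation was already Known Malware, which is the situation to check when an expected Policy Action did not fire.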