Endpoint Standard: Reputation Priority

Environment

  • Carbon Black Cloud Console: All Versions
  • Endpoint Standard Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions

Question

How do reputations work in Carbon Black Cloud (CBC)? Is there a set order for which reputation gets used if there is more than one?

Answer

CBC assigns each file hash one of the reputations listed below. Every reputation carries a priority; when more than one reputation applies to a hash (for example, one from the cloud, one from the local scanner, and one from a company list), the highest-priority reputation wins. That resolved reputation is what drives Alert triggering, relative Priority Scores, and Policy Actions (deny, terminate, allow).

Priority (descending order)   Reputation                  Description
1                             Ignore                      Highest priority. Files have full permission to run, granted by Carbon Black; typically Carbon Black products
2                             Company Allowed             Hashes manually added to the Company Allowed list
                                                          (Endpoint Standard: How to add a SHA256 hash to Approved/Banned List)
3                             Company Banned              Hashes manually added to the Company Banned list
                                                          (Endpoint Standard: How to add a SHA256 hash to Approved/Banned List)
4                             Trusted White               Known good to Carbon Black from the cloud and/or the local scanner
5                             Known Malware               Known bad to Carbon Black from the cloud and/or the local scanner
6                             Suspect/Heuristic Malware   Flagged as suspect by Carbon Black, but not necessarily malicious
7                             Adware/PUP Malware          Adware and Potentially Unwanted Programs detected by Carbon Black
8                             Local White                 Any of the following conditions:
9                             Common White                Any of the following conditions:
                                                            • Hash not on any known good or known bad list AND the file is signed
                                                            • Hash previously analyzed AND not on any known good or known bad list
10                            Not Listed/Adaptive White
11                            Unknown                     Lowest priority. The sensor observes the file drop but does not yet have a reputation from the cloud or local scanner
                                                          (Cb Defense: Difference Between "Not_listed" and "Unknown" Reputation)

Additional Notes

  • The Reputation shown under the App tabs (Parent, Selected, Target) on the Investigate page is the current reputation in the Predictive Security Cloud (PSC), i.e. what the cloud knows now, not necessarily what the sensor knew when the event occurred.
  • Within the details of an Event (expanded Event information), there can be two reputations per hash/application:
    • (Parent, App, Target) reputation: the cloud reputation available at the time of the Event, primarily for informational purposes
    • (Parent, App, Target) reputation (applied, <source>): the reputation available to the CBC Sensor on the endpoint at the time of the Event; this is the Reputation that influences Policy Actions, so it is the one to check when working out why a file was allowed or blocked
  • Each time a given hash attempts to run, the sensor issues a new reputation request.
  • If a file receives a higher-priority reputation on a new execution, the new reputation overrides the older, lower-priority reputation.
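
The priority table and the notes above describe a small resolution rule: among the reputations reported for a hash, the one with the highest priority wins, a higher-priority answer on a later execution replaces the earlier one, and the reputation that actually drove a policy action is the "(applied, <source>)" value rather than the current cloud value. The following is an added illustration of that rule in Python; it is not Carbon Black code or the CBC API. The enum names follow the reputation strings used in the CBC API as the author of this example understands them and should be treated as an assumption; the run histories and event record are constructed for the example. It also makes explicit a consequence of the table that is easy to miss: a hash that is on both company lists resolves to Company Allowed, because that list outranks Company Banned.

```python
from enum import IntEnum


class Reputation(IntEnum):
    """CBC reputations numbered by the priority in the table above
    (1 = highest). Names follow the CBC API reputation enum as the author
    of this example understands it; treat the names as an assumption."""
    IGNORE = 1
    COMPANY_WHITE_LIST = 2      # Company Allowed
    COMPANY_BLACK_LIST = 3      # Company Banned
    TRUSTED_WHITE_LIST = 4      # Trusted White
    KNOWN_MALWARE = 5
    SUSPECT_MALWARE = 6         # Suspect/Heuristic Malware
    PUP = 7                     # Adware/PUP Malware
    LOCAL_WHITE = 8
    COMMON_WHITE_LIST = 9
    ADAPTIVE_WHITE_LIST = 10    # Not Listed/Adaptive White
    UNKNOWN = 11


def effective_reputation(reported):
    """Pick the reputation that wins when several sources (cloud, local
    scanner, company lists) report different values for the same hash:
    the one with the smallest priority number. No answer at all means
    the sensor only has UNKNOWN."""
    return min(reported, default=Reputation.UNKNOWN)


def next_applied_reputation(current, newly_reported):
    """Override rule from the notes above: a higher-priority reputation
    returned on a new execution replaces the older one. The notes only
    state that direction, so a lower-priority answer is assumed here not
    to demote what the sensor already holds."""
    return newly_reported if newly_reported < current else current


def replay_executions(lookups):
    """Walk the reputation answers the sensor received on successive runs
    of one hash (a new lookup happens on every run) and return the
    applied reputation after each run."""
    applied = Reputation.UNKNOWN      # first drop: nothing from cloud/scanner yet
    trajectory = []
    for answer in lookups:
        applied = next_applied_reputation(applied, answer)
        trajectory.append(applied)
    return trajectory


def reputation_that_drove_policy(event):
    """Of the two reputations an expanded Event shows for a hash, the
    '(applied, <source>)' value is what the sensor had at the time and is
    what drove the policy action; the plain cloud value is informational.
    `event` is a constructed dict for this example, not the CBC event schema."""
    return event["applied"]


if __name__ == "__main__":
    # Hash on both company lists: Company Allowed outranks Company Banned.
    both = [Reputation.COMPANY_BLACK_LIST, Reputation.COMPANY_WHITE_LIST]
    print(effective_reputation(both).name)

    # Constructed run history: cloud says Not Listed on the first lookup,
    # the local scanner later flags it, the cloud then confirms it as
    # malware, and a later, lower-priority answer does not undo that.
    runs = [Reputation.ADAPTIVE_WHITE_LIST, Reputation.SUSPECT_MALWARE,
            Reputation.KNOWN_MALWARE, Reputation.COMMON_WHITE_LIST]
    print([r.name for r in replay_executions(runs)])

    # Constructed event: the cloud has since learned more than the sensor
    # had at execution time, so the two reputations differ.
    evt = {"cloud": Reputation.KNOWN_MALWARE,
           "applied": Reputation.ADAPTIVE_WHITE_LIST}
    print(reputation_that_drove_policy(evt).name)
```

When triaging an event where the Investigate page shows Known Malware but the file ran, compare the applied reputation first: if the sensor only had Not Listed/Adaptive White at execution time, the policy acted on that, and the cloud reputation displayed now is the later, higher-priority answer.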

Article Information
Creation Date: 06-09-2017