Environment
- Carbon Black Console: All Versions
Question
What do the Reputation values mean for different locations on the Investigate Page?
Answer
There are three different reputations which can be seen for all applications tied to an Event. The table below provides more detail
Reputation types
| Name | Investigate page Location | Description |
|---|
| Reputation | Selected/Target/Parent App tabs, above Event list | Current reputation in the Carbon Black Cloud (Formerly Predictive Security Cloud - PSC) |
| App/Parent/Target Reputation | Expanded Event details | Carbon Black Cloud reputation for hash, matched to the time of the Event after uploading to the Carbon Black Cloud for analysis |
| App/Parent/Target Reputation (applied, {source}) | Expanded Event details | Highest priority reputation (from all sources) the Sensor had at the time of the Event; used to determine whether to take action based on Policy Rules. Sent up to the Carbon Black Cloud from the Sensor |
Reputation sources
| Source | Description |
|---|
| cloud | Sensor applied the hash reputation from Carbon Black Cloud |
| AV scan | Sensor applied the hash reputation from local AV scanner |
| pre-existing | Sensor treated the hash as "Pre-existing" file, and gave it a "Local_white" reputation |
| cert whitelisting | Sensor applied the Cert Approved list to give this hash a "Local_white" reputation |
| IT tools | Sensor applied the IT Tools Approved list to give this hash a "Local_white" reputation |
| hash reputation list | Sensor applied the Company Approved list/Banned list database reputation |
| white database | Sensor applied the Carbon Black Cloud Approved list Database |
Additional Notes
- The Reputation in the Tabs for Selected, Parent and Target Apps is the current Carbon Black Cloud Reputation for the Hash
- While the Event Details will show the the data at time of execution, these Tabs are the current values for comparison and to show updates
Related Content
