Version
Cb Defense - All Backend & Sensor Versions
Topic
What is the difference between "Not_listed" and "Unknown" reputation?
Q/A
Question 1
What is the "Unknown" reputation?
Answer
"Unknown" reputation indicates that there is no response from any of the reputation sources normally used by Cb Defense Sensor (Local Scanner or Cloud, including user-defined Whitelist/Blacklist).
Question 2
In which situation will an app have "Unknown" reputation?
Answer
"Unknown" reputation is assigned to an application dropped on the device when sensor doesn’t have Local Scanner feature enabled (see Cb Defense: How To Configure Local AV Scan) and no network connection is available to Cb Defense Cloud, i.e. reputation cannot be established from either source.
Question 3
What is the "Not_listed" reputation?
Answer
"Not_listed" reputation is based on the response from Local Scanner or Cloud. It means that after checking the hash, no record could be found about it, i.e. it is not listed in the reputation database.
Question 4
In which situation will an app have "Not_listed" reputation?
Answer
"Not_listed" reputation is assigned to an application when it is dropped on the device and sensor successfully checks its hash with Local Scanner or Cloud, but cannot find any information/record about it.
Question 5
What is the difference between "Not_listed" and "Unknown" reputation?
Answer
"Unknown" means sensor is unable to check any reputation source (Local Scanner or Cloud) for that application. Once the sensor has Local Scanner feature enabled or re-establishes connection to Cb Defense Cloud, "Unknown" reputation will be updated.
"Not_listed" means sensor successfully checked app reputation with Local Scanner, Cloud, or both, but no record was found of its reputation. "Not_listed" reputation will be updated after new reputation information is available from either Local Scanner or Cloud.
Question 6
What is the benefit of a "Blocking and Isolation" policy rule based on "Unknown" reputation?
Answer
Such rule can help prevent new applications from executing or performing certain operations before their reputation can be established, thus reducing security risks (e.g. a laptop of a traveling employee who stays offline for a while, but copies new files to the device from a USB Flash drive ). By nature, a rule based on "Unknown" reputation is likely to produce some false positives, result in blocking/termination of legitimate applications that are new to the device while it's offline. Enabling Local Scanner feature of Cb Defense Windows Sensor can help strengthen offline protection while reducing the chance of a common application receiving "Unknown" reputation.
Question 7
What is the benefit of a "Blocking and Isolation" policy rule based on "Not_listed" reputation?
Answer
Such rule can help prevent applications whose reputation cannot be definitively established from executing or performing certain operations that may be indicative of a malicious activity (e.g. zero-day or polymorphic malware; custom scripts, Office, PDF documents that may contain malicious payload). By nature, a rule based on "Not_listed" reputation is likely to produce some false positives, result in blocking/termination of legitimate applications, particularly when installing latest software updates. To reduce the chance of false positives such rule is best used in conjunction with various whitelisting methods offered by Cb Defense, including Certs and IT Tools whitelisting (see Cb Defense: Methods to Whitelist Applications).
Related Content
Cb Defense: Difference in whitelisting by hash versus Certs or IT Tools
Cb Defense: File Reputation Priority
