
Cb Defense: Difference in whitelisting by hash versus Certs or IT Tools

Version

Cb Defense - Windows Sensor versions 2.0.1.x+

The Cb Defense Mac Sensor supports the Certs and IT Tools whitelisting options starting with the Mac 3.0 sensor.

Topic

This document explains the difference in file reputation that results from whitelisting by hash (Cb Defense: How to whitelist or blacklist a hash) versus by using the Certs (Cb Defense: How to Utilize Certs Whitelist Feature) or IT Tools (Cb Defense: How to Utilize IT Tools Whitelist Feature) options.

Q/A

Question 1

What is the difference in file reputation when whitelisting by hash versus Certs or IT Tools?

Answer

Whitelisting by hash results in the COMPANY_WHITE_LIST reputation (aka Company Whitelist). It has the highest priority in the reputation list (Cb Defense: File Reputation Priority), and no other reputation takes precedence over it. In other words, the Company Whitelist reputation creates absolute trust for the whitelisted hash.

Whitelisting by Certs or IT Tools results in the LOCAL_WHITE reputation (aka Local White), which has a lower priority in the reputation list and can be overridden by any reputation other than NOT_LISTED, UNKNOWN and COMMON_WHITE, i.e. by the ones that are higher on the list. For example, if an application is determined to be Known Malware, it may still be blocked/terminated per policy rules despite being signed with a whitelisted certificate. Additionally, Local White bypasses the delayed execution that is normally applied to new/previously unseen files (Cb Defense: What is the "Delay Execute for Cloud Scan" policy setting?), allowing the application to run while its final reputation is established in the background. In other words, the Local White reputation creates temporary/initial, but not absolute, trust for files signed with a whitelisted certificate (Certs) or running from a whitelisted path (IT Tools).

Question 2

In which cases will Certs Whitelist help?

Answer

Since the Certs whitelisting option provides a way to give a temporary/initial whitelist reputation (Local White) to files signed by trusted publishers, it is useful when there are frequent software updates from those publishers and no reputation is available yet for the latest version of the application (i.e. the latest version receives the NOT_LISTED reputation because it is so new). As a result, using Certs whitelisting can help reduce unwanted blocks/terminations caused by a Blocking and Isolation policy rule based on the NOT_LISTED or UNKNOWN reputation (Cb Defense: Difference Between "Not_listed" and "Unknown" Reputation).

Question 3

In which cases will IT Tools whitelist help?

Answer

Since the IT Tools whitelisting option provides a way to give a temporary/initial whitelist reputation (Local White) to files generated by a trusted application or path (IT Tools), it is useful when new files are dropped by an application or disk location that the user already trusts even though the files have no known good reputation (e.g. the various specialized utilities or custom scripts used by an organization's IT staff, which by their nature often receive the NOT_LISTED reputation). As with Certs, using IT Tools can help reduce unwanted blocks/terminations caused by a Blocking and Isolation policy rule based on the NOT_LISTED or UNKNOWN reputation.
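The three answers above describe one precedence rule from several angles. The following Python model is an added example, not Carbon Black or Cb Defense code; it encodes only what this article states (hash whitelist gives COMPANY_WHITE_LIST with absolute trust; Certs and IT Tools give LOCAL_WHITE, which displaces only NOT_LISTED, UNKNOWN and COMMON_WHITE) and walks through the scenarios from Questions 1 to 3. KNOWN_MALWARE is an assumed label for the article's "Known Malware", prefix matching for IT Tools paths and the delay rule are simplifying assumptions, and every hash, signer and path is a constructed sample value.

```python
"""Toy model of the Cb Defense reputation precedence described in this article.

Added example, not Carbon Black code. KNOWN_MALWARE is an assumed label for
"Known Malware"; path-prefix matching and the delay rule are assumptions;
all hashes, signers and paths are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

COMPANY_WHITE_LIST = "COMPANY_WHITE_LIST"  # hash whitelist: nothing overrides it
LOCAL_WHITE = "LOCAL_WHITE"                # Certs / IT Tools: initial trust only
KNOWN_MALWARE = "KNOWN_MALWARE"            # assumed label for "Known Malware"
COMMON_WHITE = "COMMON_WHITE"
UNKNOWN = "UNKNOWN"
NOT_LISTED = "NOT_LISTED"

# Cloud reputations that LOCAL_WHITE takes precedence over (Answer 1).
# Anything else, e.g. KNOWN_MALWARE, is higher on the list and wins.
DISPLACED_BY_LOCAL_WHITE = {NOT_LISTED, UNKNOWN, COMMON_WHITE}


@dataclass(frozen=True)
class FileEvent:
    sha256: str             # constructed placeholder, not a real hash
    signer: Optional[str]   # certificate publisher, None if unsigned
    path: str               # on-disk location the file runs from
    cloud_reputation: str   # what the cloud currently knows about the hash


@dataclass
class WhitelistConfig:
    hashes: Set[str] = field(default_factory=set)         # "whitelist by hash"
    certs: Set[str] = field(default_factory=set)          # "Certs" feature
    it_tool_paths: Set[str] = field(default_factory=set)  # "IT Tools" feature


def effective_reputation(ev: FileEvent, cfg: WhitelistConfig) -> str:
    """Resolve the reputation the sensor acts on, per the article's ordering."""
    if ev.sha256 in cfg.hashes:
        return COMPANY_WHITE_LIST  # absolute trust, no override possible
    locally_trusted = ev.signer in cfg.certs or any(
        ev.path.startswith(prefix) for prefix in cfg.it_tool_paths  # assumed prefix match
    )
    if locally_trusted and ev.cloud_reputation in DISPLACED_BY_LOCAL_WHITE:
        return LOCAL_WHITE         # initial trust for new/unknown files
    return ev.cloud_reputation     # higher-priority cloud verdict wins


def evaluate(ev: FileEvent, cfg: WhitelistConfig,
             block_reputations: Set[str]) -> Tuple[str, bool, bool]:
    """Return (effective reputation, blocked by policy?, delayed for cloud scan?)."""
    rep = effective_reputation(ev, cfg)
    blocked = rep in block_reputations
    # Assumption: "Delay Execute for Cloud Scan" applies to previously unseen
    # files unless a whitelist reputation (Company or Local White) is in effect.
    delayed = ev.cloud_reputation == NOT_LISTED and rep not in {COMPANY_WHITE_LIST, LOCAL_WHITE}
    return rep, blocked, delayed


def run_scenarios() -> dict:
    """Walk the cases from Questions 1-3 against one constructed whitelist config."""
    cfg = WhitelistConfig(
        hashes={"HASH_LEGACY_TOOL"},
        certs={"Trusted Publisher Inc"},
        it_tool_paths={"C:\\IT\\Scripts\\"},
    )
    # Policy modelled on the article: block NOT_LISTED/UNKNOWN and known malware.
    policy = {NOT_LISTED, UNKNOWN, KNOWN_MALWARE}
    events = {
        # Q2: brand-new release from a trusted publisher, no cloud verdict yet
        "new_release_signed": FileEvent("HASH_NEW_RELEASE", "Trusted Publisher Inc",
                                        "C:\\Program Files\\App\\app.exe", NOT_LISTED),
        # Q1: known malware signed with a whitelisted cert is still blocked
        "malware_signed": FileEvent("HASH_BAD", "Trusted Publisher Inc",
                                    "C:\\Users\\Public\\tool.exe", KNOWN_MALWARE),
        # Q3: custom IT script dropped into a whitelisted IT Tools location
        "it_script": FileEvent("HASH_IT_SCRIPT", None,
                               "C:\\IT\\Scripts\\fixup.ps1", NOT_LISTED),
        # No whitelist applies: blocked by the NOT_LISTED rule and delayed
        "unsigned_unknown": FileEvent("HASH_RANDOM", None,
                                      "C:\\Users\\Public\\random.exe", NOT_LISTED),
        # Q1: the hash whitelist wins even over a malware verdict (absolute trust)
        "hash_whitelisted_malware": FileEvent("HASH_LEGACY_TOOL", None,
                                              "C:\\Legacy\\old.exe", KNOWN_MALWARE),
    }
    return {name: evaluate(ev, cfg, policy) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (rep, blocked, delayed) in run_scenarios().items():
        print(f"{name:26} -> {rep:20} blocked={blocked!s:5} delayed={delayed}")
```

The last scenario is the reason the article calls Company Whitelist "absolute trust": once a hash is whitelisted, a later malware verdict for that same hash is not acted on, so hash whitelists deserve periodic review, whereas a Certs or IT Tools entry only removes the NOT_LISTED/UNKNOWN friction and still lets a higher-priority verdict block the file.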

Creation Date: 06-02-2017