Endpoint Standard: How to Confirm Applied / Effective Reputation in Events

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard (was CB Defense)
  • Carbon Black Cloud Sensor: 2.0.x.x and Higher
  • Apple macOS: All Supported Versions
  • Microsoft Windows: All Supported Versions

Objective

This article explains how to confirm the effective (applied) reputation of a process in an event shown in the VMware Carbon Black Cloud Console.

Resolution

Alert Triage page

  1. Log into the Console
  2. Go to the Alerts page and locate the desired alert (alert_id)
  3. Go to the Alert Triage page for that alert_id
  4. Expand the Event details below the process tree
  5. Review the details of the desired process for the event_id of interest (Parent, Process, or Target)
  6. The effective reputation is the reputation that was applied on the endpoint at the time of the event

Additional Notes

Reputation Field: Parent reputation, Process reputation, Target reputation
Description: Reputation in Carbon Black Cloud as of the time of the Event; differences between this and the effective reputation indicate the Sensor did not have this reputation at the time of the Event

Reputation Field: Parent effective reputation, Process effective reputation, Target effective reputation
Description: Reputation the Sensor had in memory at the time of the Event, and which was used in making Policy Action decisions

Reputation Field: Parent effective reputation source, Process effective reputation source, Target effective reputation source
Description (the source the Sensor obtained the effective reputation from):
  • Approved Database (was white database): Sensor applied the Predictive Security Cloud (PSC) Whitelist Database
  • AV (was AV scan): Reputation came from the Local Scanner (Windows only)
  • Cloud: Reputation came from Carbon Black Cloud
  • Cert (was cert whitelisting/approval): Reputation came from Cert Approval, resulting in LOCAL_APPROVED_LIST reputation
  • Hash Rep (was hash reputation list): Reputation came from Company Approval/Banning (was Whitelist/Blacklist)
  • Ignore: Reputation assigned to VMware Carbon Black files
  • IT tools: Reputation came from IT Tools Approval, resulting in LOCAL_APPROVED_LIST reputation
  • Pre-existing: Reputation came from being identified as a "Pre-existing" file (typically via Background Scan), resulting in LOCAL_APPROVED_LIST reputation
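As an added example (not part of this KB article and not Carbon Black's own tooling), the following Python helper applies the distinction above to exported event records: it flags events where an actor's effective reputation differs from the reputation Carbon Black Cloud holds, which is exactly the case where the Sensor made its Policy Action decision on a reputation the cloud no longer agrees with, and it tallies those gaps by effective reputation source. The JSON key names (process_reputation, process_effective_reputation, process_effective_reputation_source and the parent/target equivalents), the sample events and the reputation values in them are assumptions modelled on the field names in the table; verify the keys against your own console or API export before relying on them.

```python
"""Triage helper: find events where the Sensor acted on a reputation that
differs from the one Carbon Black Cloud holds for the same actor.

Added example, not part of the KB article. Key names are assumptions modelled
on the table's field names; sample events are constructed, not real telemetry.
"""

from collections import Counter

# Actors an event can carry reputation fields for (Parent, Process, Target).
ACTORS = ("parent", "process", "target")


def reputation_gaps(event):
    """Return [(actor, cloud_reputation, effective_reputation, source), ...]
    for every actor whose effective reputation differs from the cloud one.

    A gap means the Sensor decided the Policy Action using a reputation
    (effective) that the cloud did not have, or has since changed."""
    gaps = []
    for actor in ACTORS:
        cloud = event.get(f"{actor}_reputation")                      # assumed key
        effective = event.get(f"{actor}_effective_reputation")        # assumed key
        source = event.get(f"{actor}_effective_reputation_source")    # assumed key
        if cloud is None or effective is None:
            continue  # actor not present in this event (e.g. no target)
        if cloud != effective:
            gaps.append((actor, cloud, effective, source))
    return gaps


def summarize_gaps(events):
    """Count gaps per (actor, effective reputation source) across many events,
    so a triager can see which source most often supplied stale reputation."""
    counts = Counter()
    for event in events:
        for actor, _cloud, _effective, source in reputation_gaps(event):
            counts[(actor, source or "UNKNOWN")] += 1
    return counts


# Constructed sample events (not real data); reputation strings are illustrative.
SAMPLE_EVENTS = [
    {   # cloud now knows the file is malware, but the Sensor ran it as NOT_LISTED
        "event_id": "evt-1",
        "process_reputation": "KNOWN_MALWARE",
        "process_effective_reputation": "NOT_LISTED",
        "process_effective_reputation_source": "Cloud",
        "parent_reputation": "TRUSTED_WHITE_LIST",
        "parent_effective_reputation": "TRUSTED_WHITE_LIST",
        "parent_effective_reputation_source": "Cloud",
    },
    {   # locally approved as Pre-existing although the cloud has no listing
        "event_id": "evt-2",
        "process_reputation": "NOT_LISTED",
        "process_effective_reputation": "LOCAL_APPROVED_LIST",
        "process_effective_reputation_source": "Pre-existing",
    },
    {   # no gap: Sensor and cloud agree
        "event_id": "evt-3",
        "process_reputation": "TRUSTED_WHITE_LIST",
        "process_effective_reputation": "TRUSTED_WHITE_LIST",
        "process_effective_reputation_source": "Approved Database",
    },
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        for actor, cloud, effective, source in reputation_gaps(event):
            print(f"{event['event_id']}: {actor} was acted on as {effective} "
                  f"(source: {source}); cloud reputation is {cloud}")
    for (actor, source), n in sorted(summarize_gaps(SAMPLE_EVENTS).items()):
        print(f"{actor:8s} {source:16s} {n}")
```

Run it over a JSON export of the events behind an alert; an event where the cloud reputation is KNOWN_MALWARE but the effective reputation was NOT_LISTED is the one to prioritise, since the endpoint let it run on the information it had at the time.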

Article Information
Creation Date: 03-23-2022