Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Endpoint Standard: How to Confirm Applied / Effective Reputation in Events

Endpoint Standard: How to Confirm Applied / Effective Reputation in Events


  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard (was CB Defense)
  • Carbon Black Cloud Sensor: 2.0.x.x and Higher
  • Apple macOS: All Supported Versions
  • Microsoft Windows: All Supported Versions


This article provides the introduction to confirm the effective or applied reputation in events from VMware Carbon Black Cloud Console


Alert Triage page

  1. Log into Console
  2. Go to Alerts page and locate desired Alert (alert_id)
  3. Go to Alert Triage page for alert_id
  4. Expand Event details below process tree
  5. Review details of desired process for event_id of interest (Parent, Process, or Target)
  6. Effective reputation is what reputation was applied at time of event on endpoint

Additional Notes

Reputation FieldDescription
Parent reputation
Process reputation
Target reputation
Reputation in Carbon Black Cloud as of the time of the Event; differences between this and effective reputation indicate the Sensor did not have this reputation at the time of the Event
Parent effective reputation
Process effective reputation
Target effective reputation
Reputation the Sensor had in memory at the time of the Event, and which was used in making Policy Action decisions
Parent effective reputation source
Process effective reputation source
Target effective reputation source
  • Approved Database (was white database): Sensor applied the Predictive Security Cloud (PSC) Whitelist Database
  • AV (was AV scan): Reputation came from Local Scanner (Windows only)
  • Cloud: Reputation came from Carbon Black Cloud
  • Cert (was cert whitelisting/approval): Reputation came from Cert Approval, resulting in LOCAL_APPROVED_LIST reputation
  • Hash Rep (was hash reputation list): Reputation came from Company Approval/Banning (was Whitelist/Blacklist)
  • Ignore: Reputation assigned to VMware Carbon Black files
  • IT tools: Reputation came from IT Tools Approval, resulting in LOCAL_APPROVED_LIST reputation
  • Pre-existing: Reputation came from being identified as a "Pre-existing" file (typically via Background Scan), resulting in LOCAL_APPROVED_LIST reputation

Related Content

Was this article helpful? Yes No
No ratings
Article Information
Creation Date: