How to Confirm Applied / Effective Reputation in Events
Article ID: 289714
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
This article explains how to confirm the effective (applied) reputation in events from the VMware Carbon Black Cloud Console.
Environment
Carbon Black Cloud Console: All Versions
Endpoint Standard (was CB Defense)
Carbon Black Cloud Sensor: 2.0.x.x and Higher
Apple macOS: All Supported Versions
Microsoft Windows: All Supported Versions
Resolution
Alert Triage page
1. Log in to the Console.
2. Go to the Alerts page and locate the desired Alert (alert_id).
3. Go to the Alert Triage page for alert_id.
4. Expand Event details below the process tree.
5. Review the details of the desired process for the event_id of interest (Parent, Process, or Target).
Effective reputation is the reputation that was applied on the endpoint at the time of the event.
Additional Information
| Reputation Field | Description |
| --- | --- |
| Parent reputation, Process reputation, Target reputation | Reputation in Carbon Black Cloud as of the time of the Event; differences between this and effective reputation indicate the Sensor did not have this reputation at the time of the Event |
| Parent effective reputation, Process effective reputation, Target effective reputation | Reputation the Sensor had in memory at the time of the Event, and which was used in making Policy Action decisions |
Approved Database (was white database): Sensor applied the Predictive Security Cloud (PSC) Whitelist Database
AV (was AV scan): Reputation came from Local Scanner (Windows only)
Cloud: Reputation came from Carbon Black Cloud
Cert (was cert whitelisting/approval): Reputation came from Cert Approval, resulting in LOCAL_APPROVED_LIST reputation
Hash Rep (was hash reputation list): Reputation came from Company Approval/Banning (was Whitelist/Blacklist)
Ignore: Reputation assigned to VMware Carbon Black files; for the Reputation source, it is also the default when the endpoint provides no source
IT tools: Reputation came from IT Tools Approval, resulting in LOCAL_APPROVED_LIST reputation
Pre-existing: Reputation came from being identified as a "Pre-existing" file (typically via Background Scan), resulting in LOCAL_APPROVED_LIST reputation
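The comparison in the Reputation Field table can be run over a batch of event records instead of one event at a time. The following is an added example, not code from this article or from Carbon Black: it reports every Parent, Process, or Target whose effective reputation differs from the cloud reputation. The record layout and key names (`<role>_reputation`, `<role>_effective_reputation`, `<role>_effective_reputation_source`) and the sample events are assumptions constructed for the example.

```python
import json

ROLES = ("parent", "process", "target")

# Constructed sample records. The key names are assumptions made for this
# example, not the Carbon Black Cloud export schema.
SAMPLE_EVENTS = json.loads("""
[
  {"event_id": "evt-0001",
   "process_reputation": "KNOWN_MALWARE",
   "process_effective_reputation": "NOT_LISTED",
   "process_effective_reputation_source": "Cloud",
   "parent_reputation": "TRUSTED_WHITE_LIST",
   "parent_effective_reputation": "TRUSTED_WHITE_LIST",
   "parent_effective_reputation_source": "Cloud"},
  {"event_id": "evt-0002",
   "process_reputation": "NOT_LISTED",
   "process_effective_reputation": "LOCAL_APPROVED_LIST",
   "process_effective_reputation_source": "Cert",
   "target_reputation": "not_listed",
   "target_effective_reputation": "NOT_LISTED"}
]
""")

def _norm(value):
    """Normalise a reputation string; None or empty means 'not recorded'."""
    return value.strip().upper() if isinstance(value, str) and value.strip() else None

def reputation_mismatches(event):
    """Return one finding per role whose effective reputation differs from
    the cloud reputation, i.e. the sensor did not hold the cloud value."""
    findings = []
    for role in ROLES:
        cloud = _norm(event.get(f"{role}_reputation"))
        effective = _norm(event.get(f"{role}_effective_reputation"))
        if cloud is None or effective is None or cloud == effective:
            continue  # role absent from the event, or the values agree
        findings.append({
            "event_id": event.get("event_id"),
            "role": role,
            "cloud": cloud,
            "effective": effective,  # the value Policy Actions were based on
            "source": event.get(f"{role}_effective_reputation_source"),
        })
    return findings

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for f in reputation_mismatches(ev):
            print(f"{f['event_id']} {f['role']}: cloud={f['cloud']} "
                  f"effective={f['effective']} source={f['source']}")
```

Each finding keeps the effective reputation source next to the mismatch, so the reviewer can see where the sensor's value came from when it differs from the cloud value.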