How to Confirm Applied / Effective Reputation in Events
search cancel

How to Confirm Applied / Effective Reputation in Events

book

Article ID: 289714

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

This article provides the introduction to confirm the effective or applied reputation in events from VMware Carbon Black Cloud Console

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard (was CB Defense)
  • Carbon Black Cloud Sensor: 2.0.x.x and Higher
  • Apple macOS: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

Alert Triage page

  1. Log into Console
  2. Go to Alerts page and locate desired Alert (alert_id)
  3. Go to Alert Triage page for alert_id
  4. Expand Event details below process tree
  5. Review details of desired process for event_id of interest (Parent, Process, or Target)
  6. Effective reputation is what reputation was applied at time of event on endpoint

Additional Information

Reputation Field Description
Parent reputation
Process reputation
Target reputation
Reputation in Carbon Black Cloud as of the time of the Event; differences between this and effective reputation indicate the Sensor did not have this reputation at the time of the Event
Parent effective reputation
Process effective reputation
Target effective reputation
Reputation the Sensor had in memory at the time of the Event, and which was used in making Policy Action decisions
Parent effective reputation source
Process effective reputation source
Target effective reputation source
  • Approved Database (was white database): Sensor applied the Predictive Security Cloud (PSC) Whitelist Database
  • AV (was AV scan): Reputation came from Local Scanner (Windows only)
  • Cloud: Reputation came from Carbon Black Cloud
  • Cert (was cert whitelisting/approval): Reputation came from Cert Approval, resulting in LOCAL_APPROVED_LIST reputation
  • Hash Rep (was hash reputation list): Reputation came from Company Approval/Banning (was Whitelist/Blacklist)
  • Ignore: Reputation assigned to VMware Carbon Black files or for the Reputation source it is default if no source from endpoint. 
  • IT tools: Reputation came from IT Tools Approval, resulting in LOCAL_APPROVED_LIST reputation
  • Pre-existing: Reputation came from being identified as a "Pre-existing" file (typically via Background Scan), resulting in LOCAL_APPROVED_LIST reputation