Carbon Black Cloud: Why Are Reputations Different Between VirusTotal and the Web Console?



Article ID: 290033


Updated On:


Carbon Black Cloud Endpoint Standard (formerly Cb Defense), Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)


Why does the reputation of a hash in Carbon Black Cloud differ from the reputation of the same hash in VirusTotal?


  • Carbon Black Cloud Web Console: All Versions
  • Carbon Black Cloud Sensor: All Versions


  • Carbon Black Cloud uses the CB Collective Defense Cloud as its main source of reputation information.
  • The Collective Defense Cloud does not ingest malware (or reputations in general) from VirusTotal.
  • The presence or detection of a file in VirusTotal does not indicate that the Carbon Black Cloud will have a reputation on that file, or that the reputations will match.

Additional Information

  • Carbon Black has multiple methods for ingesting files and leverages a number of internal and external data sources to generate reputation. While a single source of information may be valuable, it does not always mean we will see the same file as malicious.
  • From the Alerts and Investigate pages, there is an option to Take Action > "Find in VirusTotal" for a process. This option has led some to believe the reputations should match, but this is not the case. The option lets CBC Administrators check the reputation of a given hash against another, publicly available source.
  • If there are other reasons (e.g., known good software, seemingly malicious behavior that is actually legitimate, etc.) to believe that a process is legitimate and the CBC reputation is incorrect (false positive), please collect the information requested in and Open a Support Case