Carbon Black Cloud: Why Are Reputations Different Between VirusTotal and the Web Console?
Article ID: 290033
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense), Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)
Issue/Introduction
Why does the reputation of a hash in Carbon Black Cloud differ from the reputation of the same hash in VirusTotal?
Environment
Carbon Black Cloud Web Console: All Versions
Carbon Black Cloud Sensor: All Versions
Resolution
Carbon Black Cloud uses the CB Collective Defense Cloud as its main source of reputation information.
The Collective Defense Cloud does not ingest malware (or reputations in general) from VirusTotal.
The presence or detection of a file in VirusTotal does not indicate that the Carbon Black Cloud will have a reputation on that file, or that the reputations will match.
Additional Information
Carbon Black has multiple methods for ingesting files and leverages a number of internal and external data sources to generate reputations. A single source of information may be valuable, but a detection from that source does not mean Carbon Black Cloud will also classify the same file as malicious.
From the Alerts and Investigate pages, there is an option under Take Action > "Find in VirusTotal" for a process. This option has led some to believe the reputations should match, but this is not the case. It simply allows CBC Administrators to check the reputation of a given hash against another, publicly available source.
If there are other reasons (e.g. known good software, or seemingly malicious behavior that is actually legitimate) to believe that a process is legitimate and the CBC reputation is incorrect (a false positive), please collect the information requested in https://community.carbonblack.com/t5/Knowledge-Base/All-Products-How-to-report-Malware-False-Positives-to-VMware/ta-p/101821 and open a Support Case.