Endpoint Standard: Why isn't the reputation updated to LOCAL WHITE?

Article ID: 290154

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Why isn't the file reputation permanently updated from NOT_LISTED to LOCAL_WHITE when the Certificate or IT Tools whitelisting methods are used?

Environment

  • Endpoint Standard (formerly Cb Defense) Sensor: All Supported Versions
  • Carbon Black Cloud: All Versions

Resolution

  • The hash reputation will always be displayed in the Investigate > Application tabs: Selected App, Target App, Parent App.
  • The LOCAL_WHITE reputation is not hash-based. It applies to pre-existing files (files which existed prior to the sensor installation), as well as to files signed by a whitelisted certificate and files created by a whitelisted IT Tool.
  • This behavior is by design: it provides increased visibility, especially if the application was updated to a Malware reputation.

Additional Information

To see if the Certificate or IT Tools reputation was applied to the application when it executed, you can check the event details. In the event details, the "App Reputation (applied, [source])" field will display the reputation applied at the time of the event.

For instance, in the example below, the reputation of NOT_LISTED is the hash-based reputation, but the LOCAL_WHITE reputation was applied because the certificate of the file was whitelisted.

User-added image