Carbon Black Cloud: Application Reputation Not Updated For Local Scanner False Positives

Article ID: 292221

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Known-good application receives malware reputation via Local Scanner Reputation (applied, AV scan)
  • Application submitted to Carbon Black as a potential false positive
  • Reputation corrected in Predictive Security Cloud (PSC)
  • Known-good application continues to receive malware reputation via Local Scanner as noted above

Environment

  • Carbon Black Cloud Console: All Versions
  • Endpoint Standard Sensor: 3.2.x - 3.5.x
  • Microsoft Windows: All Supported Versions
  • Local Scanner Enabled in Policy

Cause

  • Initial reputation from Local/AV Scan added to reputation database (local to machine)
  • Reputation in PSC corrected to Adaptive White, Common White, Not Listed, or Unknown
  • Initial Local Scanner reputation (Known Malware, Suspect Malware, or PUP/PUA) remains in effect because those reputations have higher priority than the corrected cloud reputation

Resolution

Upgrade the affected sensor to 3.6.0.1719 or later

Additional Information

Although upgrading to 3.6.0 is strongly suggested, the following workarounds are available for versions prior to 3.6.0:

  • For all versions, the steps in How to Add a SHA256 Hash to Approved/Banned List explain how to add the affected hash to the allow list. Note: This workaround gives the hash a higher-priority reputation than any of the malware reputations (Known Malware, Suspect Malware, PUP/PUA)

For 3.5.x and higher sensors:

  • As an authenticated RepCli user, run the following to force the scanner to rescan the file:
    repcli localScanner scan "Path\filename.exe"
  • Or use the delay command to force a recheck at the file's next execution time:
    repcli hash %sha256% delay av
    repcli hash %sha256% delay cloud
    Where %sha256% is the actual SHA256 hash value of the file

  • To validate the file's reputation locally, run:
    repcli find -rep %sha256%
    repcli find -rep binaryname.exe
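A PowerShell wrapper for the 3.5.x-and-later workaround above, added here as an example and not part of the Carbon Black article: it derives the %sha256% value with Get-FileHash, issues the rescan and delay commands, then reads the local reputation back. It assumes repcli is on the PATH (or the shell runs from its install directory) and that the session is already an authenticated RepCli user.

```powershell
# Added example, not from the Carbon Black article.
# Assumes: Endpoint Standard sensor 3.5.x or later, repcli resolvable on PATH,
# and the current session already authenticated as a RepCli user.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    throw "File not found: $Path"
}

# Get-FileHash produces the value the article calls %sha256%
$sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
Write-Host "SHA256 of $Path : $sha256"

# Workaround 1: force the Local Scanner to rescan the file
& repcli localScanner scan "$Path"

# Workaround 2: force a recheck of the AV and cloud reputations at the
# file's next execution time
& repcli hash $sha256 delay av
& repcli hash $sha256 delay cloud

# Validation: show what the sensor now holds for this hash and file name.
# If a Known Malware / Suspect Malware / PUP/PUA reputation still shows after
# the recheck, the resolution is a sensor upgrade to 3.6.0.1719 or later.
& repcli find -rep $sha256
& repcli find -rep (Split-Path -Leaf $Path)
```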