Microsoft Office file extension type blocked based on false positive Avira Cloud reputation

Article ID: 425704


Products

Carbon Black Cloud Endpoint Standard

Issue/Introduction

Some Microsoft Office files (.xlsx, .docx, etc.) that contain macro values are being falsely assigned a "KNOWN_MALWARE" or "PUP" reputation. These malicious reputations lead to blocks in the Carbon Black Cloud console for older sensor versions (4.0.3 and lower) that still use the Avira reputation service.

Environment

  • Carbon Black Cloud Console: Current Version
  • Carbon Black Cloud Windows Sensor: 4.0.3 and Lower
  • Avira Cloud Reputation service
  • Microsoft Office: All Versions

Cause

The Avira Cloud Reputation service uses its own analytics to assign reputation values to files. Due to a change in its logic, some macro values in Microsoft Office files are being tagged as malicious.

Resolution

  1. Submit a Support Case for the Carbon Black Cloud team to contact Avira Cloud Reputation Support and have the hash/binary file uploaded for re-analysis and reputation update.
  2. WORKAROUND: Add the SHA256 Hash value of the "KNOWN_MALWARE" file to the Approved Reputation List to allow the file to execute until the reputation can be re-evaluated.
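
Before a hash goes on the Approved Reputation List, it is worth confirming that the SHA256 belongs to the file you intend to approve and seeing which macro-bearing parts that file contains. The following Python sketch is an added example, not Carbon Black or Avira code; the function names and the in-memory sample package are constructed for illustration.

```python
import hashlib
import io
import zipfile

# OOXML part names that carry macro content: the VBA project stream and
# Excel 4.0 macro sheets. Matching is done on lower-cased part names.
MACRO_MARKERS = ("vbaproject.bin", "/macrosheets/")


def triage(name: str, data: bytes) -> dict:
    """Hash a flagged file and list any macro-bearing parts inside it."""
    record = {
        "file": name,
        "sha256": hashlib.sha256(data).hexdigest(),  # value for the approved list
        "ooxml": False,
        "macro_parts": [],
    }
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):  # .xlsx/.docx are ZIP containers
        with zipfile.ZipFile(buf) as pkg:
            names = pkg.namelist()
        record["ooxml"] = "[Content_Types].xml" in names
        record["macro_parts"] = [
            n for n in names if any(m in n.lower() for m in MACRO_MARKERS)
        ]
    return record


def triage_path(path: str) -> dict:
    """Same check for a file on disk (hypothetical helper name)."""
    with open(path, "rb") as fh:
        return triage(path, fh.read())


def build_sample(with_macro: bool) -> bytes:
    """Constructed stand-in for an Office package; not a real workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            pkg.writestr("xl/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("report.xlsx", True), ("plain.xlsx", False)):
        rec = triage(label, build_sample(flag))
        print(rec["sha256"], rec["file"], rec["macro_parts"] or "no macro parts")
```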