Reputation overview

With Reputation, you can build a repository of reputation data from various sources, such as Palo Alto WildFire, ReversingLabs, and VirusTotal. These sources determine threat levels for file hashes. Other Tanium products, such as Tanium™ Trace, can use this data to give an indication of potentially malicious files. You can also send reputation data to supported Tanium™ Connect destinations.

The reputation database is a cache that consists of reputation items. When configured, reputation items are scanned by a reputation source. A reputation source is a service that determines whether a reputation item is malicious, non-malicious, or suspicious, or whether its status is unknown.

Reputation item life cycle

A reputation item remains in the database as long as Tanium processes keep accessing the status of that item. The status of each reputation item is kept up to date according to the settings for the reputation service and the provider.

Reputation items are added to the reputation database

As long as the maximum database size is not exceeded, reputation items get added to the reputation database in the following scenarios:

  • When a new hash gets identified by a Tanium process, such as Trace.
  • When a list of hashes gets sent to Connect from a saved question connection source.

When reputation items are first added, it is not yet known whether they are malicious. The reputation item state most likely starts out as unknown or pending.

Reputation items are scanned

How long it takes for an initial scan of the items depends on your configured reputation service settings.

If you have multiple reputation service providers configured, a reputation item is created for each reputation source. For example, for a single hash, three separate reputation items are created for WildFire, ReversingLabs, and VirusTotal.

WildFire

All reputation items are sent to WildFire as they are received.

ReversingLabs A1000

The settings for ReversingLabs A1000 determine how many hashes are sent at a time, and how many times the API is called in one minute. For more information about these settings, see Configure ReversingLabs A1000 reputation source.

ReversingLabs TitaniumCloud

The settings for ReversingLabs TitaniumCloud determine how many hashes are sent at a time, and how many times the API is called in one minute. For more information about these settings, see Configure ReversingLabs TitaniumCloud reputation source.

VirusTotal

The settings for VirusTotal determine how many hashes are sent at a time, and how many times the API is called in one minute. For more information about these settings, see Configure VirusTotal reputation source.

Reputation items are rescanned

Reputations might change for reputation items over time. When an item is rescanned, it is checked against the reputation sources again. For more information about configuring the rescanning properties, see Configure reputation service settings.

The Rescan Item Interval setting is global for all reputation provider types. The value determines how often items get rescanned. For example, if this value is set to 1 day, all of the items in the database get checked every day.

WildFire

Items are rescanned only at the Rescan Item Interval; WildFire has no separate new-item rescan settings.

ReversingLabs A1000

You can configure items to be rescanned as ReversingLabs A1000 gets new reputations for hashes.

The Maximum Age of New Items setting is compared with the First Seen attribute in ReversingLabs A1000. The First Seen attribute is the date at which ReversingLabs A1000 first recorded any instance of that hash. If the age of the item (the time elapsed since First Seen) is less than the configured maximum, the item is rescanned. How often such new items are rescanned is determined by the Rescan New Item Interval setting.

ReversingLabs TitaniumCloud

You can configure items to be rescanned as ReversingLabs TitaniumCloud gets new reputations for hashes.

The Maximum Age of New Items setting is compared with the First Seen attribute in ReversingLabs TitaniumCloud. The First Seen attribute is the date at which ReversingLabs TitaniumCloud first recorded any instance of that hash, from any ReversingLabs TitaniumCloud customer. If the age of the item (the time elapsed since First Seen) is less than the configured maximum, the item is rescanned. How often such new items are rescanned is determined by the Rescan New Item Interval setting.

VirusTotal

If you have a paid API key for VirusTotal, you can configure items to be rescanned as VirusTotal gets new reputations for hashes.

The Maximum Age of New Items setting is compared with the First Seen attribute in VirusTotal. The First Seen attribute is the date at which VirusTotal first recorded any instance of that hash, from any VirusTotal customer. If the age of the item (the time elapsed since First Seen) is less than the configured maximum, the item is rescanned. How often such new items are rescanned is determined by the Rescan New Item Interval setting.

When you are configuring these settings, be careful to keep the number of API calls within the bounds of your agreement with VirusTotal.

Items are removed from the reputation database

When the number of days in the Remove Item Interval value passes without the item being queried by a saved question or another Tanium process to check its status, the item is removed from the database.

A reputation item can be re-added to the database if the hash gets found again.
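The life cycle above (initial scan, the global Rescan Item Interval, the provider-specific new-item rescan keyed on First Seen, and removal after the Remove Item Interval) as an added worked model. This is illustrative code written for this page, not Tanium's implementation; the class names, the "keep/rescan/remove" outcome and the schedule_calls helper that chunks due hashes within a per-minute call budget are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class RescanPolicy:
    """Assumed model of the settings named on this page (not Tanium's own code)."""
    rescan_item_interval: timedelta          # global for every provider type
    remove_item_interval: timedelta          # time without a status query before removal
    max_age_of_new_items: Optional[timedelta] = None        # None: no new-item rescan (WildFire)
    rescan_new_item_interval: Optional[timedelta] = None


@dataclass
class ReputationItem:
    sha256: str
    provider: str                            # one item per configured reputation source
    last_queried: datetime                   # last time a Tanium process asked for its status
    last_scanned: Optional[datetime] = None  # None until the initial scan has completed
    first_seen: Optional[datetime] = None    # the provider's First Seen attribute, once known
    status: str = "unknown"


def next_action(item: ReputationItem, policy: RescanPolicy, now: datetime) -> str:
    """Decide what the cache does with one item: 'remove', 'rescan' or 'keep'."""
    if now - item.last_queried >= policy.remove_item_interval:
        return "remove"                      # nobody asked about it for Remove Item Interval
    if item.last_scanned is None:
        return "rescan"                      # initial scan; status is still unknown/pending
    since_scan = now - item.last_scanned
    if since_scan >= policy.rescan_item_interval:
        return "rescan"                      # global periodic rescan for every provider
    if (policy.max_age_of_new_items is not None
            and policy.rescan_new_item_interval is not None
            and item.first_seen is not None
            and now - item.first_seen < policy.max_age_of_new_items   # still "new" at the provider
            and since_scan >= policy.rescan_new_item_interval):
        return "rescan"                      # new items are rescanned on the shorter interval
    return "keep"


def schedule_calls(hashes: List[str], hashes_per_call: int,
                   calls_per_minute: int) -> List[Tuple[int, List[str]]]:
    """Chunk due hashes into API calls of hashes_per_call and tag each call with the
    minute offset at which it may be sent, so calls_per_minute is never exceeded."""
    calls = [hashes[i:i + hashes_per_call] for i in range(0, len(hashes), hashes_per_call)]
    return [(i // calls_per_minute, batch) for i, batch in enumerate(calls)]
```

Running next_action over the whole cache on a timer, once per provider, reproduces the three scenarios the text describes; schedule_calls is where the caveat about staying within the provider agreement is enforced.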

Whitelist/Blacklist

The Reputation Whitelist/Blacklist is a list of reputation hashes that are known to be false detections or known to be malicious. You can add or delete specific hashes from the Whitelist/Blacklist, or you can export and import the entire list.

For more information, see Managing whitelist or blacklist data.

Last updated: 9/3/2019 5:03 PM