Local Reputation Service

The Local Reputation Service allows your organization to influence threat decisions by managing known good and bad files and indicators. You can supply your own local reputation data, and our system also includes managed reputation entries out of the box.

This feature is available since version 2.3.0.

Use comments in your reputation files to keep track of sources—just add a description after a comma!

Supported Data Types

Sandbox supports reputation entries for the following data types:

md5 – File hash (32-character)
sha256 – File hash (64-character)
ip – IPv4 or IPv6 addresses
domain – Network domain names
url – Full URLs
digicert_owner – Digital Certificate owners (common name / organization)

Each entry can be part of either an allow list or a block list, to determine whether files or indicators (IOCs) should be trusted or flagged.

Only allowed entries are supported for Digital Certificate owners.

Sandbox cannot verify certificates in offline environments, therefore the certificate allowlist is ignored for allow listing.

Directory Structure

Reputation data is stored in the following directories:

System-managed data: <sandbox>/transform/data/reputation/internal(Shipped with each release and updated automatically after install)
Customer-provided data: <sandbox>/transform/data/reputation/external(Customers can edit and manage this at any time)

Customer managed data takes precedence on conflict.

System managed data should not be overwritten. The system will revert any modifications on installation.

File Naming Convention

Customers can provide their reputation data in files following this naming format:

Data Type	Allow list file	Block list file
MD5	md5_allowed.txt	md5_blocked.txt
SHA256	`sha256_allowed.txt`	sha256_blocked.txt
IP	ip_allowed.txt	ip_blocked.txt
Domain	domain_allowed.txt	domain_blocked.txt
URL	url_allowed.txt	url_blocked.txt
Digital Certificate owner	digicert_owner_allowed.txt	(no block list supported)

File Format

Each file - except digicert_owner_allowed.txt - can contain single line entries as comma separated data and optional description pairs.

CSV
    
 
<data>,<optional description>
Copy

Examples:

md5_allowed.txt
    
 
d41d8cd98f00b204e9800998ecf8427e,Known good from internal tool, empty filed41d8cd98f00b204e9800998ecf8427d
Copy

For digicert_owner_allowed.txt, description is not supported.

Example:

digicert_owner_allowed.txt
    
 
CN="Trusted .Inc", O="Trusted, Inc.", L=San Francisco, ST=California, C=US
Copy

Import Behavior

Data is imported at application startup, if a file has changed.
If a file changes, existing data for that type and list is replaced entirely.
All internal (system-managed) reputation data is updated after installation.
External (customer) reputation data can be modified and re-imported at any time.

Restart Sandbox to trigger the data import

Bash
    
 
sudo service sandbox restart
Copy

Validation and Logs

All entries are validated during import based on type.
Invalid entries are skipped silently.
To ensure full effectiveness, customers advised to check the logs for any skipped entries or formatting errors.

Example transform logs for successful import and migration with an invalid data entry:

It is advised to check the logs for any skipped entries or formatting errors.

Import log
    
INFO Starting reputation data migration...INFO External reputation data migration completed successfullyINFO Reloading reputation data from file: /home/akos/workspace/sandbox/fstransform/data/reputation/internal/md5_allowed.txtINFO Reloaded 1736511 entries from changed file: md5_allowed.txt ...INFO Reloading reputation data from file: <sandbox>/fstransform/data/reputation/internal/ip_blocked.txtERROR Failed to parse reputation data line: Invalid IP format. Must be a valid IPv4 or IPv6 address: 212.111.1.212.226INFO Reloaded 455823 entries from changed file: ip_blocked.txtINFO Reloading reputation data from file: <sandbox>/fstransform/data/reputation/internal/url_allowed.txtINFO Reloaded 18 entries from changed file: url_allowed.txt
Copy

Migration of Old External Data

Legacy external reputation data is automatically migrated during the first startup after the installation of version 2.3.0 or later.
A migration marker file indicates completion of the migration step: <sandbox>/transform/data/reputation/external/.reputation_migration_completed

Additional Allow List Behavior

URL Matching: A URL is allowed or blocked based on its domain's presence in the allow/block list.
IP Matching: An IP is considered allowed if it:
- Matches exactly
- Is a network address - see transform configuration setting ignoreNetworkIPs
- Is a broadcast address - see transform configuration setting ignoreBroadcastIPs
- Falls within an allowed subnet - see transform configuration setting whitelistHostsCIDR

Last updated on

Was this page helpful?